cleantalk
Vulnerabilities and Security Researches

Prodigy Commerce, CVE-2026-0926

CVE, Research URL

CVE-2026-0926

Home page URL

Security reports for Prodigy Commerce

Application

Prodigy Commerce

Published on
Feb 19, 2026
Research Description
The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Affected versions
max 3.3.1.
Status
vulnerable
Previous vulnerability researches
Happy Addons for Elementor (CVE-2025-68999) , Feb 27, 2026
Happy Addons for Elementor (CVE-2025-30766) , Apr 02, 2025
Happy Addons for Elementor (CVE-2024-5647) , Apr 13, 2026
Happy Addons for Elementor (CVE-2024-10538) , Nov 14, 2024
Happy Addons for Elementor (CVE-2024-12852) , Jan 09, 2025
New vulnerability
Collect.chat – Chatbot ⚡️ (CVE-2026-0736) , Apr 15, 2026
SQL Chart Builder (CVE-2026-4079) , Apr 15, 2026
FastDup – Fastest WordPress Migration & Duplicator (CVE-2026-1104) , Apr 15, 2026
Timeline Block (CVE-2026-1228) , Apr 15, 2026
Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress (CVE-2026-3180) , Apr 15, 2026