The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
The vulnerability results from improper validation of the 'parameters[template_name]' parameter passed by the user, which is subsequently used to include a file through the plugin's template mechanism. An attacker without any authentication can specify any file path on the server, resulting in its loading and — in the case of PHP files — execution of the code contained within it. A particularly dangerous scenario occurs when the service allows file uploads (e.g., images): an attacker can upload a file with embedded PHP code and then force its execution through this vulnerability.
An attacker can read arbitrary files from the server (including configuration data, credentials), bypass access control mechanisms, and execute arbitrary PHP code, which in practice means the ability to fully compromise the server (RCE).
The Prodigy Commerce plugin must be immediately updated to a version higher than 3.3.0. According to available reference (changeset 3464655), the vendor published a fix in the WordPress repository. Until the update is applied, it is recommended to deactivate the plugin and restrict file upload capabilities for unprivileged users.
Prodigy Commerce plugin for WordPress in all versions up to and including 3.3.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H