CVE-2026-0926

Prodigy Commerce · Prodigy Commerce WordPress Plugin

The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion (LFI) via the 'template_name' parameter, enabling unauthenticated RCE.

Executive summary

A critical LFI-to-RCE vulnerability in the Prodigy Commerce WordPress plugin allows unauthenticated attackers to execute arbitrary PHP code and compromise the site.

Vulnerability

The plugin fails to sanitize the parameters[template_name] parameter before using it in a file include, allowing Local File Inclusion. An unauthenticated attacker can include arbitrary files on the server, or include previously uploaded files that passed upload checks as "safe" (such as images carrying embedded PHP), to achieve full remote code execution.

Business impact

Successful exploitation results in full site takeover, unauthorized access to sensitive customer data, and potential server-wide compromise. The CVSS score of 9.8 reflects the critical nature of unauthenticated RCE in an e-commerce context.

Remediation

Immediate Action: Update the Prodigy Commerce plugin to the latest available version without delay.

Proactive Monitoring: Audit web server logs for directory traversal patterns (e.g., ../) targeting the plugin's parameters.

Compensating Controls: Deploy a WAF with rules specifically designed to detect and block Local File Inclusion (LFI) and directory traversal attacks.
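The log audit from the Proactive Monitoring step, as an added example that is not part of the advisory or the vendor's code: it scans Apache-style access-log lines for the plugin's parameters[template_name] parameter and flags values that still resolve to a directory-traversal or absolute path after repeated URL decoding (so single- and double-encoded ../ are both caught). The sample log lines are constructed, and the request path and action value are placeholders because the advisory does not name the affected endpoint.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines (not real traffic). The endpoint and
# action value are placeholders; only the parameter name comes from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER_ACTION&parameters%5Btemplate_name%5D=product-card HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2026:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=PLACEHOLDER_ACTION&parameters%5Btemplate_name%5D=..%2F..%2F..%2Fwp-content%2Fuploads%2Fx.png HTTP/1.1" 200 88
203.0.113.9 - - [10/Jan/2026:10:01:09 +0000] "GET /?parameters[template_name]=%252e%252e%252fconfig HTTP/1.1" 404 10
"""

PARAM = "parameters[template_name]"
# A ".." path segment bounded by slashes/backslashes or the string ends.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_template_name(value):
    """True when the decoded value escapes a template directory."""
    v = fully_decode(value)
    return bool(TRAVERSAL.search(v)) or v.startswith(("/", "\\")) or "\x00" in v


def scan_log(text):
    """Return (line_number, decoded_value) for requests carrying a suspicious template_name."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQ_LINE.search(line)
        if not m:
            continue
        query = urlparse(m.group("target")).query
        # parse_qs percent-decodes keys and values once; fully_decode handles further layers.
        for key, values in parse_qs(query, keep_blank_values=True).items():
            if unquote(key) != PARAM:
                continue
            hits.extend((n, fully_decode(v)) for v in values if is_suspicious_template_name(v))
    return hits


if __name__ == "__main__":
    for line_no, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: suspicious template_name -> {value!r}")
```

Access logs only show the query string, so parameters sent in a POST body will not appear here; apply the same check to WAF or application-level request logs where those are available.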

Exploitation status

Public Exploit Available: No

Analyst recommendation

E-commerce plugins are high-risk targets due to the sensitive data they process. It is imperative to apply the latest security updates for the Prodigy Commerce plugin to mitigate the risk of unauthenticated remote code execution.