CVE-2026-3891

CRITICAL LAB

Pix for WooCommerce <=1.5.0 - Arbitrary File Upload

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2026-3891. PoCs published by willygailo, joshuavanderpoll, AnggaTechI.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-3891, targeting an unauthenticated arbitrary file upload vulnerability in Pix for WooCommerce <= 1.5.0. The exploit is obfuscated using PyArmor and includes a GUI for ease of use.

Description

The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Exploits (5)

github WORKING POC 1 stars
by willygailo · python · poc
https://github.com/willygailo/CVE-2026-3891-Linux

This repository contains a functional exploit for CVE-2026-3891, targeting an unauthenticated arbitrary file upload vulnerability in Pix for WooCommerce <= 1.5.0. The exploit is obfuscated using PyArmor and includes a GUI for ease of use.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Pix for WooCommerce <= 1.5.0
No auth needed
Prerequisites: Target running Pix for WooCommerce <= 1.5.0 · Network access to the target
devstral-2 · analyzed May 31, 2026

nomisec WORKING POC 1 stars
by joshuavanderpoll · poc
https://github.com/joshuavanderpoll/CVE-2026-3891

This repository contains a functional exploit for CVE-2026-3891, an unauthenticated arbitrary file upload vulnerability in the Pix for WooCommerce plugin (versions <= 1.5.0). The exploit uploads a PHP webshell to the target server and allows command execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: payment-gateway-pix-for-woocommerce <= 1.5.0
No auth needed
Prerequisites: Target WordPress site with vulnerable plugin installed · Network access to the target
devstral-2 · analyzed Mar 14, 2026

nomisec SCANNER
by AnggaTechI · poc
https://github.com/AnggaTechI/Mass-Scanner-CVE-2026-3891

This repository contains a Python-based scanner for CVE-2026-3891, which targets a WordPress AJAX behavior. The tool checks for the presence of a nonce generation endpoint and validates responses, but does not include exploit code for weaponization.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: WordPress (specific plugin not explicitly named, but likely related to 'lkn_pix_for_woocommerce')
No auth needed
Prerequisites: Target WordPress site with vulnerable plugin installed · Access to the AJAX endpoint (/wp-admin/admin-ajax.php)
devstral-2 · analyzed Apr 16, 2026

nomisec WORKING POC
by Nxploited · poc
https://github.com/Nxploited/CVE-2026-3891

This repository contains a functional exploit for CVE-2026-3891, targeting a file upload vulnerability in the 'lkn_pix_for_woocommerce' WordPress plugin. The exploit automates the process of generating a nonce and uploading a malicious shell via the plugin's settings functionality.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress plugin 'lkn_pix_for_woocommerce' (version not specified)
No auth needed
Prerequisites: Target must have the vulnerable plugin installed · Attacker must provide a local shell file (e.g., shell.php)
devstral-2 · analyzed Apr 09, 2026

nomisec WORKING POC
by vladimirmanylobed451 · poc
https://github.com/vladimirmanylobed451/CVE-2026-3891

This repository contains a functional Python exploit for CVE-2026-3891, an unauthenticated arbitrary file upload vulnerability in the Pix for WooCommerce plugin (version <= 1.5.0). The exploit uploads a PHP webshell by leveraging a nonce generation endpoint and a file upload endpoint, then allows command execution via the uploaded shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Pix for WooCommerce plugin for WordPress <= 1.5.0
No auth needed
Prerequisites: Target must have the vulnerable Pix for WooCommerce plugin installed and active · WordPress site must be accessible
devstral-2 · analyzed Apr 09, 2026

Scores

CVSS v3 9.8
EPSS 0.0008
EPSS Percentile 24.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
linknacional/Pix for WooCommerce < 1.5.0
Published Mar 13, 2026
Tracked Since Mar 14, 2026