CVE-2026-3891

CRITICAL

Pix for WooCommerce <=1.5.0 - Arbitrary File Upload

Title source: llm

Description

The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Exploits (3)

nomisec WORKING POC 1 stars

by joshuavanderpoll · poc

https://github.com/joshuavanderpoll/CVE-2026-3891

View Code ZIP pw:eip

nomisec

by Nxploited · poc

https://github.com/Nxploited/CVE-2026-3891

View Code ZIP pw:eip

nomisec

by vladimirmanylobed451 · poc

https://github.com/vladimirmanylobed451/CVE-2026-3891

View Code ZIP pw:eip

References (3)

[Product] https://plugins.trac.wordpress.org/browser/payment-gateway-pix-for-woocommerce/tags/1.4.0/Includes/LknPaymentPixForWoocommercePixC6.php#L694

[Product] https://plugins.trac.wordpress.org/changeset/3480639/payment-gateway-pix-for-woocommerce#file56

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/20188fd3-c330-4c76-912b-72731e14c450?source=cve

Scores

CVSS v3 9.8

EPSS 0.0007

EPSS Percentile 22.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

linknacional/Pix for WooCommerce < 1.5.0

Published Mar 13, 2026

Tracked Since Mar 14, 2026