Arbitrary File Upload Vulnerability in Pix for WooCommerce Plugin by WordPress
CVE-2026-3891

9.8CRITICAL

Key Information:

Vendor

WordPress

Vendor
CVE Published:
13 March 2026

Badges

πŸ“ˆ Score: 115πŸ‘Ύ Exploit Exists🟑 Public PoC

What is CVE-2026-3891?

CVE-2026-3891 is a significant vulnerability affecting the Pix for WooCommerce plugin, which integrates a payment gateway into WordPress sites for processing transactions. This plugin provides functionality for managing payment transactions via the Brazilian payment method, Pix. The vulnerability arises from a lack of essential capability checks and insufficient file type validation within the lkn_pix_for_woocommerce_c6_save_settings function in all versions up to and including 1.5.0.

Due to this flaw, unauthenticated attackers can exploit the plugin to upload arbitrary files to the server hosting the affected WordPress site. This capability poses a serious threat, as attackers could potentially execute malicious code remotely, leading to unauthorized access to sensitive data, further compromise of the site's infrastructure, and a myriad of other security threats.

Potential impact of CVE-2026-3891

  1. Unauthorized File Uploads: Attackers can upload malicious files to the server without authentication, which may facilitate remote code execution, compromising the integrity of the affected website.

  2. Remote Code Execution: The exploitation of this vulnerability can lead to remote code execution on the server, allowing attackers to take full control of the web application and potentially the underlying server environment.

  3. Data Breach and Exfiltration: Successful exploitation could result in unauthorized access to sensitive user data, including payment information and personal details, heightening the risk of data breaches and fraud.

Affected Version(s)

Pix for WooCommerce 0 <= 1.5.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alexis Lafontaine
.