Arbitrary File Upload Vulnerability in Pix for WooCommerce Plugin by WordPress
CVE-2026-3891
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 13 March 2026
Badges
What is CVE-2026-3891?
CVE-2026-3891 is a significant vulnerability affecting the Pix for WooCommerce plugin, which integrates a payment gateway into WordPress sites for processing transactions. This plugin provides functionality for managing payment transactions via the Brazilian payment method, Pix. The vulnerability arises from a lack of essential capability checks and insufficient file type validation within the lkn_pix_for_woocommerce_c6_save_settings function in all versions up to and including 1.5.0.
Due to this flaw, unauthenticated attackers can exploit the plugin to upload arbitrary files to the server hosting the affected WordPress site. This capability poses a serious threat, as attackers could potentially execute malicious code remotely, leading to unauthorized access to sensitive data, further compromise of the site's infrastructure, and a myriad of other security threats.
Potential impact of CVE-2026-3891
-
Unauthorized File Uploads: Attackers can upload malicious files to the server without authentication, which may facilitate remote code execution, compromising the integrity of the affected website.
-
Remote Code Execution: The exploitation of this vulnerability can lead to remote code execution on the server, allowing attackers to take full control of the web application and potentially the underlying server environment.
-
Data Breach and Exfiltration: Successful exploitation could result in unauthorized access to sensitive user data, including payment information and personal details, heightening the risk of data breaches and fraud.
Affected Version(s)
Pix for WooCommerce 0 <= 1.5.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
Vulnerability published
Vulnerability Reserved