CVE-2026-3891
Arbitrary File Upload in Pix for WooCommerce Enables RCE
Publication date: 2026-03-13
Last updated on: 2026-03-13
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pix_for_woocommerce | pix_for_woocommerce | up to and including 1.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Pix for WooCommerce plugin for WordPress, in all versions up to and including 1.5.0, allows unauthenticated attackers to upload arbitrary files to the affected site's server. The root cause is that the plugin's 'lkn_pix_for_woocommerce_c6_save_settings' AJAX handler performs neither a capability check (so any visitor can reach it) nor validation of the uploaded file's type.
Because the uploaded file can be a PHP script placed somewhere the web server executes it, this arbitrary file upload (CWE-434) can lead directly to remote code execution on the server hosting the site.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized file uploads by attackers without authentication, which may lead to remote code execution on your server.
Such an exploit could allow attackers to take control of your website, manipulate or steal data, disrupt services, or use your server for malicious activities.
The CVSS v3.1 base score of 9.8 indicates a critical severity with high impact on confidentiality, integrity, and availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection starts with confirming whether the Pix for WooCommerce plugin at version 1.5.0 or earlier is installed on the WordPress site, since those versions lack the capability check and file type validation that prevent arbitrary uploads.
Since the vulnerability is reached through the 'lkn_pix_for_woocommerce_c6_save_settings' AJAX action, unexpected POST requests to admin-ajax.php carrying that action, or unexplained new files on the server (especially PHP files under the uploads tree), can indicate exploitation attempts.
Specific commands that help:
- Search the web server access log for requests to admin-ajax.php with the action parameter set to 'lkn_pix_for_woocommerce_c6_save_settings'. For example, on a Linux server: `grep 'action=lkn_pix_for_woocommerce_c6_save_settings' /var/log/apache2/access.log`. Caveat: this only matches when the action is sent in the query string; for a POST the action is usually in the request body, which the access log does not record, so also review all POSTs to admin-ajax.php from unauthenticated sources and correlate them with new files appearing on disk.
- Check for recently created or modified files in the WordPress uploads directory or other web-writable directories: `find /path/to/wordpress/wp-content/uploads -type f -mtime -7` lists files modified in the last 7 days. Any `.php` (or double-extension such as `.php.jpg`) file under uploads is a strong indicator and should be treated as a web shell until proven otherwise.
- Use WP-CLI to check the installed plugin version: `wp plugin get pix-for-woocommerce --field=version` [1]
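The three checks above, combined into one script, as an added example that is not part of the advisory or of the plugin: it parses Apache/nginx combined-format access log lines for the vulnerable AJAX action and for direct hits on PHP files under uploads, scans an uploads tree for PHP and double-extension files regardless of mtime, and compares the installed version against 1.6.0 (the first fixed release named on this page). The log lines and the uploads fixture are constructed for the demo; the combined log format, the WordPress path layout and the 1.6.0 threshold are assumptions.

```python
"""Detection helpers for CVE-2026-3891 (Pix for WooCommerce <= 1.5.0).

Added example, not from the advisory or the plugin. Assumes combined-format
access logs and a standard wp-content/uploads layout.
"""
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "lkn_pix_for_woocommerce_c6_save_settings"
FIXED_VERSION = (1, 6, 0)                      # first fixed release per the advisory
SCRIPT_EXTS = {"php", "phtml", "php5", "php7", "phar"}

# Combined log format: ip ident user [ts] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Mar/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=lkn_pix_for_woocommerce_c6_save_settings HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.4 - - [13/Mar/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 93 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Mar/2026:10:01:15 +0000] "GET /wp-content/uploads/2026/03/shell.php HTTP/1.1" 200 41 "-" "curl/8.5.0"',
    '192.0.2.9 - - [13/Mar/2026:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=lkn_pix_for_woocommerce_c6_save_settings HTTP/1.1" 403 0 "-" "python-requests/2.31"',
]


def parse_version(v):
    """'1.5.0' -> (1, 5, 0); tolerates a trailing tag such as '1.5.0-beta'."""
    return tuple(int(p) for p in re.split(r"[.-]", v) if p.isdigit())


def is_vulnerable_version(v):
    """True when the installed version predates the fixed release."""
    return parse_version(v) < FIXED_VERSION


def suspicious_requests(lines):
    """Flag hits on the vulnerable action and direct requests for PHP under uploads.

    Only query-string actions are visible here: a POST body is not logged, so
    a body-carried action will not be caught by this check alone.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        entry = {"ip": m.group("ip"), "method": m.group("method"), "status": m.group("status")}
        if url.path.endswith("/wp-admin/admin-ajax.php"):
            action = parse_qs(url.query).get("action", [""])[0]
            if action == VULN_ACTION:
                hits.append({"kind": "vuln_action", **entry})
        elif "/wp-content/uploads/" in url.path and is_dangerous_name(os.path.basename(url.path)):
            hits.append({"kind": "php_in_uploads", **entry})
    return hits


def is_dangerous_name(name):
    """True for PHP-like files, double extensions (shell.php.jpg) and .htaccess."""
    if name == ".htaccess":
        return True
    # every extension segment after the base name, so 'shell.php.jpg' is caught
    return any(seg in SCRIPT_EXTS for seg in name.lower().split(".")[1:])


def scan_uploads(root):
    """Return paths (relative to root) of files that should never live under uploads."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if is_dangerous_name(name):
                findings.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(findings)


def build_sample_uploads(root):
    """Constructed fixture: one legitimate image, one dropper, one double-extension file."""
    fixture = {
        "2026/03/invoice.png": b"\x89PNG\r\n",
        "2026/03/shell.php": b"<?php echo 1; ?>",
        "2026/03/avatar.php.jpg": b"<?php echo 2; ?>",
    }
    for rel, body in fixture.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


def demo_scan():
    """Build the fixture in a temp dir and scan it; returns the flagged relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_uploads(root)
        return scan_uploads(root)


if __name__ == "__main__":
    print("vulnerable 1.5.0:", is_vulnerable_version("1.5.0"), "| vulnerable 1.6.0:", is_vulnerable_version("1.6.0"))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("log:", hit)
    for path in demo_scan():
        print("uploads:", path)
```

On a real host, feed `suspicious_requests` the lines of the access log and point `scan_uploads` at `wp-content/uploads`; a `php_in_uploads` hit following a `vuln_action` hit from the same IP, as in the constructed sample, is the pattern of a successful upload followed by the attacker calling the dropped shell.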
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Pix for WooCommerce plugin to version 1.6.0 or later, where the vulnerability is addressed by enforcing authenticated AJAX requests and secure nonce generation.
This update removes unauthenticated AJAX access to critical endpoints and adds nonce-based authentication to prevent arbitrary file uploads and potential remote code execution.
If updating immediately is not possible, block the specific 'lkn_pix_for_woocommerce_c6_save_settings' action at a web application firewall or in web server rules as a temporary measure. Blanket-denying unauthenticated access to admin-ajax.php is a blunter option: it stops this attack but also breaks any legitimate front-end feature that relies on unauthenticated (nopriv) AJAX actions, so test it before applying it to a production store.
Additionally, monitor the site for suspicious activity, review web-writable directories (especially wp-content/uploads) for PHP or double-extension files, and treat any such file as a web shell until proven otherwise.