LeakyCreds

CVE-2026-3891 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: March 13, 2026

Pix for WooCommerce - Unrestricted File Upload

Published: March 13, 2026 | Updated: March 13, 2026 | PoC Available | Remote Exploitable

Overview

The Pix for WooCommerce plugin for WordPress, versions <= 1.5.0, contains an unrestricted file upload vulnerability. The 'lkn_pix_for_woocommerce_c6_save_settings' function lacks both a capability check and file type validation, so unauthenticated attackers can upload arbitrary files, potentially leading to remote code execution.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 12.8% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can upload arbitrary files, potentially leading to remote code execution and full server compromise.

Mitigation

Update to the latest version of Pix for WooCommerce plugin.

Social Media Activity (5 posts)

TheHackerWire
@thehackerwire
Mar 13, 2026

🔓 CVE-2026-3891 - Critical (9.8) The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-3891/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Offensive Sequence
@offseq
Mar 13, 2026

🚨 CVE-2026-3891 (CRITICAL, CVSS 9.8): Pix for WooCommerce plugin allows unauthenticated file uploads via missing checks, risking RCE. Disable/uninstall or apply mitigations now. Affects all versions. Full details: https://radar.offseq.com/threat/cve-2026-3891-cwe-434-unrestricted-upload-of-file--f5fb3cc6 #OffSeq #WordPress #WooCommerce #Vuln


Details

CVE ID: CVE-2026-3891
Severity: Critical
CVSS Score: 9.8
Type: unrestricted_file_upload
Status: new
EPSS: 12.8%
Social Posts: 5

CWE

  • CWE-434

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

12.8% (Probability of exploitation in the next 30 days)