CVE-2026-3891 - Pix for WooCommerce - Unrestricted File Upload

Overview

Pix for WooCommerce plugin for WordPress <= 1.5.0 contains an unrestricted file upload vulnerability caused by missing capability check and file type validation in 'lkn_pix_for_woocommerce_c6_save_settings', letting unauthenticated attackers upload arbitrary files, potentially leading to remote code execution.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 12.8%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can upload arbitrary files, potentially leading to remote code execution and full server compromise.

Mitigation

Update to the latest version of Pix for WooCommerce plugin.

References

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Mar 13, 2026

🔴 CVE-2026-3891 - Critical (9.8) The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-3891/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Mar 13, 2026

🔴 CVE-2026-3891 - Critical (9.8) The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-3891/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

GitHub Repositories(1 repo)

https://github.com/joshuavanderpoll/CVE-2026-3891

CVE-2026-3891 - Vulnerability Analysis

Overview

Severity & Score

Impact

Mitigation

References

Social Media Activity(2 posts)

GitHub Repositories(1 repo)

Related Resources

Details

CWE

CVSS Metrics

EPSS Score