Share
## https://sploitus.com/exploit?id=0D182D4B-D9B1-5CA4-8036-DD0DB1BC588E
```
 โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—
 โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•
 โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—
 โ–ˆโ–ˆโ•”โ•โ•โ•  โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•  โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ•šโ•โ•โ•โ•โ–ˆโ–ˆโ•‘
 โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘
 โ•šโ•โ•     โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•  โ•šโ•โ•โ•โ•โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•โ•โ•โ•โ•โ•
```

```
 โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•—      โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—
 โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ•šโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•”โ•โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘โ•šโ•โ•โ–ˆโ–ˆโ•”โ•โ•โ•
 โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—   โ•šโ–ˆโ–ˆโ–ˆโ•”โ• โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘
 โ–ˆโ–ˆโ•”โ•โ•โ•   โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•”โ•โ•โ•โ• โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘
 โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ• โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘     โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘
 โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•     โ•šโ•โ•โ•โ•โ•โ•โ• โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•   โ•šโ•โ•
```

# ๐Ÿ›ก๏ธ FriendsExploit โ€” CVE-2026-3891

### `Pix for WooCommerce 

---

## ๐Ÿ“– Description

> โšก This tool exploits **CVE-2026-3891**, a critical **unauthenticated arbitrary file upload** vulnerability found in the **Pix for WooCommerce** WordPress plugin (versions โ‰ค 1.5.0).

An unauthenticated attacker can upload arbitrary files (e.g., PHP web shells) to the target server **without any authentication**, leading to **Remote Code Execution (RCE)**.





> โš ๏ธ **DISCLAIMER**
>
> This tool is intended for **authorized penetration testing and educational purposes only**.
> Do not use this tool against systems you do not own or have explicit written permission to test.
> **Unauthorized use is illegal.**



---

## ๐Ÿ” CVE Details


  
    ๐Ÿ†” CVE ID
    CVE-2026-3891
  
  
    ๐Ÿ”Œ Plugin
    Pix for WooCommerce
  
  
    ๐ŸŽฏ Affected
    Versions โ‰ค 1.5.0
  
  
    ๐Ÿ”“ Type
    Unauthenticated Arbitrary File Upload
  
  
    ๐Ÿ’ฅ Impact
    Remote Code Execution (RCE)
  
  
    โš ๏ธ CVSS
    Critical
  


---

## โš™๏ธ Requirements

| Requirement        | Version       | Notes                        |
|--------------------|---------------|------------------------------|
| ๐Ÿ Python          | 3.8+          | Required                     |
| ๐Ÿ–ฅ๏ธ Kali Linux      | Any version   | Recommended                  |
| ๐Ÿ“ฆ PyQt5           | โ‰ฅ 5.15.9      | GUI framework                |
| ๐ŸŒ requests        | โ‰ฅ 2.31.0      | HTTP library                 |
| ๐Ÿ”— urllib3          | โ‰ฅ 2.2.0       | URL handling                 |

---

## ๐Ÿ“ฅ Installation

```bash
# ๐Ÿ“‚ Clone or download the tool
cd "CVE-2026-3891-Linux"

# ๐Ÿ Create a virtual environment
python3 -m venv venv

# โ–ถ๏ธ Activate the virtual environment
source venv/bin/activate

# ๐Ÿ“ฆ Install dependencies
pip install -r requirements.txt
```

---

## ๐Ÿš€ Quick Start

### Method 1 โ€” Auto Launcher (Recommended)

```bash
chmod +x run.sh
./run.sh
```

> `run.sh` will automatically check Python3, create venv, install dependencies, verify PyArmor, and launch the tool.

### Method 2 โ€” Manual Run

```bash
source venv/bin/activate
python3 CVE-2026-3891.py
```

### Method 3 โ€” Run with English Translation

```bash
source venv/bin/activate
python3 patch_runner.py
```

---

## ๐Ÿ–ฑ๏ธ GUI Instructions


  
    #
    Step
    Description
  
  
    1
    ๐ŸŽฏ Targets
    Enter target URL(s) comma-separated or browse to a .txt file
  
  
    2
    ๐Ÿš Shell File (.php)
    Enter the PHP shell filename (default: shell.php)
  
  
    3
    ๐Ÿ“„ Output File
    Specify output file for successful shells (default: shells.txt)
  
  
    4
    ๐Ÿงต Threads
    Set number of concurrent threads (max: 50)
  
  
    5
    โ–ถ๏ธ Start Exploit
    Click to begin the exploitation process
  
  
    6
    โน๏ธ Stop
    Click to halt execution at any time
  
  
    7
    ๐Ÿงน Clear Log
    Click to clear the output log
  


---

## ๐Ÿ“ File Structure

```
CVE-2026-3891-Linux/
โ”œโ”€โ”€ ๐Ÿ“œ CVE-2026-3891.py        # Main exploit script (PyArmor encrypted)
โ”œโ”€โ”€ ๐Ÿ“‚ pyarmor_runtime_000000/  # PyArmor runtime (required)
โ”œโ”€โ”€ ๐Ÿ”„ patch_runner.py          # Translation wrapper (Indonesian โ†’ English)
โ”œโ”€โ”€ ๐Ÿงช patch_test.py            # Alternative translation via Qt hooks
โ”œโ”€โ”€ ๐Ÿš€ run.sh                   # Auto launcher (recommended)
โ”œโ”€โ”€ ๐Ÿ“‹ requirements.txt         # Python dependencies
โ”œโ”€โ”€ ๐Ÿ venv/                    # Virtual environment (auto-created)
โ””โ”€โ”€ ๐Ÿ“– README.md                # This file
```

> โš ๏ธ **Important:** The `pyarmor_runtime_000000/` folder must always be in the same directory as `CVE-2026-3891.py`. **Do not move or delete it.**

---

## ๐Ÿ”„ Translation Layer

The main exploit (`CVE-2026-3891.py`) has Indonesian UI strings. Two translation wrappers are included:

| File | Method | Status |
|------|--------|--------|
| `patch_runner.py` | Scans widgets every 500ms and replaces text | โœ… Recommended |
| `patch_test.py` | Hooks Qt `setText`/`setPlaceholderText` methods | ๐Ÿงช Testing |

Both translate Indonesian labels and placeholders to English before display.

---

## ๐Ÿ“ Notes

- ๐Ÿ“„ Results are saved to `shells.txt` by default.
- ๐Ÿš Make sure your PHP shell file (`shell.php`) is placed in the same directory before running.
- ๐Ÿ–ฅ๏ธ On Kali Linux, always use a virtual environment to avoid system Python conflicts.
- ๐Ÿ”’ The main exploit script is **PyArmor protected** โ€” source code is encrypted.

---

## ๐Ÿ‘จโ€๐Ÿ’ป Developer & Collaboration


  
    
      
        
      
      
      WILLY JR. CARNASA GAILO
      
      ๐Ÿ”ฌ Security Researcher
      
      ๐Ÿ’ป Developer & Exploit Author
      
      
        
      
    
  


> ๐Ÿ’ก *"Building tools for authorized security research and responsible disclosure."*

---

## ๐Ÿ™ Acknowledgments


  
    
      
    
    
      
    
    
      
    
  
  
    
      
    
    
      
    
    
      
    
  




> ๐ŸŽฏ Sa lahat ng **bug bounty hunters** at **security researchers** na nagpo-propose ng responsible disclosure โ€” kayo ang dahilan kung bakit nag-i-improve ang security ng mga web applications.
>
> ๐Ÿ™ Kung may naitulong itong tool sa iyong **authorized penetration testing**, please consider giving back sa open-source security community.

---



### ๐Ÿ“œ Legal Notice

```
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘                                                               โ•‘
โ•‘   This tool is for AUTHORIZED penetration testing only.       โ•‘
โ•‘   Always follow responsible disclosure practices.             โ•‘
โ•‘   Unauthorized use is ILLEGAL and may result in prosecution.  โ•‘
โ•‘                                                               โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
```

---

### ๐Ÿ“Š Repository Stats

![Visitors](https://api.visitorbadge.io/api/visitors?path=willygailo%2FCVE-2026-3891-Linux&countColor=%2337d67a&style=for-the-badge)

---

**ยฉ 2026 FriendsExploit | Developed by Willy Jr. Carnasa Gailo**

Made with ๐Ÿ›ก๏ธ for the security community