## https://sploitus.com/exploit?id=8FF2484F-1FFF-5A2F-B4AC-240B63068217
# CVE-2026-3891-Pix-for-WooCommerce-Plugin-Exploit
## ๐ก๏ธ Description
**CVE-2026-3891** is a critical **Unauthenticated Arbitrary File
Upload** vulnerability found in the **Pix for WooCommerce** WordPress
plugin in versions **up to and including 1.5.0**.
The vulnerability exists in the
`lkn_pix_for_woocommerce_c6_save_settings` functionality due to missing
authorization controls and insufficient file type validation. The
exploit automates the process of obtaining a valid nonce and
demonstrating the unrestricted upload of a PHP file to a web-accessible
directory.
By leveraging this vulnerability, an unauthenticated attacker may be
able to:
- **Upload Arbitrary Files** without authenticating to WordPress.
- **Upload Files with Dangerous Extensions** due to insufficient file
type validation.
- **Access Uploaded Files** directly through a web-accessible plugin
directory.
- **Achieve Remote Code Execution (RCE)** when uploaded PHP files are
executed by the affected web server.
------------------------------------------------------------------------
## ๐ Features
- **Unauthenticated Exploitation Flow**: Does not require valid
WordPress user credentials.
- **Automatic Nonce Retrieval**: Obtains and extracts the required
nonce automatically.
- **Automated File Upload**: Sends the required multipart upload
request to the vulnerable AJAX handler.
- **Direct URL Generation**: Displays the final URL of the uploaded
proof-of-concept file.
- **Clean CLI Output**: Provides a simple and colorized command-line
interface.
------------------------------------------------------------------------
## ๐ ๏ธ Installation & Requirements
1. **Requirement**: Install Python 3.
2. **Install Requests**:
``` bash
pip install requests
```
3. **Clone/Download**: Save the `CVE-2026-3891.py` file on your system.
------------------------------------------------------------------------
## ๐ป Usage
``` bash
python CVE-2026-3891.py
```
Enter the target WordPress URL when prompted:
``` text
[?] Enter target URL: http://localhost/wordpress
```
Example:
``` text
[*] Requesting nonce...
[+] Nonce obtained: **********
[*] Uploading woocommerce.php...
[+] File uploaded successfully!
[+] URL: http://target/wp-content/plugins/payment-gateway-pix-for-woocommerce/Includes/files/certs_c6/woocommerce.php
```

------------------------------------------------------------------------
## โ ๏ธ Disclaimer
This project is intended for **educational purposes and authorized
security testing only**. Do not use this exploit against systems without
explicit permission.
## ๐ค Author
**m4sh_wacker**