Share
## https://sploitus.com/exploit?id=C1F0C6AE-3E9F-5D65-90F4-8A01538561C7
# CVE-2026-3891
Pix for WooCommerce <= 1.5.0 - Unauthenticated Arbitrary File Upload
# ๐ฃ Pix for WooCommerce If protocol is missing โ script auto-adds `http://`
---
### 2๏ธโฃ Add Your Shell
Put your shell file in same directory:
```
shell.php
```
---
### 3๏ธโฃ Run Exploit
```bash
python3 CVE-2026-3891.py
```
---
### 4๏ธโฃ Interactive Inputs
The script will ask:
- Targets file (default: `list.txt`)
- Threads (default: `8`)
- Shell filename (e.g. `shell.php`)
---
## โก Exploitation Flow
1. ๐ฏ Target loaded
2. ๐ Nonce requested
3. ๐ค Shell upload
4. ๐ฅ File uploaded twice
5. ๐ Shell path generated automatically
---
## ๐ Shell Location
```
/wp-content/plugins/payment-gateway-pix-for-woocommerce/Includes/files/certs_c6/.php
```
---
## ๐ค Output
### โ Success
- Displays formatted result
- Shows:
- Target
- Shell path
- Full URL
### โ Failure
```
FAIL http://target.com (reason)
```
---
### ๐ Saved Results
```
shells.txt
```
---
## ๐ Live Progress
```
Progress 5/20 OK:3 FAIL:2
```
---
## โ ๏ธ Disclaimer
This project is provided **for educational and authorized security testing only**.
- Do NOT use on systems without permission
- Unauthorized access is illegal
- The author is NOT responsible for misuse
---
## ๐ค Author
**Nxploited**
- ๐จโ๐ป Khaled Alenazi
- ๐ฌ Telegram: @Kxploit
- ๐ข Channel: https://t.me/KNxploited