Security Alert Summary
The Pix for WooCommerce plugin for WordPress contains an arbitrary file upload vulnerability. Missing capability checks and missing file type validation in a settings save function allow unauthenticated attackers to upload files to the site, which may enable remote code execution in some environments.
CVE Details
- CVE ID: CVE-2026-3891
- Affected plugin/component: Pix for WooCommerce plugin for WordPress
- Affected versions: All versions up to, and including, 1.5.0
- Published: March 13, 2026 at 7:55:10 PM UTC
- Last modified: March 13, 2026 at 7:55:10 PM UTC
- CVSS v3.1: Base Score 9.8, Severity CRITICAL, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Authentication / Privileges / User Interaction: Authentication required: No (unauthenticated); Privileges required: None; User interaction: None; Attack vector: Network; Attack complexity: Low
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- Weakness (CWE): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Technical Details
The vulnerability is caused by the lkn_pix_for_woocommerce_c6_save_settings function neither checking that the caller holds an appropriate capability nor validating the type of the uploaded file. A WordPress settings handler is expected to do both: verify the request comes from an authorized user (for example with current_user_can() and a nonce check) and restrict uploads to an allow-list of safe file types. Because this function did neither, an unauthenticated HTTP request can supply a file of any type and have it written to the affected site's server.
An arbitrary file upload lets an attacker place scripts or other executable content where the web server may execute them, and the CVE entry states that remote code execution may be possible. Whether execution is actually achievable depends on server configuration and other environment-specific factors not specified in the CVE, such as whether PHP execution is permitted in the directory the file lands in and whether the attacker controls the stored file name and extension.
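The following is an added illustration of the weakness class described above, written for this post; it is not the plugin's code and does not reproduce the function named in the CVE. It shows a WordPress AJAX settings handler with the two missing controls (capability check and file type validation), followed by a hardened version of the same handler. The hook names, the `settings_file` form field, the option name and the `manage_woocommerce` capability are assumptions chosen for the example.

```php
<?php
// Example code written for this advisory, not the plugin's source.
// Hook names, the 'settings_file' field, the option name and the capability are assumptions.

// --- Vulnerable pattern -------------------------------------------------------
// Registered for anonymous requests too (wp_ajax_nopriv_*), so anyone can reach it.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' );

function example_save_settings_vulnerable() {
    // No nonce check, no current_user_can() check, no file type validation.
    if ( ! empty( $_FILES['settings_file']['tmp_name'] ) ) {
        $upload_dir = wp_upload_dir();
        $dest = $upload_dir['basedir'] . '/' . basename( $_FILES['settings_file']['name'] );
        // Whatever the client sent (including a .php file) is written under the web root.
        move_uploaded_file( $_FILES['settings_file']['tmp_name'], $dest );
        update_option( 'example_settings_file', $dest );
    }
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------------
// No nopriv hook: anonymous requests never reach the handler, and it still re-checks
// authorization itself rather than trusting that it was only linked from an admin page.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );

function example_save_settings_hardened() {
    // 1. CSRF protection: the admin page must have embedded a nonce for this action.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Authorization: only users who may manage the shop can change gateway settings.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_FILES['settings_file']['tmp_name'] )
        || $_FILES['settings_file']['error'] !== UPLOAD_ERR_OK ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. File type allow-list. wp_check_filetype_and_ext() checks the extension and the
    //    file content, so a PHP script renamed to .png does not pass as an image.
    $allowed = array( 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg' );
    $check   = wp_check_filetype_and_ext(
        $_FILES['settings_file']['tmp_name'],
        $_FILES['settings_file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Let WordPress place the file: it sanitizes the name, applies the allow-list again
    //    and picks a unique file name. test_form is false because this is not the media form.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['settings_file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    update_option( 'example_settings_file', $result['file'] );
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Each `wp_send_json_*` call terminates the request, so a failed check never falls through to the file handling. The capability check is what addresses the "missing capability check" half of the CVE; the allow-list and `wp_handle_upload()` address the "missing file type validation" half. Both are needed: an authenticated administrator uploading a script is still a risk if the site has a compromised admin account, and a correct file filter alone would still let any anonymous visitor change the gateway's settings.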
How This Could Impact Your Website
In a realistic scenario, an external attacker with no account on your site could upload a file of their choosing. If the server executes that file, the attacker gains the permissions of the web server process, which on a typical WordPress host means reading wp-config.php and the database credentials in it, and from there reading or modifying orders, customer records and site content, or disrupting availability. User records exposed this way include the email addresses of editors and administrators, which raises the risk of targeted phishing or social engineering against those accounts. The actual impact depends on server configuration and the other controls in place, but the combination of an unauthenticated entry point and a possible code execution path is why the CVSS score is critical.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin to a release later than 1.5.0 as soon as one is available. If you cannot update immediately, deactivate the plugin until you can.
- Check wp-content/uploads (and any directory the plugin writes to) for files that should not be there, particularly PHP files or files with a double extension such as name.php.jpg, and review the modification dates against the plugin's install and update history.
- Review and reduce unnecessary user roles. This does not stop an unauthenticated attack, but it limits what an attacker can do with any account they later phish or compromise.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and server logs for unusual file uploads or behavior, in particular successful POST requests to admin-ajax.php or the REST API from addresses that do not belong to your staff.
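As an added triage helper for the two log-and-file checks above (example code written for this post, not part of WordPress or the plugin), the script below walks an uploads directory and flags anything that looks like a script, then tallies successful POST requests to admin-ajax.php and the REST API by source address from an Apache/nginx "combined" access log. The uploads path, the log path and the log format are assumptions; adjust them for your host.

```php
<?php
// Triage helper written for this advisory; not part of WordPress or the plugin.
// Usage: php find-uploaded-scripts.php /var/www/html/wp-content/uploads [/var/log/nginx/access.log]
// Assumptions: default WordPress uploads layout, "combined" log format.

$uploads_dir = $argv[1] ?? '';
$access_log  = $argv[2] ?? null;
if ( $uploads_dir === '' || ! is_dir( $uploads_dir ) ) {
    fwrite( STDERR, "usage: php find-uploaded-scripts.php <uploads-dir> [access-log]\n" );
    exit( 2 );
}

// Extensions a typical PHP host will execute; everything else is checked by content.
$script_exts = array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'inc' );

$iter = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $uploads_dir, FilesystemIterator::SKIP_DOTS )
);
$hits = array();
foreach ( $iter as $file ) {
    $path = $file->getPathname();
    $ext  = strtolower( $file->getExtension() );
    $head = @file_get_contents( $path, false, null, 0, 4096 ); // first 4 KiB is enough for a tag
    if ( $head === false ) {
        continue;
    }
    $reason = null;
    if ( in_array( $ext, $script_exts, true ) ) {
        $reason = 'script extension';
    } elseif ( stripos( $head, '<?php' ) !== false || strpos( $head, '<?=' ) !== false ) {
        // e.g. a PHP shell saved as .png, which some handlers still execute
        $reason = 'PHP open tag inside non-script file';
    } elseif ( stripos( $file->getFilename(), '.php' ) !== false ) {
        $reason = 'double extension containing .php';
    }
    if ( $reason !== null ) {
        $hits[] = array( 'mtime' => date( 'c', $file->getMTime() ), 'reason' => $reason, 'path' => $path );
    }
}

echo count( $hits ) . " suspicious file(s) under $uploads_dir\n";
foreach ( $hits as $h ) {
    printf( "%s  %-40s  %s\n", $h['mtime'], $h['reason'], $h['path'] );
}

if ( $access_log !== null && is_readable( $access_log ) ) {
    $counts = array();
    $fh = fopen( $access_log, 'r' );
    while ( ( $line = fgets( $fh ) ) !== false ) {
        // combined format: IP ident user [date] "METHOD URI PROTO" status size "ref" "ua"
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m ) ) {
            continue;
        }
        list( , $ip, $when, $method, $uri, $status ) = $m;
        $is_admin_endpoint = strpos( $uri, '/wp-admin/admin-ajax.php' ) === 0
            || strpos( $uri, '/wp-json/' ) === 0;
        if ( $method === 'POST' && $status[0] === '2' && $is_admin_endpoint ) {
            $counts[ $ip ] = ( $counts[ $ip ] ?? 0 ) + 1;
        }
    }
    fclose( $fh );
    arsort( $counts );
    echo "\nSuccessful POSTs to admin-ajax.php / REST API by source address (top 20):\n";
    foreach ( array_slice( $counts, 0, 20, true ) as $ip => $n ) {
        printf( "%6d  %s\n", $n, $ip );
    }
}
```

A hit in the file scan is not proof of compromise (some plugins legitimately store .inc or .phar files), but anything under uploads with a PHP open tag deserves a manual look, and its modification time tells you when to start reading the log. The access-log tally cannot tell an authenticated request from an anonymous one, so compare the top source addresses against the addresses your administrators actually use; unfamiliar addresses with many successful POSTs to these endpoints are the ones to investigate first.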
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/payment-gateway-pix-for-woocommerce/tags/1.4.0/Includes/LknPaymentPixForWoocommercePixC6.php#L694
- https://plugins.trac.wordpress.org/changeset/3480639/payment-gateway-pix-for-woocommerce#file56
- https://www.wordfence.com/threat-intel/vulnerabilities/id/20188fd3-c330-4c76-912b-72731e14c450?source=cve