CVE-2026-3891

Name of the Vulnerable Software and Affected Versions Pix for WooCommerce versions up to and including 1.5.0

Description The Pix for WooCommerce plugin for WordPress is susceptible to arbitrary file uploads. This is due to a missing capability check and a lack of file type validation within the lkn pix for woocommerce c6 save settings function. This allows unauthenticated attackers to upload arbitrary files to the affected server, potentially leading to remote code execution. The lkn pix for woocommerce c6 save settings function is the point of entry for this issue.

Recommendations Versions up to and including 1.5.0 should be updated to a newer, fixed version when available. As a temporary workaround, consider restricting access to the lkn pix for woocommerce c6 save settings function until a patch is available.