PT-2026-25155 · Linknacional · Xforwoocommerce

Alexis Lafontaine

Published

2026-03-13

Updated

2026-03-30

CVE-2026-3891

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Pix for WooCommerce versions up to and including 1.5.0

Description The Pix for WooCommerce plugin for WordPress is susceptible to arbitrary file uploads. This is due to a missing capability check and a lack of file type validation within the lkn pix for woocommerce c6 save settings function. This allows unauthenticated attackers to upload arbitrary files to the affected server, potentially leading to remote code execution. The lkn pix for woocommerce c6 save settings function is the point of entry for this issue.

Recommendations Versions up to and including 1.5.0 should be updated to a newer, fixed version when available. As a temporary workaround, consider restricting access to the lkn pix for woocommerce c6 save settings function until a patch is available.

Fix

RCE

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2026-3891

Affected Products

Xforwoocommerce

PT-2026-25155 · Linknacional · Xforwoocommerce

CVE-2026-3891

Weakness Enumeration

Related Identifiers

Affected Products

References · 12