CVE-2026-3891:

Critical arbitrary file upload vulnerability in Pix for WooCommerce WordPress plugin allows unauthenticated remote code execution.

Score
A numerical rating that indicates how dangerous this vulnerability is.

9.8Critical

Published Date:Mar 13, 2026
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:0.1
EPSS Percentile:32%

Exploitability

Score:3.9
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.9
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Critical arbitrary file upload vulnerability in Pix for WooCommerce WordPress plugin allows unauthenticated remote code execution.

Overview

This vulnerability, identified as CVE-2026-3891, poses a severe risk to WordPress sites using the Pix for WooCommerce plugin. With a CVSS v3.1 base score of 9.8 (Critical), it requires no user interaction or privileges to exploit. The vulnerability affects the plugin's file handling mechanism, allowing attackers to bypass security measures and upload malicious files. This could lead to complete system compromise, including unauthorized access to sensitive data, website defacement, or use of the server for further malicious activities.

Remediation

To mitigate this vulnerability, site administrators should immediately update the Pix for WooCommerce plugin to the latest version that addresses this security issue. If an update is not available, it is strongly recommended to disable or remove the plugin until a patch is released. Additionally, implementing strong file upload restrictions, regularly monitoring for unauthorized file changes, and maintaining robust access controls are crucial steps in preventing similar vulnerabilities. Website owners should also consider using Web Application Firewalls (WAF) and keeping all WordPress core files, themes, and plugins up to date.