CVE-2026-3891

Pix for WooCommerce · Pix for WooCommerce (WordPress Plugin)

The Pix for WooCommerce WordPress plugin (up to 1.5.0) is vulnerable to unauthenticated arbitrary file uploads due to missing capability checks and file type validation.

Executive summary

Unauthenticated attackers can upload malicious files, including web shells, to WordPress servers running the Pix for WooCommerce plugin, leading to complete site takeover.

Vulnerability

The lkn_pix_for_woocommerce_c6_save_settings function lacks both a capability check (authorization) and file type validation. This allows any unauthenticated visitor to upload arbitrary files, such as PHP scripts, directly to the server's web directory.

Business impact

This is a critical vulnerability with a CVSS score of 9.8. Successful exploitation allows for unauthenticated remote code execution (RCE). An attacker can gain full control over the WordPress installation, steal customer data, deface the website, or use the server to launch further attacks, causing severe reputational and financial damage.

Remediation

Immediate Action: Update the Pix for WooCommerce plugin to the latest patched version (all versions up to 1.5.0 are affected). If no patch is available, deactivate and remove the plugin.

Proactive Monitoring: Scan the WordPress wp-content/uploads directory for PHP files (including double extensions such as .php.jpg) and review web server logs for POST requests that invoke the affected settings-save function.
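As an added illustration of the monitoring step above (not code from the advisory or the plugin), the following Python flags PHP-looking files under an uploads tree and access-log lines worth a second look; the admin-ajax action name appearing in the query string, the sample log lines and the sample files are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Never legitimate under wp-content/uploads: PHP on any suffix (catches shell.php.jpg) or a PHP open tag.
PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}
PHP_TAG = re.compile(rb"<\?(php|=)")
# Common/combined access-log format; only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" \d{3}')
UPLOADED_PHP = re.compile(r"/wp-content/uploads/.*\.ph(p\d?|tml|ar)(\?|$)")

def find_php_in_uploads(uploads_dir):
    """Return relative paths of files whose name or first 4 KiB look like PHP."""
    hits = []
    for path in (p for p in Path(uploads_dir).rglob("*") if p.is_file()):
        by_ext = bool({s.lower() for s in path.suffixes} & PHP_EXTS)
        with path.open("rb") as fh:
            by_tag = PHP_TAG.search(fh.read(4096)) is not None
        if by_ext or by_tag:
            hits.append(path.relative_to(uploads_dir).as_posix())
    return sorted(hits)

def suspicious_requests(log_lines, action="lkn_pix_for_woocommerce_c6_save_settings"):
    """Flag POSTs naming the affected action (assumed to be in the query string; an action
    sent only in the POST body never reaches the access log) and hits on PHP under uploads."""
    findings = []
    for line in log_lines:
        if not (m := LOG_RE.match(line)):
            continue
        if m["method"] == "POST" and action in m["uri"]:
            findings.append((m["ip"], "settings-save POST", m["uri"]))
        elif UPLOADED_PHP.search(m["uri"]):
            findings.append((m["ip"], "php under uploads", m["uri"]))
    return findings

# Constructed sample data (not real traffic or files).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Mar/2026:10:00:00 +0000] "POST /wp-admin/admin-ajax.php?action=lkn_pix_for_woocommerce_c6_save_settings HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Mar/2026:10:00:03 +0000] "GET /wp-content/uploads/2026/03/cache.php HTTP/1.1" 200 88',
    '198.51.100.7 - - [01/Mar/2026:10:01:00 +0000] "GET /wp-content/uploads/2026/03/logo.png HTTP/1.1" 200 4096',
]

def build_sample_uploads():
    """Throwaway tree: clean image, double-extension file, image-named file holding PHP."""
    root = Path(tempfile.mkdtemp()) / "2026" / "03"
    root.mkdir(parents=True)
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (root / "shell.php.jpg").write_bytes(b"<?php echo 'x'; ?>")
    (root / "image.jpg").write_bytes(b"GIF89a<?php echo 'y'; ?>")
    return root.parent.parent
```

A file flagged by content but carrying an image extension is the case a plain `find -name '*.php'` misses, which is why both checks run.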

Compensating Controls: Use a Web Application Firewall (WAF) with rules to block PHP file uploads, and configure the web server so that PHP is never executed from the uploads folder.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The lack of basic security checks in a file upload function is a critical failure. Administrators must update the plugin immediately to mitigate the risk of a total site compromise. Given the severity, we recommend a full security audit of the WordPress environment to ensure no backdoors were planted if the plugin was already exposed.