Refine your search
4 vulnerabilities found for PixelYourSite Pro – Your smart PIXEL (TAG) Manager by pixelyoursite
CVE-2026-7049 (GCVE-0-2026-7049)
Vulnerability from cvelistv5
Published
2026-05-02 05:29
Modified
2026-05-04 17:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
The PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the scan_video. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The SSRF is blind because fetched response bodies are only parsed internally for YouTube/Vimeo patterns and are never returned to the attacker.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pixelyoursite | PixelYourSite Pro – Your smart PIXEL (TAG) Manager |
Version: 0 ≤ 12.5.0.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7049",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T17:11:09.524155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T17:11:20.543Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PixelYourSite Pro \u2013 Your smart PIXEL (TAG) Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "12.5.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Osvaldo Noe Gonzalez Del Rio"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PixelYourSite Pro \u2013 Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the scan_video. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The SSRF is blind because fetched response bodies are only parsed internally for YouTube/Vimeo patterns and are never returned to the attacker."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-02T05:29:27.706Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/273e25aa-4c00-4463-afc5-d8b2433af064?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/trunk/includes/events/EmbeddedVideo.php#L83"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.5.0/includes/events/EmbeddedVideo.php#L83"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/trunk/includes/events/EmbeddedVideo.php#L66"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.5.0/includes/events/EmbeddedVideo.php#L66"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/trunk/includes/events/EmbeddedVideo.php#L92"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.5.0/includes/events/EmbeddedVideo.php#L92"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.4.1.1/includes/events/EmbeddedVideo.php#L83"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.4.1.1/includes/events/EmbeddedVideo.php#L66"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.4.1.1/includes/events/EmbeddedVideo.php#L92"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-25T18:04:23.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-01T16:53:58.000Z",
"value": "Disclosed"
}
],
"title": "PixelYourSite Pro \u003c= 12.5.0.1 - Unauthenticated Blind Server-Side Request Forgery via \u0027urls[]\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7049",
"datePublished": "2026-05-02T05:29:27.706Z",
"dateReserved": "2026-04-25T17:47:53.216Z",
"dateUpdated": "2026-05-04T17:11:20.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1844 (GCVE-0-2026-1844)
Vulnerability from cvelistv5
Published
2026-02-13 21:23
Modified
2026-04-08 16:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The PixelYourSite PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 12.4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pixelyoursite | PixelYourSite Pro – Your smart PIXEL (TAG) Manager |
Version: 0 ≤ 12.4.0.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1844",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T20:34:57.217665Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T20:35:06.976Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PixelYourSite Pro \u2013 Your smart PIXEL (TAG) Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "12.4.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Osvaldo Noe Gonzalez Del Rio"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PixelYourSite PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027pysTrafficSource\u0027 parameter and the \u0027pys_landing_page\u0027 parameter in all versions up to, and including, 12.4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:35:47.049Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0fa6a112-ee69-43eb-bded-daba2c2c4dc5?source=cve"
},
{
"url": "https://www.pixelyoursite.com/plugins/pixelyoursite-professional"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-03T18:06:57.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-13T08:43:25.000Z",
"value": "Disclosed"
}
],
"title": "PixelYourSite PRO \u003c= 12.4.0.2 - Unauthenticated Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1844",
"datePublished": "2026-02-13T21:23:04.880Z",
"dateReserved": "2026-02-03T18:02:12.987Z",
"dateUpdated": "2026-04-08T16:35:47.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-7870 (GCVE-0-2024-7870)
Vulnerability from cvelistv5
Published
2024-09-04 08:30
Modified
2026-04-08 17:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
The PixelYourSite – Your smart PIXEL (TAG) & API Manager and the PixelYourSite PRO plugins for WordPress are vulnerable to Sensitive Information Exposure in all versions up to, and including, 9.7.1 and 10.4.2, respectively, through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, and to delete log files.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| pixelyoursite | PixelYourSite – Your smart PIXEL (TAG) & API Manager |
Version: 0 ≤ 9.7.1 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pixelyoursite:pixelyoursite_pro:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "pixelyoursite_pro",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "10.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:pixelyoursite:pixelyoursite:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "pixelyoursite",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "9.7.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T14:08:38.834612Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T14:10:13.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "9.7.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PixelYourSite Pro \u2013 Your smart PIXEL (TAG) Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "10.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Grant Grubbs"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager and the PixelYourSite PRO plugins for WordPress are vulnerable to Sensitive Information Exposure in all versions up to, and including, 9.7.1 and 10.4.2, respectively, through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, and to delete log files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:03:26.406Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7fd7a515-6389-4152-8dac-d5497dd94f6d?source=cve"
},
{
"url": "https://github.com/WordpressPluginDirectory/pixelyoursite/blob/main/pixelyoursite/includes/logger/class-pys-logger.php#L126"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite/trunk/includes/class-pys.php#L114"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3143047/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-03T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager \u003c= 9.7.1 and PixelYourSite PRO \u003c= 10.4.2 - Unauthenticated Information Exposure and Log Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7870",
"datePublished": "2024-09-04T08:30:37.877Z",
"dateReserved": "2024-08-15T23:51:21.000Z",
"dateUpdated": "2026-04-08T17:03:26.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-2584 (GCVE-0-2023-2584)
Vulnerability from cvelistv5
Published
2023-06-09 05:33
Modified
2026-04-08 16:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 9.3.6 (9.6.1 in the Pro version) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| pixelyoursite | PixelYourSite – Your smart PIXEL (TAG) & API Manager |
Version: 0 ≤ 9.3.6 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:26:09.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5ebf1e83-50b8-4f56-ba76-10100375edda?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite/trunk/modules/head_footer/head_footer.php?rev=2773949#L73"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2912301%40pixelyoursite%2Ftrunk\u0026old=2897911%40pixelyoursite%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2584",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T18:29:35.333884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T19:43:08.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "9.3.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PixelYourSite Pro \u2013 Your smart PIXEL (TAG) Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "9.6.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Marco Wotschka"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 9.3.6 (9.6.1 in the Pro version) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:56:13.669Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5ebf1e83-50b8-4f56-ba76-10100375edda?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite/trunk/modules/head_footer/head_footer.php?rev=2773949#L73"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2912301%40pixelyoursite%2Ftrunk\u0026old=2897911%40pixelyoursite%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file2"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-08T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "PixelYourSite \u003c= 9.3.6 and PixelYourSite Pro \u003c= 9.6.1 - Authenticated (Administrator+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2584",
"datePublished": "2023-06-09T05:33:19.003Z",
"dateReserved": "2023-05-08T17:27:38.235Z",
"dateUpdated": "2026-04-08T16:56:13.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}