Description
The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the "Meta API logs" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1.
Published: 2025-12-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The PixelYourSite WordPress plugin writes log files that, when the "Meta API logs" option is enabled, are accessible from the web. Unauthenticated attackers can read these files and obtain potentially confidential data. The weakness is a classic information‑exposure flaw identified as CWE‑200.

Affected Systems

All versions of PixelYourSite up to and including 11.1.5 are affected. The vulnerability is resolved in 11.1.5.1; upgrading to that version removes the exposed log‑file path and stops the disclosure.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact, while the EPSS score of less than 1% reflects a very low likelihood of exploitation. The log files can be read over HTTP without authentication, so the attack vector is unauthenticated network access. In practice, an attacker needs to know the URL of the log file, and a site is exposed only if an administrator has enabled the "Meta API logs" setting.

Generated by OpenCVE AI on April 22, 2026 at 15:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PixelYourSite to version 11.1.5.1.
  • If an upgrade is not immediately possible, disable the "Meta API logs" setting to prevent log files from being generated or exposed.
  • Verify that log files placed in the wp-content/uploads/pixelyoursite directory are not world‑readable; if they exist, delete or secure them.

Advisories

No advisories yet.

History

Mon, 05 Jan 2026 10:45:00 +0000

Values Removed: (none)
Values Added:
  • First Time appeared: Pixelyoursite; Pixelyoursite pixelyoursite; Wordpress; Wordpress wordpress
  • Vendors & Products: Pixelyoursite; Pixelyoursite pixelyoursite; Wordpress; Wordpress wordpress

Tue, 30 Dec 2025 23:15:00 +0000

Values Removed: (none)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Dec 2025 18:30:00 +0000

Values Removed: (none)
Values Added:
  • Description: The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the "Meta API logs" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1.
  • Title: PixelYourSite <= 11.1.5 - Sensitive Information Exposure via Log File
  • Weaknesses: CWE-200
  • References:
  • Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:52.110Z

Reserved: 2025-12-08T17:15:54.201Z

Link: CVE-2025-14280

Vulnrichment

Updated: 2025-12-30T21:57:54.263Z

NVD

Status: Deferred

Published: 2025-12-29T19:15:54.870

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14280

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:00:12Z
