Description
The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 11.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2026-27072 is likely a duplicate of this issue.
Published: 2026-02-13
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side Code Execution via Stored XSS
Action: Patch Now
AI Analysis

Impact

The PixelYourSite plugin for WordPress contains a stored cross‑site scripting flaw that allows attackers to embed arbitrary scripts in website pages. The flaw resides in the pysTrafficSource and pys_landing_page parameters and results from missing input sanitisation and output escaping. When a victim user visits a page that includes the attacker‑controlled data, the injected script runs in the user’s browser, potentially compromising session data, defacing content or redirecting the user to malicious sites.

Affected Systems

WordPress sites that have installed the PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin version 11.2.0 or older. The vulnerability applies across all installations of that plugin, regardless of other configuration.

Risk and Exploitability

The flaw carries a CVSS score of 7.2 and an EPSS probability of less than 1 %. It is not listed in the CISA KEV catalog, but its unauthenticated nature and stored‑payload characteristic make it attractive to attackers. Exploitation requires only that an attacker submit a malicious payload via the vulnerable parameters, which will then be stored and executed for any user who views the affected page. No elevated privileges or additional malware delivery is necessary.

Generated by OpenCVE AI on April 15, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of PixelYourSite that addresses the stored XSS vulnerability.
  • Clean any existing order enrichment entries that may contain script tags in pysTrafficSource or pys_landing_page using the plugin’s settings or direct database queries.
  • Deploy a Content‑Security‑Policy header that restricts script sources to trusted domains to mitigate the impact of any remaining XSS payloads.
  • If an update cannot be applied immediately, manually enforce output escaping on the affected fields before rendering them in templates.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
Values Removed: The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 11.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Values Added: The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 11.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2026-27072 is likely a duplicate of this issue.

Tue, 17 Feb 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Pixelyoursite; Pixelyoursite pixelyoursite – Your Smart Pixel (tag) & Api Manager; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Pixelyoursite; Pixelyoursite pixelyoursite – Your Smart Pixel (tag) & Api Manager; Wordpress; Wordpress wordpress

Fri, 13 Feb 2026 21:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 11.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: PixelYourSite <= 11.2.0 - Unauthenticated Stored Cross-Site Scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:13.845Z

Reserved: 2026-02-03T16:57:17.381Z

Link: CVE-2026-1841

Vulnrichment

Updated: 2026-02-17T20:36:24.091Z

NVD

Status: Deferred

Published: 2026-02-13T22:16:10.833

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1841

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:45:06Z