Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixelYourSite PixelYourSite – Your smart PIXEL (TAG) Manager pixelyoursite allows Stored XSS.This issue affects PixelYourSite – Your smart PIXEL (TAG) Manager: from n/a through <= 11.2.0.1.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in the PixelYourSite plugin.
Action: Immediate Patch
AI Analysis

Impact

The PixelYourSite – Your smart PIXEL (TAG) Manager plugin allows stored cross‑site scripting by improperly neutralizing user input during web page generation. This flaw permits an attacker who can add or edit pixel tags to inject malicious JavaScript into the admin interface or the front‑end of a WordPress site. The impact is key‑logging, session hijacking, or other client‑side attacks that threaten confidentiality and integrity, with the potential to affect all users who view the compromised site. The vulnerability is classified as CWE‑79.

Affected Systems

WordPress sites that use the PixelYourSite – Your smart PIXEL (TAG) Manager plugin at versions n/a through 11.2.0.1. This includes any site where the plugin is installed and active.

Risk and Exploitability

The CVSS score of 7.1 indicates a high potential for damage, while the EPSS score of less than 1% suggests low exploitation probability at this time. The flaw is not listed in the CISA KEV catalog, but the risk is elevated if an attacker can achieve the necessary privileges to create or modify pixel tags. An attacker with sufficient access can leverage the stored XSS to compromise visitors or administrators of the affected WordPress installation.

Generated by OpenCVE AI on April 15, 2026 at 23:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the PixelYourSite – Your smart PIXEL (TAG) Manager plugin to version 11.2.0.2 or newer.
  • Remove or sanitize any pixel tags that were added before the update to eliminate existing malicious scripts.
  • Review other installed plugins and custom code for similar input handling weaknesses, and apply updates or patches as needed.

Generated by OpenCVE AI on April 15, 2026 at 23:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Pixelyoursite
Pixelyoursite pixelyoursite – Your Smart Pixel (tag) Manager
Wordpress
Wordpress wordpress
Vendors & Products Pixelyoursite
Pixelyoursite pixelyoursite – Your Smart Pixel (tag) Manager
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixelYourSite PixelYourSite – Your smart PIXEL (TAG) Manager pixelyoursite allows Stored XSS.This issue affects PixelYourSite – Your smart PIXEL (TAG) Manager: from n/a through <= 11.2.0.1.
Title WordPress PixelYourSite – Your smart PIXEL (TAG) Manager plugin <= 11.2.0.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Pixelyoursite Pixelyoursite – Your Smart Pixel (tag) Manager
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:04.337Z

Reserved: 2026-02-17T13:23:51.341Z

Link: CVE-2026-27072

cve-icon Vulnrichment

Updated: 2026-02-23T14:32:35.409Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:45.037

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27072

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T00:00:14Z

Weaknesses