Description
The PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the 'scan_video' functionality (the 'urls[]' parameter). This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information on internal services. The SSRF is blind because fetched response bodies are only parsed internally for YouTube/Vimeo patterns and are never returned to the attacker.
Published: 2026-05-02
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The PixelYourSite Pro plugin for WordPress contains a blind Server-Side Request Forgery: an unauthenticated attacker can supply arbitrary URLs through the 'urls[]' parameter of the 'scan_video' functionality and the application fetches them server-side. Response bodies are parsed only for YouTube or Vimeo patterns and are never returned to the attacker, so nothing of the fetched content is disclosed directly. The flaw is still useful to an attacker: the requests originate from the WordPress server, so they can reach hosts that are not exposed to the internet (internal services, a cloud instance-metadata endpoint), the attacker can infer which hosts and ports respond from timing and error behaviour, and side effects can be triggered on internal services that act on unauthenticated GET requests.

Affected Systems

All versions of the PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin up to and including version 12.5.0.1 are affected. The vulnerability was confirmed in the 12.4.1.1 and 12.5.0 releases and is present throughout the plugin's trunk code at the source lines cited in the advisory's references.

Risk and Exploitability

The CVSS 3.1 base score of 7.2 (vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) is rated High: the attack is network-reachable, needs no privileges or user interaction, and changes scope because the forged requests reach systems other than the vulnerable plugin. The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, so no widespread exploitation is known at this time. The attack vector is an unauthenticated HTTP request to the 'scan_video' functionality carrying attacker-chosen 'urls[]' values, which the server then fetches.

Generated by OpenCVE AI on May 2, 2026 at 11:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the PixelYourSite Pro plugin to a release newer than 12.5.0.1 as soon as the vendor publishes one that patches the SSRF flaw; at the time of writing this page records no fixed version.
  • If an upgrade is not immediately possible, disable or remove the 'scan_video' functionality, or modify the code so that each 'urls[]' entry is validated before it is fetched: require https, reject URLs carrying userinfo, accept only the YouTube and Vimeo hostnames the feature needs (an allowlist, not a blocklist), reject hosts that resolve to loopback, private, link-local or other non-public addresses, and limit or disable redirect following.
  • Apply egress filtering on the host or network (firewall or forward proxy) so the WordPress instance cannot open connections to internal IP ranges or the cloud instance-metadata address. A web application firewall rule can additionally drop inbound requests whose 'urls[]' values are not YouTube or Vimeo URLs, but a WAF does not control outbound traffic.
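The following is an added example of the allowlist check recommended above; it is not PixelYourSite code and does not reflect how the plugin's 'scan_video' handler is written. All pys_example_* names, the allowlisted host list and the sample inputs are assumptions constructed for the demonstration, and the resolver is injectable so the check runs offline.

```php
<?php
// Added example, not PixelYourSite code: a destination allowlist for a
// 'urls[]'-style video scanner. All pys_example_* names are hypothetical.
declare(strict_types=1);

// Hosts the scanner legitimately needs. Allowlist, not blocklist.
const PYS_EXAMPLE_ALLOWED_HOSTS = [
    'www.youtube.com', 'youtube.com', 'youtu.be', 'vimeo.com', 'player.vimeo.com',
];

// True for a public unicast address. NO_PRIV_RANGE drops 10/8, 172.16/12,
// 192.168/16 and fc00::/7; NO_RES_RANGE drops 0/8, 127/8, 169.254/16 (where
// cloud metadata lives), 240/4, ::1, ::, ::ffff:0:0/96 and fe80::/10.
// 100.64.0.0/10 (CGNAT) is covered by neither flag; add it if relevant.
function pys_example_is_public_ip(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Real resolver: every A/AAAA answer must pass, not just the first one.
function pys_example_resolve(string $host): array
{
    $ips = [];
    foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rr) {
        $ips[] = $rr['ip'] ?? $rr['ipv6'] ?? '';
    }
    return array_values(array_filter($ips));
}

// Validate one 'urls[]' entry. Returns the normalised URL, or null with $why
// set. $resolve is injectable so the check can be exercised without network.
function pys_example_validate_video_url(string $url, ?string &$why = null, ?callable $resolve = null): ?string
{
    $why = null;
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        $why = 'unparseable or no host';
        return null;
    }
    if (strtolower($p['scheme']) !== 'https') {
        $why = 'scheme is not https';          // also blocks file://, gopher://, ...
        return null;
    }
    if (isset($p['user']) || isset($p['pass'])) {
        $why = 'userinfo present';             // https://youtube.com@10.0.0.5/ confusion
        return null;
    }
    $host = strtolower(rtrim($p['host'], '.'));
    if (!in_array($host, PYS_EXAMPLE_ALLOWED_HOSTS, true)) {
        $why = "host '$host' not allowlisted";  // also rejects youtube.com.evil.example
        return null;
    }
    if (isset($p['port']) && $p['port'] !== 443) {
        $why = 'non-standard port';
        return null;
    }
    // Check what the allowlisted name actually resolves to. A rebinding between
    // this check and the fetch is a TOCTOU; the fetch should pin the address
    // checked here instead of resolving the name a second time.
    foreach (($resolve ?? 'pys_example_resolve')($host) as $ip) {
        if (!pys_example_is_public_ip($ip)) {
            $why = "host resolves to non-public address $ip";
            return null;
        }
    }
    return 'https://' . $host . ($p['path'] ?? '/') . (isset($p['query']) ? '?' . $p['query'] : '');
}

// Offline demo with a constructed resolver map (TEST-NET addresses, no network).
$fakeDns = [
    'www.youtube.com'  => ['203.0.113.10'],
    'vimeo.com'        => ['198.51.100.7'],
    'player.vimeo.com' => ['10.0.0.5'],  // constructed: a poisoned/rebound answer
];
$resolve = fn(string $h): array => $fakeDns[$h] ?? [];

$samples = [  // constructed benign and attacker inputs
    'https://www.youtube.com/watch?v=dQw4w9WgXcQ',
    'https://WWW.YouTube.com./watch?v=abc',
    'http://127.0.0.1:8080/admin',
    'https://youtube.com@169.254.169.254/latest/meta-data/',
    'https://www.youtube.com.evil.example/watch',
    'https://vimeo.com:8443/',
    'https://player.vimeo.com/video/1',
];
foreach ($samples as $s) {
    $ok = pys_example_validate_video_url($s, $why, $resolve);
    printf("%-58s %s\n", $s, $ok !== null ? "FETCH $ok" : "REJECT ($why)");
}
```

Inside a WordPress plugin the validated URL should then be fetched with wp_safe_remote_get(), which applies core's own private-range check (wp_http_validate_url()) but no per-feature host allowlist, so the allowlist belongs in the plugin; pass a small 'redirection' limit so a 3xx from an allowlisted host cannot steer the request elsewhere, and keep the response body out of the HTTP reply to the caller, as the current code already does.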



Advisories

No advisories yet.

History

Mon, 04 May 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 02 May 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Pixelyoursite; Pixelyoursite pixelyoursite Pro – Your Smart Pixel (tag) Manager; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Pixelyoursite; Pixelyoursite pixelyoursite Pro – Your Smart Pixel (tag) Manager; Wordpress; Wordpress wordpress

Sat, 02 May 2026 06:00:00 +0000

Type: Description
Values Added: The PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the scan_video. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The SSRF is blind because fetched response bodies are only parsed internally for YouTube/Vimeo patterns and are never returned to the attacker.
Type: Title
Values Added: PixelYourSite Pro <= 12.5.0.1 - Unauthenticated Blind Server-Side Request Forgery via 'urls[]' Parameter
Type: Weaknesses
Values Added: CWE-918
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-04T17:11:20.543Z

Reserved: 2026-04-25T17:47:53.216Z

Link: CVE-2026-7049

Vulnrichment

Updated: 2026-05-04T17:11:14.244Z

NVD

Status: Deferred

Published: 2026-05-02T06:16:04.647

Modified: 2026-05-05T19:15:59.927

Link: CVE-2026-7049

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T11:45:41Z

Weaknesses