Pixelyoursite

By the Year

In 2026 there have been 7 vulnerabilities in Pixelyoursite with an average score of 7.6 out of ten. Last year, in 2025 Pixelyoursite had 4 security vulnerabilities published. That is, 3 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 3.50.

Recent Pixelyoursite Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-7613	May 20, 2026	WordPress PixelYourSite <=1.2.12 Stored XSS via csvdata[0][cost_of_goods_value] The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csvdata[0][cost_of_goods_value]' parameter in versions up to, and including, 1.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-7637	May 20, 2026	Boost WP Plugin PHP Object Injection v2.0.3 (STYXKEY Cookie) The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
CVE-2026-9010	May 20, 2026	Boost WP Plugin <=2.0.3 Time-Based SQLi via current_url & user_name The Boost plugin for WordPress is vulnerable to time-based SQL Injection via the 'current_url' and 'user_name' parameters in versions up to, and including, 2.0.3 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2026-7049	May 02, 2026	PixelYourSite Pro <=12.5.0.1 SSRF via scan_video The PixelYourSite Pro Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the scan_video. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The SSRF is blind because fetched response bodies are only parsed internally for YouTube/Vimeo patterns and are never returned to the attacker.
CVE-2026-27072	Feb 20, 2026	PixelYourSite <=11.2.0.1 PIXEL Manager StoredXSS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixelYourSite PixelYourSite Your smart PIXEL (TAG) Manager pixelyoursite allows Stored XSS.This issue affects PixelYourSite Your smart PIXEL (TAG) Manager: from n/a through <= 11.2.0.1.	Pixelyoursite
CVE-2026-1844	Feb 13, 2026	WordPress PixelYourSite PRO 12.4.0.2 XSS via pysTS/pysLP The PixelYourSite PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 12.4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-1841	Feb 13, 2026	PixelYourSite Plugin 11.2.0 Stored XSS via pysTrafficSource/pys_landing_page The PixelYourSite Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 11.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	Pixelyoursite
CVE-2025-14280	Dec 29, 2025	The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the "Meta API logs" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1.
CVE-2025-10723	Oct 24, 2025	PixelYourSite WP Plugin LFI via Unvalidated URL Paths Pre-11.1.2 The PixelYourSite WordPress plugin before 11.1.2 does not validate some URL parameters before using them to generate paths passed to function/s, allowing any admins to perform LFI attacks	Pixelyoursite
CVE-2025-10588	Oct 22, 2025	CVE-2025-10588 PixelYourSite <11.1.2 CSRF via Missing Nonce The PixelYourSite Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.