CVSS 7.2 · HIGH

CVE-2026-7049


Analysis

PixelYourSite Pro is a widely used commercial WordPress plugin. This vulnerability allows unauthenticated SSRF, which is a significant risk for sites hosted on cloud infrastructure where an attacker could probe internal services or cloud metadata APIs.
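
A destination check of the kind that blunts this class of SSRF, as an added example: it is generic PHP written for this page, not PixelYourSite's code or its patch. The function name `is_public_fetch_target`, the injectable resolver and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example: generic destination check, not PixelYourSite's code or patch.
// is_public_fetch_target() and the sample hosts are hypothetical/constructed.
/**
 * True only when the URL is http(s) and every address its host resolves to
 * is publicly routable. $resolver is injectable so the check runs offline.
 */
function is_public_fetch_target(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = trim($parts['host'], '[]'); // strip brackets around IPv6 literals
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];
    } else {
        $resolver = $resolver ?? static function (string $name): array {
            $records = @dns_get_record($name, DNS_A | DNS_AAAA) ?: [];
            return array_map(static fn(array $r): string => $r['ip'] ?? $r['ipv6'] ?? '', $records);
        };
        $addresses = $resolver($host);
    }
    if ($addresses === []) {
        return false; // unresolvable host: nothing to vet, so refuse
    }
    // Reject loopback, RFC 1918, link-local (incl. 169.254.169.254) and similar.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($addresses as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed inputs; the stub resolver stands in for DNS.
$stub = static fn(string $h): array =>
    ['video.example' => ['93.184.216.34'], 'intranet.example' => ['10.0.0.5']][$h] ?? [];
foreach ([
    'https://video.example/watch', 'https://intranet.example/admin',
    'http://169.254.169.254/', 'http://[::1]/', 'file:///etc/passwd',
] as $url) {
    printf("%-32s %s\n", $url, is_public_fetch_target($url, $stub) ? 'allow' : 'block');
}
```

A check like this only holds if the subsequent fetch connects to the address that was vetted and re-runs the check on every redirect; otherwise a second DNS lookup or a redirect can still land on an internal address.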

Severity

Score: 7.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: LOW
I: LOW
A: NONE
Weakness (CWE): CWE-918

EPSS

Probability of exploitation (next 30 days): 0.0003 (0.0%)
Percentile: 7.2%
EPSS: 2026-05-06

Technical description

The PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the scan_video. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The SSRF is blind because fetched response bodies are only parsed internally for YouTube/Vimeo patterns and are never returned to the attacker.

Published: 5/2/2026, 6:16:04 AM
Last modified: 5/5/2026, 7:15:59 PM
