Skip to content
CVSS 7.2 · HIGH

CVE-2026-7049

The PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the scan_video. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The SSRF is blind because fetched response bodies are only parsed internally for YouTube/Vimeo patterns and are never returned to the attacker.

Ver en NVD

Análisis

The PixelYourSite Pro plugin for WordPress is vulnerable to unauthenticated Server-Side Request Forgery (SSRF). Attackers can trigger the server to make requests to internal or external services, although the response is not directly returned to the attacker.

Severidad

Puntaje: 7.2(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: LOW
I: LOW
A: NONE
Tipo de falla (CWE): CWE-918

EPSS

Probabilidad de explotación (próx. 30 días): 0.0003 (0.0%)
Percentil: 7.2%
EPSS: 2026-05-06

Descripción técnica

The PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the scan_video. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The SSRF is blind because fetched response bodies are only parsed internally for YouTube/Vimeo patterns and are never returned to the attacker.

Publicada: 2/5/2026, 6:16:04
Última modificación: 5/5/2026, 19:15:59

Referencias

InicioEventosBlogRecursosEquipo