CVE-2026-1844

HIGH

PixelYourSite Pro < 12.4.0.2 - Stored XSS via pysTrafficSource and pys_landing_page

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-1844. PoCs published by XiaomingX, adamshaikhma, tingvoshage22.

AI-analyzed exploit summary: The repository claims to provide a PoC for an unauthenticated stored XSS vulnerability in PixelYourSite PRO but lacks any actual exploit code. Instead, it directs users to an external download link (tinyurl), which is a common tactic for distributing malware or monetizing fake exploits.

Description

The PixelYourSite PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 12.4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Exploits (3)

github SUSPICIOUS 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-1844

The repository claims to provide a PoC for an unauthenticated stored XSS vulnerability in PixelYourSite PRO but lacks any actual exploit code. Instead, it directs users to an external download link (tinyurl), which is a common tactic for distributing malware or monetizing fake exploits.

Classification: Suspicious 95%
Attack Type: XSS
Complexity: Theoretical
Reliability: Theoretical
Target: PixelYourSite PRO for WordPress (versions up to and including 12.4.0.2)
No auth needed
Prerequisites: none specified
devstral-2 · analyzed Feb 27, 2026

nomisec SUSPICIOUS 2 stars
by adamshaikhma · poc
https://github.com/adamshaikhma/CVE-2026-1844

The repository claims to provide an exploit for CVE-2026-1844, a stored XSS vulnerability in PixelYourSite PRO, but only contains a README with a download link to an external source (tinyurl.com). No actual exploit code or technical details are provided.

Classification: Suspicious 90%
Attack Type: XSS
Complexity: Theoretical
Reliability: Theoretical
Target: PixelYourSite PRO WordPress plugin up to version 12.4.0.2
No auth needed
Prerequisites: Access to a vulnerable instance of PixelYourSite PRO
devstral-2 · analyzed Feb 16, 2026

nomisec SUSPICIOUS 1 star
by tingvoshage22 · poc
https://github.com/tingvoshage22/CVE-2026-1844-exploit

The repository claims to exploit an unauthenticated stored XSS vulnerability in PixelYourSite PRO but provides no actual exploit code, instead redirecting users to an external download link via a URL shortener.

Classification: Suspicious 90%
Attack Type: XSS
Complexity: Theoretical
Reliability: Theoretical
Target: PixelYourSite PRO WordPress plugin <= 12.4.0.2
No auth needed
Prerequisites: Access to a vulnerable WordPress instance with PixelYourSite PRO installed
devstral-2 · analyzed Feb 17, 2026

Scores

CVSS v3: 7.2
EPSS: 0.0028
EPSS Percentile: 19.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): pixelyoursite/PixelYourSite Pro – Your smart PIXEL (TAG) Manager < 12.4.0.2
Published: Feb 13, 2026
Tracked Since: Feb 18, 2026