CVE-2026-7049

HIGH

PixelYourSite Pro <= 12.5.0.1 - Unauthenticated Blind Server-Side Request Forgery via 'urls[]' Parameter

Title source: cna

Description

The PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the scan_video. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The SSRF is blind because fetched response bodies are only parsed internally for YouTube/Vimeo patterns and are never returned to the attacker.

References (10)

Core 10

Core References

https://www.wordfence.com/threat-intel/vulnerabilities/id/273e25aa-4c00-4463-afc5-d8b2433af064?source=cve

https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/trunk/includes/events/EmbeddedVideo.php#L83

https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.5.0/includes/events/EmbeddedVideo.php#L83

https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/trunk/includes/events/EmbeddedVideo.php#L66

https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.5.0/includes/events/EmbeddedVideo.php#L66

https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/trunk/includes/events/EmbeddedVideo.php#L92

https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.5.0/includes/events/EmbeddedVideo.php#L92

https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.4.1.1/includes/events/EmbeddedVideo.php#L83

https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.4.1.1/includes/events/EmbeddedVideo.php#L66

https://plugins.trac.wordpress.org/browser/pixelyoursite-pro/tags/12.4.1.1/includes/events/EmbeddedVideo.php#L92

Scores

CVSS v3 7.2

EPSS 0.0039

EPSS Percentile 30.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (1)

pixelyoursite/PixelYourSite Pro – Your smart PIXEL (TAG) Manager < 12.5.0.1

Published May 02, 2026

Tracked Since May 02, 2026