Search criteria
4 vulnerabilities found for PixelYourSite – Your smart PIXEL (TAG) & API Manager by pixelyoursite
CVE-2025-10588 (GCVE-0-2025-10588)
Vulnerability from cvelistv5 – Published: 2025-10-22 06:40 – Updated: 2025-10-22 13:32
VLAI?
Summary
The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pixelyoursite | PixelYourSite – Your smart PIXEL (TAG) & API Manager |
Affected:
* , ≤ 11.1.2
(semver)
|
Credits
Dmitrii Ignatyev
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10588",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T13:32:43.549408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:32:51.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "11.1.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T06:40:57.974Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53c25e24-fac6-404c-be6c-678a383b48a1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3379001/pixelyoursite"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-10T09:23:52.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-21T17:47:54.000+00:00",
"value": "Disclosed"
}
],
"title": "PixelYourSite \u003c= 11.1.2 \u2013 Cross-Site Request Forgery to GDPR Options Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10588",
"datePublished": "2025-10-22T06:40:57.974Z",
"dateReserved": "2025-09-16T22:42:49.411Z",
"dateUpdated": "2025-10-22T13:32:51.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7870 (GCVE-0-2024-7870)
Vulnerability from cvelistv5 – Published: 2024-09-04 08:30 – Updated: 2024-09-04 14:10
VLAI?
Summary
The PixelYourSite – Your smart PIXEL (TAG) & API Manager and the PixelYourSite PRO plugins for WordPress are vulnerable to Sensitive Information Exposure in all versions up to, and including, 9.7.1 and 10.4.2, respectively, through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, and to delete log files.
Severity ?
6.5 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| pixelyoursite | PixelYourSite Pro – Your smart PIXEL (TAG) Manager |
Affected:
* , ≤ 10.4.2
(semver)
|
|||||||
|
|||||||||
Credits
Grant Grubbs
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pixelyoursite:pixelyoursite_pro:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "pixelyoursite_pro",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "10.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:pixelyoursite:pixelyoursite:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "pixelyoursite",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "9.7.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T14:08:38.834612Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T14:10:13.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PixelYourSite Pro \u2013 Your smart PIXEL (TAG) Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "10.4.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "9.7.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Grant Grubbs"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager and the PixelYourSite PRO plugins for WordPress are vulnerable to Sensitive Information Exposure in all versions up to, and including, 9.7.1 and 10.4.2, respectively, through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, and to delete log files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T08:30:37.877Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7fd7a515-6389-4152-8dac-d5497dd94f6d?source=cve"
},
{
"url": "https://github.com/WordpressPluginDirectory/pixelyoursite/blob/main/pixelyoursite/includes/logger/class-pys-logger.php#L126"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite/trunk/includes/class-pys.php#L114"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3143047/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-03T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager \u003c= 9.7.1 and PixelYourSite PRO \u003c= 10.4.2 - Unauthenticated Information Exposure and Log Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7870",
"datePublished": "2024-09-04T08:30:37.877Z",
"dateReserved": "2024-08-15T23:51:21.000Z",
"dateUpdated": "2024-09-04T14:10:13.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10588 (GCVE-0-2025-10588)
Vulnerability from nvd – Published: 2025-10-22 06:40 – Updated: 2025-10-22 13:32
VLAI?
Summary
The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pixelyoursite | PixelYourSite – Your smart PIXEL (TAG) & API Manager |
Affected:
* , ≤ 11.1.2
(semver)
|
Credits
Dmitrii Ignatyev
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10588",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T13:32:43.549408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:32:51.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "11.1.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T06:40:57.974Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53c25e24-fac6-404c-be6c-678a383b48a1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3379001/pixelyoursite"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-10T09:23:52.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-21T17:47:54.000+00:00",
"value": "Disclosed"
}
],
"title": "PixelYourSite \u003c= 11.1.2 \u2013 Cross-Site Request Forgery to GDPR Options Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10588",
"datePublished": "2025-10-22T06:40:57.974Z",
"dateReserved": "2025-09-16T22:42:49.411Z",
"dateUpdated": "2025-10-22T13:32:51.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7870 (GCVE-0-2024-7870)
Vulnerability from nvd – Published: 2024-09-04 08:30 – Updated: 2024-09-04 14:10
VLAI?
Summary
The PixelYourSite – Your smart PIXEL (TAG) & API Manager and the PixelYourSite PRO plugins for WordPress are vulnerable to Sensitive Information Exposure in all versions up to, and including, 9.7.1 and 10.4.2, respectively, through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, and to delete log files.
Severity ?
6.5 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| pixelyoursite | PixelYourSite Pro – Your smart PIXEL (TAG) Manager |
Affected:
* , ≤ 10.4.2
(semver)
|
|||||||
|
|||||||||
Credits
Grant Grubbs
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pixelyoursite:pixelyoursite_pro:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "pixelyoursite_pro",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "10.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:pixelyoursite:pixelyoursite:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "pixelyoursite",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "9.7.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T14:08:38.834612Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T14:10:13.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PixelYourSite Pro \u2013 Your smart PIXEL (TAG) Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "10.4.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "9.7.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Grant Grubbs"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager and the PixelYourSite PRO plugins for WordPress are vulnerable to Sensitive Information Exposure in all versions up to, and including, 9.7.1 and 10.4.2, respectively, through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, and to delete log files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T08:30:37.877Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7fd7a515-6389-4152-8dac-d5497dd94f6d?source=cve"
},
{
"url": "https://github.com/WordpressPluginDirectory/pixelyoursite/blob/main/pixelyoursite/includes/logger/class-pys-logger.php#L126"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite/trunk/includes/class-pys.php#L114"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3143047/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-03T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager \u003c= 9.7.1 and PixelYourSite PRO \u003c= 10.4.2 - Unauthenticated Information Exposure and Log Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7870",
"datePublished": "2024-09-04T08:30:37.877Z",
"dateReserved": "2024-08-15T23:51:21.000Z",
"dateUpdated": "2024-09-04T14:10:13.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}