Refine your search
4 vulnerabilities found for PixelYourSite – Your smart PIXEL (TAG) & API Manager by pixelyoursite
CVE-2025-14280 (GCVE-0-2025-14280)
Vulnerability from nvd
Published
2025-12-29 18:20
Modified
2025-12-29 18:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the "Meta API logs" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pixelyoursite | PixelYourSite – Your smart PIXEL (TAG) & API Manager |
Version: * ≤ 11.1.5 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "11.1.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Marcin Dudek"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the \"Meta API logs\" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T18:20:49.929Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0fe77926-8a43-42ce-9d3d-3aac2334dcbd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite/tags/11.1.4.2/includes/logger/class-pys-logger.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3424175/pixelyoursite"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3416113/pixelyoursite"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-08T17:33:13.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-29T05:47:53.000+00:00",
"value": "Disclosed"
}
],
"title": "PixelYourSite \u003c= 11.1.5 - Sensitive Information Exposure via Log File"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14280",
"datePublished": "2025-12-29T18:20:49.929Z",
"dateReserved": "2025-12-08T17:15:54.201Z",
"dateUpdated": "2025-12-29T18:20:49.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10588 (GCVE-0-2025-10588)
Vulnerability from nvd
Published
2025-10-22 06:40
Modified
2025-12-18 17:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pixelyoursite | PixelYourSite – Your smart PIXEL (TAG) & API Manager |
Version: * ≤ 11.1.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10588",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T13:32:43.549408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:32:51.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "11.1.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T17:54:14.999Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53c25e24-fac6-404c-be6c-678a383b48a1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3379001/pixelyoursite"
},
{
"url": "https://research.cleantalk.org/cve-2025-10588/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-10T09:23:52.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-21T17:47:54.000+00:00",
"value": "Disclosed"
}
],
"title": "PixelYourSite \u003c= 11.1.2 \u2013 Cross-Site Request Forgery to GDPR Options Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10588",
"datePublished": "2025-10-22T06:40:57.974Z",
"dateReserved": "2025-09-16T22:42:49.411Z",
"dateUpdated": "2025-12-18T17:54:14.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14280 (GCVE-0-2025-14280)
Vulnerability from cvelistv5
Published
2025-12-29 18:20
Modified
2025-12-29 18:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the "Meta API logs" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pixelyoursite | PixelYourSite – Your smart PIXEL (TAG) & API Manager |
Version: * ≤ 11.1.5 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "11.1.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Marcin Dudek"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the \"Meta API logs\" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T18:20:49.929Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0fe77926-8a43-42ce-9d3d-3aac2334dcbd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pixelyoursite/tags/11.1.4.2/includes/logger/class-pys-logger.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3424175/pixelyoursite"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3416113/pixelyoursite"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-08T17:33:13.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-29T05:47:53.000+00:00",
"value": "Disclosed"
}
],
"title": "PixelYourSite \u003c= 11.1.5 - Sensitive Information Exposure via Log File"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14280",
"datePublished": "2025-12-29T18:20:49.929Z",
"dateReserved": "2025-12-08T17:15:54.201Z",
"dateUpdated": "2025-12-29T18:20:49.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10588 (GCVE-0-2025-10588)
Vulnerability from cvelistv5
Published
2025-10-22 06:40
Modified
2025-12-18 17:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pixelyoursite | PixelYourSite – Your smart PIXEL (TAG) & API Manager |
Version: * ≤ 11.1.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10588",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T13:32:43.549408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:32:51.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager",
"vendor": "pixelyoursite",
"versions": [
{
"lessThanOrEqual": "11.1.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PixelYourSite \u2013 Your smart PIXEL (TAG) \u0026 API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T17:54:14.999Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53c25e24-fac6-404c-be6c-678a383b48a1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3379001/pixelyoursite"
},
{
"url": "https://research.cleantalk.org/cve-2025-10588/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-10T09:23:52.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-21T17:47:54.000+00:00",
"value": "Disclosed"
}
],
"title": "PixelYourSite \u003c= 11.1.2 \u2013 Cross-Site Request Forgery to GDPR Options Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10588",
"datePublished": "2025-10-22T06:40:57.974Z",
"dateReserved": "2025-09-16T22:42:49.411Z",
"dateUpdated": "2025-12-18T17:54:14.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}