PixelYourSite Pro Plugin SSRF Vulnerability (CVE-2026-7049)
The PixelYourSite Pro plugin for WordPress, a popular tag manager, is vulnerable to a high-severity Server-Side Request Forgery (SSRF) flaw, identified as CVE-2026-7049. The National Vulnerability Database reports this affects all plugin versions up to and including 12.5.0.1. The vulnerability resides in the scan_video function, allowing unauthenticated attackers to initiate web requests from the compromised WordPress application to arbitrary internal or external locations.
This SSRF is blind, meaning the fetched response bodies are not directly returned to the attacker. Instead, the plugin internally parses them for YouTube/Vimeo patterns. Despite being blind, this vulnerability still poses a significant risk. Attackers can leverage it to query and potentially modify information from internal services, map internal networks, or trigger actions on other systems accessible from the web server. The CVSS score of 7.2 (HIGH) reflects the broad attack vector (network-exploitable, no privileges, no user interaction) and the high impact on confidentiality and integrity, even if indirectly.
For defenders, this means any WordPress site running PixelYourSite Pro is a potential pivot point. The attacker’s calculus here is clear: blind SSRF is a valuable foothold. It allows reconnaissance of internal infrastructure and can bypass perimeter defenses by using the web server as an unwitting proxy. Even without direct data exfiltration, the ability to interact with internal services can lead to further compromise or data manipulation.
What This Means For You
- If your organization uses WordPress with the PixelYourSite Pro plugin, you need to prioritize patching. Immediately upgrade to a version beyond 12.5.0.1. Review your web application firewall (WAF) rules to identify and block suspicious outbound requests originating from your WordPress instances, especially those targeting internal IP ranges or unusual external services. Assume compromise if you cannot confirm patching.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
PixelYourSite Pro Plugin SSRF via scan_video - CVE-2026-7049
title: PixelYourSite Pro Plugin SSRF via scan_video - CVE-2026-7049
id: scw-2026-05-02-ai-1
status: experimental
level: high
description: |
Detects requests to the PixelYourSite Pro plugin's AJAX endpoint with the 'scan_video' action, which is vulnerable to SSRF (CVE-2026-7049). This allows unauthenticated attackers to perform requests from the web server to arbitrary locations, potentially querying internal services.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-7049/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- 'action=pys_ajax'
- 'pys_ajax_action=scan_video'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7049 | SSRF | PixelYourSite Pro plugin for WordPress |
| CVE-2026-7049 | SSRF | Versions up to, and including, 12.5.0.1 |
| CVE-2026-7049 | SSRF | Vulnerable function: scan_video |
| CVE-2026-7049 | SSRF | Unauthenticated attacker |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 02, 2026 at 09:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-7605 — JeecgBoot Server-Side Request Forgery
CVE-2026-7605 — A security flaw has been discovered in JeecgBoot up to 3.9.1. This vulnerability affects the function CommonController.uploadImgByHttp/HttpFileToMultipartFileUtil.httpFileToMultipartFile/HttpFileToMultipartFileUtil.downloadImageData of the file CommonController.java of the...
WordPress Profile Builder Pro: Unauthenticated PHP Object Injection Risks Site Takeover
CVE-2026-7647 — The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is...
CVE-2026-6916 — Cross-Site Scripting (XSS)
CVE-2026-6916 — The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site...