PixelYourSite WordPress Plugin Vulnerable to Stored XSS (CVE-2026-7613)
The Cost of Goods by PixelYourSite plugin for WordPress, specifically versions up to and including 1.2.12, is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. The National Vulnerability Database has assigned CVE-2026-7613 to this flaw, which stems from insufficient input sanitization and output escaping of the csvdata[0][cost_of_goods_value] parameter.
This oversight allows unauthenticated attackers to inject arbitrary web scripts. These malicious scripts then execute whenever a user accesses a page containing the injected content. The National Vulnerability Database assesses this with a CVSS score of 7.2 (HIGH), indicating a significant risk given its network-based attack vector and low attack complexity.
For defenders, this means a direct path for attackers to compromise user sessions, deface websites, or redirect users to malicious sites. The lack of authentication required for exploitation broadens the attack surface considerably. CISOs must understand that even seemingly benign plugins can introduce severe security risks if not rigorously secured.
What This Means For You
- If your organization uses the Cost of Goods by PixelYourSite plugin on your WordPress sites, assume the potential for compromise. Immediately verify your plugin version and update to a patched release. Audit your site for any unusual script injections, especially on pages that display data processed by this plugin.
🛡️ Detection Rules
CVE-2026-7613 - PixelYourSite Stored XSS via csvdata parameter
```yaml
title: CVE-2026-7613 - PixelYourSite Stored XSS via csvdata parameter
id: scw-2026-05-20-ai-1
status: experimental
level: high
description: |
  Detects the specific POST request pattern targeting the 'csvdata[0][cost_of_goods_value]' parameter in the PixelYourSite plugin, which is vulnerable to Stored XSS (CVE-2026-7613). This indicates an attempt to inject malicious scripts into the WordPress site.
author: SCW Feed Engine (AI-generated)
date: 2026-05-20
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7613/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # Matches only when the parameter appears in the URI query string.
    # Parameters sent in the POST body are not visible to this field
    # unless request bodies are logged.
    cs-uri-query|contains:
      - 'csvdata%5B0%5D%5Bcost_of_goods_value%5D='
      # Same parameter with literal (unencoded) brackets.
      - 'csvdata[0][cost_of_goods_value]='
    cs-method:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
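The rule above matches the parameter name only. As an added example (not part of the original rule or the plugin's code), the following log triage script goes one step further for any row index: it decodes the request and flags `cost_of_goods_value` values that are not plain numbers. It assumes combined-format access logs, that a legitimate cost value is a decimal number, and uses a placeholder endpoint path and documentation-range addresses in its constructed sample lines.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter named in the advisory, for any CSV row index.
PARAM_RE = re.compile(r"csvdata\[\d+\]\[cost_of_goods_value\]")
# Assumption: a legitimate cost value is a plain decimal number.
NUMERIC_RE = re.compile(r"\d+(?:[.,]\d+)?")
# Request part of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_values(encoded):
    """Return (name, value) pairs where the cost field is not a plain number.

    parse_qsl percent-decodes names and values, so %5B, %5b and a literal
    '[' all normalise to the same parameter name.
    """
    return [(name, value) for name, value in parse_qsl(encoded)
            if PARAM_RE.fullmatch(name)
            and not NUMERIC_RE.fullmatch(value.strip())]

def scan_access_log(lines):
    """Return (line_no, method, name, value) for each suspicious parameter."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue  # not a parseable request line
        query = urlsplit(match.group("target")).query
        for name, value in suspicious_values(query):
            findings.append((line_no, match.group("method"), name, value))
    return findings

# Constructed sample lines; path and addresses are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "POST /placeholder-endpoint?csvdata%5B0%5D%5Bcost_of_goods_value%5D=12.50 HTTP/1.1" 200 31',
    '203.0.113.8 - - [01/Jan/2026:10:00:05 +0000] "POST /placeholder-endpoint?csvdata%5B0%5D%5Bcost_of_goods_value%5D=%3Cb%3E5%3C%2Fb%3E HTTP/1.1" 200 31',
    '198.51.100.9 - - [01/Jan/2026:10:00:09 +0000] "POST /placeholder-endpoint?csvdata%5b1%5d%5bcost_of_goods_value%5d=7 HTTP/1.1" 200 31',
    '198.51.100.9 - - [01/Jan/2026:10:00:12 +0000] "POST /placeholder-endpoint?csvdata[2][cost_of_goods_value]=%3Ci%3E9 HTTP/1.1" 200 31',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Standard access logs do not record POST bodies; where a WAF or audit log captures the form-encoded body, pass that string to `suspicious_values` directly.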
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7613 | Vulnerability | CVE-2026-7613 |
| CVE-2026-7613 | Affected Product | versions |
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 20, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.