CVE-2026-7049: High Vulnerability in WordPress PixelYourSite Pro Plugin

A high-severity Server-Side Request Forgery (SSRF) vulnerability exists in the PixelYourSite Pro plugin for WordPress. All versions up to 12.5.0.1 are affected, allowing unauthenticated attackers to exploit internal services. Immediate patching is recommended.

Severity: HIGH · CVSS 7.2 · Published May 2, 2026

The PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to, and including, 12.5.0.1 via the scan_video. This vulnerability allows unauthenticated attackers to make web requests to arbitrary locations originating from the web application. Such exploits can be used to query and modify information from internal services. The SSRF is blind because fetched response bodies are only parsed internally for YouTube/Vimeo patterns and are never returned to the attacker.

The CVSS score for this vulnerability is 7.2, classified as high severity. This level of severity indicates a significant risk to organizations that utilize this plugin, particularly considering the potential for unauthorized access to internal services.

Risk to organizations includes unauthorized access to internal resources, which could lead to data leakage or manipulation. Attackers may leverage this vulnerability to interact with sensitive systems that are not intended for public access.

Organizations should prioritize patching immediately. Failing to address this vulnerability could expose internal services to unauthorized exploitation.

Vulnerability Details

The PixelYourSite Pro plugin contains a Server-Side Request Forgery (SSRF) flaw that lets unauthenticated attackers send requests to arbitrary locations. The CVSS score of 7.2 reflects high severity with low attack complexity and no privileges required. The vulnerability was published on May 2, 2026.

The CWE classification for this vulnerability is CWE-918.

Technical Analysis

The root cause is improper validation of user-supplied input, which lets an attacker direct server-side requests at internal networks. The attack vector is network-based and requires no user interaction; attack complexity is low, which makes the flaw straightforward to exploit. The impact on confidentiality and integrity is rated low, and the availability impact is none.

Risk & Impact Analysis

Organizations face real-world risks associated with this vulnerability, particularly those using the affected versions of the PixelYourSite Pro plugin. The potential for unauthorized access to internal services poses a critical threat, especially for organizations that handle sensitive data.

The blast radius for this vulnerability could extend to numerous services within an organization, depending on the network configuration and internal policies. Organizations should address this vulnerability in their priority patch cycle to mitigate any potential risks.

Signal / Status

Known Exploit: No
Public PoC: No
Actively Exploited: No
Ransomware Use: No

Affected Versions

All versions prior to vendor patch are affected, specifically versions up to and including 12.5.0.1.

Mitigation & Remediation

To remediate this vulnerability, organizations should update to the latest version of the PixelYourSite Pro plugin. If an immediate update is not possible, restrict the web server's egress to internal services with network controls and monitor for unusual outbound activity. For further assistance, organizations may seek penetration testing to validate their security posture.
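As an added illustration of the validation the mitigation implies (this is example code written for this note, not the plugin's own PHP), the check below allowlists the hosts a video-embed scanner legitimately needs and refuses any name that resolves to a non-public address. It assumes the feature only needs YouTube/Vimeo hosts and takes a resolver argument so the constructed sample cases run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts the video scanner legitimately needs to reach. Assumption: the feature
# only looks for YouTube/Vimeo embeds, as the advisory describes.
ALLOWED_HOSTS = {"youtube.com", "www.youtube.com", "youtu.be", "vimeo.com", "player.vimeo.com"}


def is_public_address(text):
    """True only for globally routable unicast addresses (rejects RFC 1918,
    loopback, link-local/169.254 metadata ranges, multicast, reserved)."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def static_resolver(table):
    """Constructed stand-in for socket.getaddrinfo so the checks run offline."""
    def resolve(host, port, *args, **kwargs):
        if host not in table:
            raise socket.gaierror("no such host")
        return [(None, None, None, "", (addr, port)) for addr in table[host]]
    return resolve


def validate_video_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). Allowlist the host, then verify every address it
    resolves to is public, so a DNS name pointing at 10.0.0.5 is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    if parts.port not in (None, 80, 443):
        return False, "port not allowed"
    try:
        infos = resolver(host, parts.port or 443, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):
        return False, "dns resolution failed"
    addrs = {info[4][0] for info in infos}
    if not addrs or not all(is_public_address(a) for a in addrs):
        return False, "host resolves to a non-public address"
    # The caller should then connect to one of `addrs` (not re-resolve) and
    # either refuse redirects or re-run this check on each Location target.
    return True, "ok"
```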

Detection Guidance

Organizations should monitor logs for unexpected outbound traffic from the web server, which may indicate SSRF exploitation. Internal services should also be watched for anomalous request patterns, especially requests that originate from the web application host.

AppSecure Threat Intelligence Insight

The long-term significance of this vulnerability lies in the ongoing risk that SSRF poses to web applications. Security teams should be aware of the patterns that give rise to such flaws and review their input validation mechanisms. For further information on securing web applications, organizations are encouraged to explore our web application penetration testing guide. Defensive measures against SSRF are also covered in our cloud penetration testing guide. Finally, our vulnerability management program design article reviews current trends in vulnerability management and offers insights into proactive risk mitigation.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
