CVE-2026-27072
Stored XSS in PixelYourSite Plugin Allows Persistent Script Injection
Publication date: 2026-02-20
Last updated on: 2026-02-23
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pixelyoursite | pixelyoursite | up to and including 11.2.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27072 is a medium priority Cross Site Scripting (XSS) vulnerability affecting the WordPress plugin "PixelYourSite – Your smart PIXEL (TAG) Manager" versions up to and including 11.2.0.1.
This vulnerability allows an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, that execute when visitors access the compromised site.
Exploitation requires user interaction by a privileged user performing actions like clicking a malicious link, visiting a crafted page, or submitting a form.
The vulnerability falls under the OWASP Top 10 category A3: Injection. [1]
How can this vulnerability impact me?
This vulnerability can lead to the execution of malicious scripts on your website, which may result in unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads.
Such attacks can compromise the integrity and trustworthiness of your website, potentially harming your users and damaging your reputation.
Exploitation depends on privileged user interaction, meaning attackers may trick authorized users into triggering the malicious scripts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Stored Cross Site Scripting (XSS) issue in the PixelYourSite WordPress plugin versions up to 11.2.0.1. Detection involves identifying if your site is running a vulnerable version of the plugin and monitoring for suspicious script injections or unusual behavior triggered by user interactions.
While no specific commands are provided in the resources, general detection steps include:
- Check the installed version of the PixelYourSite plugin to see if it is version 11.2.0.1 or earlier.
- Review web server logs and application logs for unusual requests or payloads containing script tags or suspicious HTML.
- Use web vulnerability scanners that can detect stored XSS vulnerabilities in WordPress plugins.
- Manually test input fields or forms managed by the plugin by submitting typical XSS payloads to see if they are improperly sanitized and reflected.
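The version check and log review described above, as an added Python example that is not part of this advisory or of the plugin: it reads the plugin version from the WordPress plugin header comment the way WordPress itself does (the plugin directory name pixelyoursite is taken from the advisory; the main file name is deliberately not assumed) and flags access-log requests whose decoded target carries script-like content. The plugin header and log lines are constructed sample data.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# From the advisory: vulnerable up to and including 11.2.0.1, fixed in 11.2.0.2.
LAST_VULNERABLE = (11, 2, 0, 1)
PLUGIN_SLUG = "pixelyoursite"  # directory under wp-content/plugins/
def parse_version(text):
    """'11.2.0.1' -> (11, 2, 0, 1); shorter strings are right-padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:4]
    return tuple(nums + [0] * (4 - len(nums)))
def is_vulnerable_version(version):
    return parse_version(version) <= LAST_VULNERABLE
# WordPress takes the plugin version from a 'Version:' line in the main file's header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][\w.\-]*)", re.MULTILINE)
def version_from_header(php_source):
    m = HEADER_RE.search(php_source)
    return m.group(1) if m else None

def check_plugin_dir(plugins_root):
    """Return (version, vulnerable) for the plugin, or (None, False) if it is not installed.
    Every top-level .php file is scanned, as WordPress does, so the main file name is not assumed."""
    plugin_dir = Path(plugins_root, PLUGIN_SLUG)
    if not plugin_dir.is_dir():
        return None, False
    for php in plugin_dir.glob("*.php"):
        v = version_from_header(php.read_text(errors="ignore"))
        if v:
            return v, is_vulnerable_version(v)
    return None, False

# Log review: flag requests whose decoded target carries script tags or inline event handlers.
SUSPICIOUS_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)

def suspicious_requests(log_lines):
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        target = unquote(unquote(m.group(1))) if m else line  # double-decode also catches %253C
        if SUSPICIOUS_RE.search(target):
            hits.append(line)
    return hits

# Constructed sample data (not from the advisory) exercising both checks.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: PixelYourSite\nVersion: 11.2.0.1\n*/\n"
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Feb/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=pixelyoursite HTTP/1.1" 200 5120',
    '203.0.113.5 - - [20/Feb/2026:10:00:09 +0000] "POST /wp-admin/admin.php?page=pixelyoursite&name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0',
    '198.51.100.7 - - [20/Feb/2026:10:01:00 +0000] "GET /?s=version_id%3D5 HTTP/1.1" 200 8012',  # benign, must not match
]
```

Run `check_plugin_dir("/var/www/html/wp-content/plugins")` (path assumed) against a real install; any hit from `suspicious_requests` is a lead to review, not proof of exploitation.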
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to update the PixelYourSite plugin to version 11.2.0.2 or later, where the vulnerability is patched.
Until the update can be applied, it is recommended to implement Patchstack's mitigation rules to block attacks targeting this vulnerability.
Additionally, consider restricting privileged user interactions that could trigger the exploit, such as avoiding clicking suspicious links or submitting untrusted forms.
Enabling automatic updates for vulnerable plugins can also help ensure timely patching in the future. [1]