CVE-2026-1844 in PixelYourSite Pro Plugin
Summary
by MITRE • 02/14/2026
The PixelYourSite PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 12.4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/20/2026
The vulnerability identified as CVE-2026-1844 affects the PixelYourSite PRO plugin for WordPress, representing a critical stored cross-site scripting vulnerability that undermines the security integrity of affected websites. This flaw exists in all plugin versions up to and including 12.4.0.2, making it a widespread concern for WordPress administrators who have not yet updated their installations. The vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase, creating a persistent threat vector that can be exploited by unauthenticated attackers without requiring any privileged access or credentials.
The technical exploitation of this vulnerability occurs through two specific parameters: 'pysTrafficSource' and 'pys_landing_page' which are processed by the plugin without proper validation or sanitization. When these parameters receive malicious input containing script code, the plugin fails to adequately escape or filter the content before storing it in the database or rendering it in subsequent page outputs. This stored malicious content becomes executable whenever any user accesses a page that contains the injected script, effectively turning every affected page into a potential attack vector. The vulnerability maps directly to CWE-79, which defines Cross-Site Scripting (XSS) as a weakness where untrusted data is improperly incorporated into web page content without proper validation or escaping.
The operational impact of CVE-2026-1844 extends beyond simple script execution, as it provides attackers with the capability to perform various malicious activities including session hijacking, credential theft, and redirection to malicious websites. Attackers can craft payloads that exploit the stored XSS vulnerability to steal administrator cookies, potentially gaining full control over affected WordPress installations. The unauthenticated nature of this attack means that any visitor to the compromised site could be targeted, making it particularly dangerous for high-traffic websites or those with significant user engagement. This vulnerability also aligns with ATT&CK technique T1566.001, which describes the use of web shells and malicious scripts to establish persistence and maintain access to compromised systems.
Mitigation strategies for this vulnerability must include immediate plugin updates to version 12.4.0.3 or later, which contain the necessary patches to address the input sanitization issues. WordPress administrators should also implement additional security measures such as input validation at multiple layers, comprehensive output escaping for all dynamic content, and regular security audits of plugin installations. The vulnerability demonstrates the critical importance of proper input validation and output escaping practices, which are fundamental requirements in secure coding standards and should be implemented according to OWASP Top Ten security guidelines. Organizations should also consider implementing web application firewalls and monitoring systems to detect and prevent exploitation attempts, while maintaining regular backups to ensure rapid recovery in case of successful attacks.