{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27072", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:51.341Z", "datePublished": "2026-02-20T15:47:09.356Z", "dateUpdated": "2026-04-28T16:15:01.074Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "pixelyoursite", "product": "PixelYourSite \u2013 Your smart PIXEL (TAG) Manager", "vendor": "PixelYourSite", "versions": [{"changes": [{"at": "11.2.0.2", "status": "unaffected"}], "lessThanOrEqual": "11.2.0.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:13.870Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixelYourSite PixelYourSite \u2013 Your smart PIXEL (TAG) Manager pixelyoursite allows Stored XSS.<p>This issue affects PixelYourSite \u2013 Your smart PIXEL (TAG) Manager: from n/a through <= 11.2.0.1.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixelYourSite PixelYourSite \u2013 Your smart PIXEL (TAG) Manager pixelyoursite allows Stored XSS.This issue affects PixelYourSite \u2013 Your smart PIXEL (TAG) Manager: from n/a through <= 11.2.0.1."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:01.074Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/pixelyoursite/vulnerability/wordpress-pixelyoursite-your-smart-pixel-tag-manager-plugin-11-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress PixelYourSite \u2013 Your smart PIXEL (TAG) Manager plugin <= 11.2.0.1 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T14:33:54.711668Z", "id": "CVE-2026-27072", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:52:10.354Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27072", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T14:33:54.711668Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T14:32:35.409Z"}}], "cna": {"title": "WordPress PixelYourSite \u2013 Your smart PIXEL (TAG) Manager plugin <= 11.2.0.1 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "PixelYourSite", "product": "PixelYourSite \u2013 Your smart PIXEL (TAG) Manager", "versions": [{"status": "affected", "changes": [{"at": "11.2.0.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "11.2.0.1"}], "packageName": "pixelyoursite", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:55.005Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/pixelyoursite/vulnerability/wordpress-pixelyoursite-your-smart-pixel-tag-manager-plugin-11-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixelYourSite PixelYourSite \u2013 Your smart PIXEL (TAG) Manager pixelyoursite allows Stored XSS.This issue affects PixelYourSite \u2013 Your smart PIXEL (TAG) Manager: from n/a through <= 11.2.0.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixelYourSite PixelYourSite \u2013 Your smart PIXEL (TAG) Manager pixelyoursite allows Stored XSS.<p>This issue affects PixelYourSite \u2013 Your smart PIXEL (TAG) Manager: from n/a through <= 11.2.0.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:50.717Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27072", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:52:10.354Z", "dateReserved": "2026-02-17T13:23:51.341Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:47:09.356Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixelYourSite PixelYourSite \u2013 Your smart PIXEL (TAG) Manager pixelyoursite allows Stored XSS.This issue affects PixelYourSite \u2013 Your smart PIXEL (TAG) Manager: from n/a through <= 11.2.0.1."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') en PixelYourSite PixelYourSite \u2013 Your smart PIXEL (TAG) Manager pixelyoursite permite XSS Almacenado. Este problema afecta a PixelYourSite \u2013 Your smart PIXEL (TAG) Manager: desde n/a hasta &lt;= 11.2.0.1."}], "id": "CVE-2026-27072", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:45.037", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/pixelyoursite/vulnerability/wordpress-pixelyoursite-your-smart-pixel-tag-manager-plugin-11-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.2.0.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "PixelYourSite \u2013 Your smart PIXEL (TAG) Manager", "source": "cna", "vendor": "PixelYourSite"}, "product": "pixelyoursite_\u2013_your_smart_pixel_(tag)_manager", "vendor": "pixelyoursite"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T23:56:53.948879+00:00", "value": {"mitigation_remediation": ["Update the PixelYourSite \u2013 Your smart PIXEL (TAG) Manager plugin to version 11.2.0.2 or newer. ", "Remove or sanitize any pixel tags that were added before the update to eliminate existing malicious scripts. ", "Review other installed plugins and custom code for similar input handling weaknesses, and apply updates or patches as needed."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting in the PixelYourSite plugin."}, "threat_synthesis": {"affected_systems": "WordPress sites that use the PixelYourSite \u2013 Your smart PIXEL (TAG) Manager plugin at versions n/a through 11.2.0.1. This includes any site where the plugin is installed and active.", "description_and_impact": "The PixelYourSite \u2013 Your smart PIXEL (TAG) Manager plugin allows stored cross\u2011site scripting by improperly neutralizing user input during web page generation. This flaw permits an attacker who can add or edit pixel tags to inject malicious JavaScript into the admin interface or the front\u2011end of a WordPress site. The impact is key\u2011logging, session hijacking, or other client\u2011side attacks that threaten confidentiality and integrity, with the potential to affect all users who view the compromised site. The vulnerability is classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high potential for damage, while the EPSS score of less than 1% suggests low exploitation probability at this time. The flaw is not listed in the CISA KEV catalog, but the risk is elevated if an attacker can achieve the necessary privileges to create or modify pixel tags. An attacker with sufficient access can leverage the stored XSS to compromise visitors or administrators of the affected WordPress installation."}}}}, "created": "2026-02-23T14:35:48.220679+00:00", "updated": "2026-04-16T00:00:14.156446+00:00", "vendors": ["pixelyoursite", "pixelyoursite$PRODUCT$pixelyoursite_\u2013_your_smart_pixel_(tag)_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}