CVE-2026-7049 Overview
CVE-2026-7049 is a Server-Side Request Forgery (SSRF) vulnerability in the PixelYourSite Pro WordPress plugin, affecting all versions up to and including 12.5.0.1. The flaw resides in the scan_video functionality and allows unauthenticated attackers to coerce the WordPress server into making arbitrary outbound HTTP requests. Attackers can leverage the vulnerable endpoint to query and interact with internal services that would otherwise be unreachable from the public internet. The issue is tracked under [CWE-918] and is documented in the Wordfence Vulnerability Analysis.
Critical Impact
Unauthenticated remote attackers can pivot through vulnerable WordPress sites to reach internal infrastructure, cloud metadata endpoints, and other services that trust the originating host.
Affected Products
- PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress
- All versions through 12.5.0.1
- WordPress sites running the vulnerable EmbeddedVideo.php component
Discovery Timeline
- 2026-05-02 - CVE-2026-7049 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7049
Vulnerability Analysis
The vulnerability stems from the plugin's scan_video handler within includes/events/EmbeddedVideo.php. The handler accepts a user-supplied URL and issues a server-side HTTP request without enforcing destination allowlists or scheme restrictions. Because no authentication is required to reach the endpoint, any remote attacker can drive outbound traffic from the WordPress host.
The SSRF is classified as blind. Response bodies are parsed internally for YouTube and Vimeo embed patterns and are never returned to the requester. Attackers therefore cannot directly exfiltrate response content, but they can still infer service state through timing, error behavior, and side effects of the triggered requests.
In CVSS terms the scope is changed because requests originate from the WordPress server's network position. This enables interaction with localhost services, cloud instance metadata services, and internal HTTP APIs that rely on network-layer trust.
Root Cause
The root cause is missing validation of the user-controlled URL passed to the video scanning routine. The plugin trusts the input as a media reference and forwards it to an HTTP fetcher without verifying the host, IP range, or protocol. Reference lines 66, 83, and 92 of EmbeddedVideo.php show the unsafe fetch sequence in the WordPress plugin trunk source.
Attack Vector
An unauthenticated attacker sends a crafted request to the public WordPress endpoint that invokes scan_video, supplying a URL targeting an internal resource such as http://127.0.0.1, http://169.254.169.254, or an internal RFC1918 address. The server executes the outbound request, and the attacker observes blind SSRF side effects. No user interaction is required.
The vulnerability is described in prose because no verified public proof-of-concept code is available. See the Wordfence Vulnerability Analysis for additional technical context.
Detection Methods for CVE-2026-7049
Indicators of Compromise
- Outbound HTTP requests from WordPress hosts to internal IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) originating from PHP worker processes.
- Web server access logs showing unauthenticated requests invoking scan_video with URL parameters pointing to non-video destinations.
- Repeated requests to the cloud metadata endpoint 169.254.169.254 from the WordPress application server.
Detection Strategies
- Inspect access logs for high-frequency calls to PixelYourSite Pro AJAX or REST routes referencing scan_video and unusual url parameters.
- Correlate WordPress process network telemetry with outbound destinations that are not on the YouTube or Vimeo content delivery networks.
- Alert on PHP-FPM or Apache child processes initiating connections to link-local, loopback, or private network ranges.
Monitoring Recommendations
- Enable egress logging at the host or perimeter firewall and baseline normal destinations for WordPress workloads.
- Forward web server, PHP, and network flow logs to a centralized analytics platform for correlation across requests and outbound connections.
- Review WordPress audit logs for the presence and version of the PixelYourSite Pro plugin to identify exposed sites in the estate.
How to Mitigate CVE-2026-7049
Immediate Actions Required
- Upgrade PixelYourSite Pro to a version newer than 12.5.0.1 once the vendor publishes a fix.
- Restrict egress from WordPress hosts so that only required external destinations are reachable, blocking access to internal subnets and metadata services.
- Disable or remove the PixelYourSite Pro plugin on sites where video scanning is not required until a patched release is deployed.
Patch Information
At the time of NVD publication, all versions through 12.5.0.1 are listed as vulnerable. Administrators should monitor the PixelYourSite Pro plugin repository and the Wordfence advisory for an updated release that introduces URL validation in the EmbeddedVideo component.
Workarounds
- Place the WordPress site behind a Web Application Firewall (WAF) rule that blocks requests to scan_video containing URLs targeting private, loopback, or link-local addresses.
- Configure the WordPress host to require IMDSv2 on AWS, or equivalent token-protected metadata access on Azure and GCP, to neutralize cloud metadata abuse.
- Apply outbound network policies that allow only known video provider domains for the PHP worker user, denying all other destinations.
# Example egress restriction using iptables (adapt to environment)
# These rules must come before any general ACCEPT in the OUTPUT chain; use -I rather than -A if one already exists.
# Rejecting 127.0.0.0/8 also cuts the web user off from local stub resolvers (e.g. 127.0.0.53) and a database bound to 127.0.0.1, so add narrower ACCEPT rules for those first if needed.
iptables -A OUTPUT -m owner --uid-owner www-data -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j REJECT
# Add the equivalent ip6tables rules (::1/128, fe80::/10, fc00::/7) if the host has IPv6 egress.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.