PixelYourSite is one of the most widely used analytics and marketing integration plugins for WordPress, with 500k+ installs. It streamlines adding Facebook/Meta, Google, and other pixels/tags, and includes convenience features for exporting or downloading configuration artifacts. During testing, we identified CVE-2025-10723, a Local File Inclusion (LFI) / path traversal flaw in the plugin’s admin download endpoint. When an authenticated administrator requests a file through the download_container parameter, the handler concatenates that user-supplied path with an internal base directory and streams it directly. Because the code does not normalize or strictly validate the path (no canonicalization, no allowlist), ../ traversal lets an admin download arbitrary readable files from the server, including wp-config.php, SSH keys, and environment files. While exploitation requires admin privileges and a valid nonce, the impact is high due to the sensitivity of the exposed secrets (DB credentials, salts, API keys) and the potential for off-platform pivoting.
| Field | Value |
|---|---|
| CVE | CVE-2025-10723 |
| Plugin Version | PixelYourSite < 11.1.2 |
| Criticality | High |
| All Time | 17 196 498 |
| Active installations | 500 000+ |
| Publicly Published | October 9, 2025 |
| Last Updated | October 9, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10723, https://wpscan.com/vulnerability/88a99f9d-dc7f-4c04-8734-77295c8656bf/ |
Timeline
| Date | Event |
|---|---|
| September 10, 2025 | Plugin testing and vulnerability detection in PixelYourSite – Your smart PIXEL (TAG) & API Manager were completed |
| September 10, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 9, 2025 | Registered CVE-2025-10723 |
Discovery of the Vulnerability
While reviewing the “Download GTM Container” feature under PixelYourSite → Dashboard, we observed a pattern common to unsafe file downloaders: the server builds a filesystem path by concatenating a base directory with a request parameter (here, download_container), then passes the resulting string to a direct reader (e.g., readfile() or equivalent). The presence of the _wpnonce_template_logs nonce enforced only CSRF protection; there was no canonical path check (e.g., realpath()), no prefix validation against an allowed directory, and no allowlist of expected filenames/IDs. Consequently, supplying ../../../../wp-config.php in the download_container query string caused the server to traverse outside the intended folder and stream the target file back to the browser.
Understanding LFI attacks
In WordPress plugins, download/export helpers often accept an identifier (e.g., a slug or UUID) and resolve it to a known safe file path. Vulnerabilities arise when handlers treat a filename as a free-form path and skip canonicalization. Without a realpath()/wp_normalize_path() check and prefix enforcement, the classic ../ traversal grants access to files far beyond the intended repository. This class of bug maps to CWE-22: Improper Limitation of a Pathname to a Restricted Directory and is frequently seen in log viewers, backup downloaders, and “export” endpoints. Even when restricted to administrators, LFI is not benign: it can leak database credentials, auth salts, secrets for external APIs, or cloud metadata tokens, enabling compromise of infrastructure outside WordPress.
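The unsafe pattern described above next to a hardened version, as an added illustration written for this write-up (it is not PixelYourSite's code). `current_user_can()`, `wp_verify_nonce()`, `wp_die()` and `WP_CONTENT_DIR` are real WordPress APIs; the storage directory, the nonce action name, the `.json` naming rule and all function names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Directory, nonce action and file-naming rule are assumed.

// Vulnerable shape: base directory + raw request parameter, then a direct reader.
function unsafe_download_container(string $base_dir, string $requested): void {
    $path = $base_dir . '/' . $requested;   // "../../../../wp-config.php" walks out of $base_dir
    readfile($path);                        // streams whatever the string resolves to
}

// Hardened version: identifier allowlist, canonicalization, and containment check.
// Returns the resolved path, or null when the request must be refused.
function resolve_container_path(string $base_dir, string $requested): ?string {
    // 1. Treat the parameter as an identifier, not a path (assumed rule: [A-Za-z0-9_-] plus ".json").
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.json\z/', $requested)) {
        return null;
    }
    // 2. Canonicalize both sides; realpath() returns false for a missing file or directory.
    $root = realpath($base_dir);
    $full = realpath($base_dir . DIRECTORY_SEPARATOR . $requested);
    if ($root === false || $full === false) {
        return null;
    }
    // 3. Containment: the resolved file must live directly inside the allowed directory.
    if (dirname($full) !== $root) {
        return null;
    }
    return $full;
}

// Handler as it would sit behind an admin hook: capability check, nonce check, then the safe resolver.
function handle_download_container(): void {
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', '', ['response' => 403]);
    }
    $nonce = isset($_GET['_wpnonce_template_logs']) ? (string) $_GET['_wpnonce_template_logs'] : '';
    if (!wp_verify_nonce($nonce, 'pys_download_container')) {   // action name assumed
        wp_die('Invalid nonce', '', ['response' => 403]);
    }
    $base = WP_CONTENT_DIR . '/uploads/pys-containers';          // storage directory assumed
    $path = resolve_container_path($base, (string) ($_GET['download_container'] ?? ''));
    if ($path === null) {
        wp_die('Invalid container', '', ['response' => 400]);
    }
    header('Content-Type: application/json');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    exit;
}
```

The nonce still only prevents CSRF; it is the identifier rule plus the realpath()/dirname() containment check that stops an administrator from reaching wp-config.php.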
Exploiting the LFI Vulnerability
To exploit CVE-2025-10723, an attacker with Admin+ cookies proceeds as follows.
PoC:
While logged in as an Administrator, open PixelYourSite → Dashboard, copy the “Download GTM Container” link to obtain the nonce from _wpnonce_template_logs, then request the endpoint, replacing the file argument with a traversal payload. Example: `/wp-admin/admin.php?page=pixelyoursite&download_container=../../../../wp-config.php&_wpnonce_template_logs=<YOUR_VALID_NONCE>`. A successful response returns the contents of wp-config.php. The same technique can target other readable files by adjusting the traversal depth and filename.
- **Database takeover & data exfiltration:** wp-config.php typically exposes DB host, user, and password, enabling direct DB access to dump users, orders, PII, or API tokens.
- **Session & key abuse:** WordPress AUTH/SALT keys can help craft session-related attacks or accelerate credential abuse.
- **Cloud & CI/CD pivoting:** .env files, composer/npm configs, or service tokens may reveal cloud credentials, storage buckets, or pipeline secrets.
- **Broader server reconnaissance:** Access to server configs and logs can assist in lateral movement or targeted RCE (e.g., identifying writable paths, misconfigurations, or vulnerable services).
Recommendations for Improved Security
- Update PixelYourSite to a patched release as soon as it’s available.
- Limit admin sprawl: reduce the number of administrator accounts; enforce strong MFA.
- Secrets hygiene: rotate DB credentials and API keys if exploitation is suspected; move secrets out of web-readable paths, and restrict file permissions.
- Monitoring: log access to the download endpoint and alert on suspicious parameters (e.g., ../, .env, .ssh, config).
- Least privilege for agencies: assign narrower roles or temporary access tokens instead of permanent admin accounts.
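The monitoring recommendation above, worked into a small log check, as an added example (not CleanTalk's or the plugin's tooling). It reads combined-format access log lines, decodes the download_container value once, and flags the indicators listed above; the three log lines are constructed for the demonstration.

```php
<?php
// Added example: flag requests to the PixelYourSite download endpoint whose
// download_container value carries traversal or sensitive-file indicators. Sample log lines are constructed.

const SUSPICIOUS_PATTERNS = [
    'traversal'      => '#(?:^|[\\\\/])\.\.(?:[\\\\/]|$)#',   // ../ or ..\ segment after one decode
    'encoded_dotdot' => '#%2e%2e#i',                          // survives a double-encoded value
    'env_file'       => '#(?:^|/)\.env#',
    'ssh_dir'        => '#(?:^|/)\.ssh/#',
    'config'         => '#config#i',                          // wp-config.php, nginx/apache configs
];

// Returns the names of the patterns matched by one log line; an empty array means clean or unrelated.
function classify_download_request(string $line): array {
    // Request field of a combined-format line: "GET /path?query HTTP/1.1"
    if (!preg_match('#"(?:GET|POST) (\S+) HTTP/#', $line, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY) ?? '';
    parse_str($query, $params);                // parse_str() URL-decodes each value once
    if (($params['page'] ?? '') !== 'pixelyoursite' || !isset($params['download_container'])) {
        return [];
    }
    $value = (string) $params['download_container'];
    $hits = [];
    foreach (SUSPICIOUS_PATTERNS as $name => $re) {
        if (preg_match($re, $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed lines: a benign export, a traversal to wp-config.php, and a URL-encoded probe for .env.
$sample_log = [
    '203.0.113.5 - - [10/Sep/2025:12:00:01 +0000] "GET /wp-admin/admin.php?page=pixelyoursite&download_container=gtm-main.json&_wpnonce_template_logs=abc123 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Sep/2025:12:00:09 +0000] "GET /wp-admin/admin.php?page=pixelyoursite&download_container=../../../../wp-config.php&_wpnonce_template_logs=abc123 HTTP/1.1" 200 3180',
    '203.0.113.5 - - [10/Sep/2025:12:00:15 +0000] "GET /wp-admin/admin.php?page=pixelyoursite&download_container=..%2F..%2F..%2F.env&_wpnonce_template_logs=abc123 HTTP/1.1" 200 412',
];

foreach ($sample_log as $line) {
    $hits = classify_download_request($line);
    if ($hits) {
        echo 'ALERT [' . implode(',', $hits) . '] ' . $line . PHP_EOL;   // second and third lines fire
    }
}
```

Pair the alert with the response size and status: a 200 with a few kilobytes returned for a traversal value means the file was actually served, which should trigger the credential rotation listed above.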
By taking proactive measures to address LFI vulnerabilities like CVE-2025-10723, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.
