Description

The PixelYourSite WordPress plugin before 11.1.2 does not validate some URL parameters before using them to generate paths passed to functions, allowing any admin to perform local file inclusion (LFI) attacks.

PUBLISHED Reserved 2025-09-19 | Published 2025-10-24 | Updated 2025-10-24 | Assigner WPScan

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unaffected

Any version before 11.1.2: affected

Credits

Dmitrii Ignatyev (finder)

WPScan (coordinator)

References

wpscan.com/...rability/88a99f9d-dc7f-4c04-8734-77295c8656bf/ exploit vdb-entry technical-description

cve.org (CVE-2025-10723)

nvd.nist.gov (CVE-2025-10723)
