CVE-2026-7049
Published: 02 May 2026
Summary
CVE-2026-7049 is a high-severity SSRF (CWE-918) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates user-supplied URLs in the scan_video function to block arbitrary server-side requests to internal or unauthorized locations.
Enforces information flow control policies restricting outbound requests from the WordPress server to only approved destinations, preventing SSRF access to internal services.
Monitors and controls communications at system boundaries to block or detect unauthorized outbound connections initiated by the SSRF-vulnerable plugin.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing WordPress plugin directly enables T1190 for remote unauthenticated exploitation; arbitrary URL requests from server facilitate internal network probing for T1046 Network Service Discovery and T1018 Remote System Discovery.
NVD Description
The PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the scan_video. This makes it possible for unauthenticated attackers to make web requests…
more
to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The SSRF is blind because fetched response bodies are only parsed internally for YouTube/Vimeo patterns and are never returned to the attacker.
Deeper analysisAI
CVE-2026-7049 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, affecting the PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress in all versions up to and including 12.5.0.1. The flaw exists in the scan_video functionality, which allows the plugin to fetch content from arbitrary URLs. Published on 2026-05-02, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), reflecting high severity due to its network accessibility, low attack complexity, lack of privileges or user interaction needed, and changed scope.
Unauthenticated attackers can exploit this vulnerability remotely by triggering the scan_video function to originate web requests from the WordPress server to arbitrary locations. This enables querying or modifying information from internal services that are not directly accessible from the internet. The SSRF is blind, as response bodies are processed internally only for YouTube or Vimeo patterns and never relayed back to the attacker.
The provided references link to the plugin's source code in the WordPress trac repository, specifically highlighting lines 66, 83, and 92 in EmbeddedVideo.php across tags 12.4.1.1 and 12.5.0, which correspond to the vulnerable request-handling logic. No explicit patch or mitigation details are detailed in the available information.
Details
- CWE(s)