VYPR
Medium severity (score 4.3) · NVD Advisory · Published Oct 22, 2025 · Updated Apr 15, 2026

CVE-2025-10588

Description

The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PixelYourSite WordPress plugin <=11.1.2 has a CSRF vulnerability allowing unauthenticated attackers to modify GDPR settings by tricking an admin.

Vulnerability

The PixelYourSite plugin for WordPress, versions up to and including 11.1.2, contains a Cross-Site Request Forgery (CSRF) vulnerability in the adminEnableGdprAjax() function. This function fails to properly validate the nonce value when processing requests to enable GDPR AJAX mode and related consent integrations, despite checking for the presence of the nonce field [1].

Exploitation

An unauthenticated attacker can craft a malicious request that, when triggered by an authenticated administrator (e.g., by clicking a link), silently modifies the plugin's GDPR settings. The request only needs a _wpnonce field to be present and a pys[enable_gdpr_ajax] parameter to be set; the nonce value itself is not verified against the user's session and the intended action, so the forged request is processed as a legitimate state change [1].

Impact

Successful exploitation enables an attacker to toggle GDPR features such as GDPR AJAX mode and cookie law info integration. This could lead to unauthorized data processing or consent bypass, undermining site compliance with privacy regulations [1].

Mitigation

The vendor has not yet released a patched version; the vulnerability remains unpatched as of publication. Administrators are advised to limit access to admin pages and avoid clicking untrusted links until an update is available [1].
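The defect class described above, a handler that checks that a nonce field is present but never verifies its value, is shown here as an added example alongside the hardened form. This is hypothetical illustration code, not PixelYourSite code: the function names, the `example_enable_feature` action and option name, and the `example[enable_feature]` request parameter are assumptions.

```php
<?php
// Added example; hypothetical WordPress AJAX handler, not code from the plugin.
// Action, option and parameter names are assumptions.

// VULNERABLE PATTERN: presence check only. A forged cross-site POST carrying any
// value in _wpnonce passes this check, and because the victim administrator is
// logged in, the capability check passes too, so the option is updated.
function example_enable_feature_ajax_vulnerable() {
    if ( ! isset( $_POST['_wpnonce'] ) ) {
        wp_send_json_error( 'missing nonce' );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $enable = ! empty( $_POST['example']['enable_feature'] );
    update_option( 'example_enable_feature', $enable ? 1 : 0 );
    wp_send_json_success();
}

// HARDENED PATTERN: check_ajax_referer() verifies that the submitted nonce was
// generated for this specific action by the current user's session; on failure
// it terminates the request (with -1 for AJAX) before any state changes.
function example_enable_feature_ajax_hardened() {
    check_ajax_referer( 'example_enable_feature', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $enable = ! empty( $_POST['example']['enable_feature'] );
    update_option( 'example_enable_feature', $enable ? 1 : 0 );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_enable_feature', 'example_enable_feature_ajax_hardened' );

// The admin page that issues the request must embed a nonce for the same action,
// e.g. wp_nonce_field( 'example_enable_feature', '_wpnonce' ) in a form, or
// wp_create_nonce( 'example_enable_feature' ) passed to the page's JavaScript.
```

The capability check alone is not a CSRF defence, since the forged request rides on the administrator's existing session; only the action-bound nonce verification ties the request to a page the administrator actually loaded. When reviewing a handler for this class of bug, look for `isset()` or `! empty()` on the nonce parameter without a corresponding `wp_verify_nonce()` or `check_ajax_referer()` call on its value.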

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.