PatchSiren cyber security CVE debrief
CVE-2026-7613 pixelyoursite CVE debrief
CVE-2026-7613 is a stored cross-site scripting issue in the Cost of Goods by PixelYourSite WordPress plugin, affecting versions up to and including 1.2.12. Because the flaw is reachable through the csvdata[0][cost_of_goods_value] parameter and can be triggered by unauthenticated input, site owners should treat it as a high-priority web application risk.
- Vendor: pixelyoursite
- Product: Cost of Goods by PixelYourSite
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
WordPress administrators, managed hosting providers, security teams, and anyone running the Cost of Goods by PixelYourSite plugin up to version 1.2.12 should review exposure immediately. This is especially important for sites where user-supplied content is rendered back into pages without strict sanitization and escaping.
Technical summary
According to the supplied source data, the plugin is vulnerable to stored XSS because it performs insufficient input sanitization and output escaping on the csvdata[0][cost_of_goods_value] parameter. The issue allows arbitrary web scripts to be stored in affected pages and executed when a user later accesses an injected page. NVD lists the weakness as CWE-79 and assigns CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (7.2 HIGH).
Defensive priority
High. The issue is network-reachable, requires no privileges, and can impact both data integrity and user sessions in the browser context, so exposed installations should be reviewed promptly.
Recommended defensive actions
- Update the Cost of Goods by PixelYourSite plugin to a fixed version as soon as one is available from the vendor.
- If you cannot update immediately, disable or remove the plugin on internet-facing sites until remediation is possible.
- Review pages and stored content associated with the csvdata[0][cost_of_goods_value] field for unexpected script content or malformed HTML.
- Check for signs of browser-side compromise, including unexpected redirects, injected markup, or suspicious administrative actions.
- Validate that server-side input sanitization and output escaping are enforced anywhere plugin data is stored or rendered.
- Re-scan affected WordPress instances after remediation to confirm the vulnerable version is no longer present.
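One way to carry out the stored-content review above, as an added example that is not code from the advisory or the plugin. It assumes the stored cost values have already been exported to CSV under the hypothetical column names record_id and cost_of_goods_value, and that a legitimate value is a plain decimal amount or percentage.

```python
import csv
import io
import re
from html import unescape

# Assumption: a legitimate cost value is a plain decimal amount, optionally a percentage.
NUMERIC = re.compile(r"^\s*\d+(?:[.,]\d+)?\s*%?\s*$")
# Markers that raise a finding from "non-numeric" to "markup" in the triage report.
MARKUP = re.compile(r"<[^>]*>|\bon\w+\s*=|javascript:", re.IGNORECASE)

# Constructed sample export (not real site data); column names are hypothetical.
SAMPLE_EXPORT = '''record_id,cost_of_goods_value
101,12.50
102,15%
103,<script>alert(1)</script>
104,"9.99"" onmouseover=""alert(1)"
105,&lt;img src=x onerror=alert(1)&gt;
106,
107,N/A
'''


def audit_cost_values(export_text):
    """Return (record_id, severity, raw_value) for each value that is not a plain number."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        raw = row["cost_of_goods_value"] or ""
        if not raw.strip() or NUMERIC.match(raw):
            continue  # empty or well-formed amount, nothing to report
        # Decode entities a few times so double-encoded markup is still recognised.
        decoded = raw
        for _ in range(3):
            decoded = unescape(decoded)
        severity = "markup" if MARKUP.search(decoded) else "non-numeric"
        findings.append((row["record_id"], severity, raw))
    return findings


if __name__ == "__main__":
    for record_id, severity, raw in audit_cost_values(SAMPLE_EXPORT):
        # repr() keeps the value inert when the report is viewed in a terminal or log.
        print(f"{record_id}\t{severity}\t{raw!r}")
```

Records flagged as markup are the ones to inspect and clean first; non-numeric findings may be benign but still indicate the field accepted input it should have rejected.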
Evidence notes
The description, CVSS vector, and CWE mapping come from the supplied NVD source item and its Wordfence references. NVD currently marks the vulnerability status as Deferred in the provided metadata. The plugin name and affected version ceiling are taken from the supplied CVE description and source references; vendor attribution in the dataset is low-confidence and should be reviewed.
Official resources
Published by NVD on 2026-05-20T17:16:29.163Z and modified on 2026-05-20T17:33:05.830Z, per the supplied timeline.