CVE-2025-10723 is a path traversal vulnerability classified under CWE-22 affecting the PixelYourSite WordPress plugin prior to version 11.1.2. The flaw stems from insufficient validation of certain URL parameters that are used to construct file paths within the plugin. Specifically, these parameters are passed to functions that handle file operations without proper sanitization or restriction to a safe directory, allowing an attacker with administrative privileges to manipulate the pathname and perform Local File Inclusion (LFI) attacks. LFI can enable attackers to read arbitrary files on the web server, potentially exposing sensitive information such as configuration files, credentials, or other private data stored on the server. The vulnerability requires the attacker to have admin-level access to the WordPress site, which limits the attack surface but does not eliminate risk, especially in environments where admin accounts may be compromised or shared. No CVSS score has been assigned yet, and no known exploits are currently in the wild. The vulnerability was publicly disclosed on October 24, 2025, with the patch released in version 11.1.2 of the plugin. The PixelYourSite plugin is widely used for integrating tracking pixels and analytics in WordPress sites, making it a common target in the digital marketing ecosystem. The technical root cause is the improper limitation of pathname inputs, allowing directory traversal sequences (e.g., ../) to escape intended directories. This vulnerability can lead to significant confidentiality breaches and potentially integrity issues if attackers can include malicious files or scripts.

For European organizations, the impact of CVE-2025-10723 can be significant, especially for those relying on WordPress sites with PixelYourSite installed for marketing and analytics purposes. Successful exploitation could lead to unauthorized disclosure of sensitive internal files, including credentials, configuration files, or proprietary data, undermining confidentiality. This could facilitate further attacks such as privilege escalation or lateral movement within the network. The integrity of the website could also be compromised if attackers leverage LFI to include malicious scripts or manipulate site behavior. Availability impact is less direct but could occur if attackers disrupt normal operations through file manipulation. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and e-commerce, face increased compliance risks and potential reputational damage. Since exploitation requires admin access, the threat is heightened in environments with weak access controls or compromised admin accounts. The absence of known exploits reduces immediate risk but does not preclude targeted attacks, especially given the public disclosure.

1. Immediately update the PixelYourSite plugin to version 11.1.2 or later to apply the official patch addressing this vulnerability. 2. Restrict administrative access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised admin accounts. 3. Implement strict input validation and sanitization on all URL parameters, especially those that influence file paths, to prevent directory traversal attempts. 4. Employ web application firewalls (WAFs) with rules designed to detect and block path traversal patterns and suspicious file access attempts. 5. Regularly audit and monitor logs for unusual file access or inclusion activities that could indicate exploitation attempts. 6. Limit file system permissions for the web server user to the minimum necessary, preventing access to sensitive directories outside the web root. 7. Educate administrators on the risks of sharing credentials and the importance of secure password practices. 8. Consider isolating critical WordPress instances or using containerization to limit the blast radius of potential compromises.