PixelYourSite <= 11.1.5 - Sensitive Information Exposure via Log File
Description
The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the "Meta API logs" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=11.1.5Source Code
WordPress.org SVNThis research plan targets **CVE-2025-14280**, a sensitive information exposure vulnerability in the **PixelYourSite** plugin. The vulnerability allows unauthenticated access to log files containing Meta (Facebook) API request/response data, which often includes sensitive API tokens, user PII (email…
Show full research plan
This research plan targets CVE-2025-14280, a sensitive information exposure vulnerability in the PixelYourSite plugin. The vulnerability allows unauthenticated access to log files containing Meta (Facebook) API request/response data, which often includes sensitive API tokens, user PII (emails, IPs), and event details.
1. Vulnerability Summary
- Vulnerability: Sensitive Information Exposure via Log File.
- Root Cause: The plugin writes sensitive Meta Conversions API (CAPI) communication data to a log file located in a predictable, publicly accessible directory (
wp-content/uploads/...) without adequate access controls or filename randomization. - Precondition: The "Meta API logs" setting must be enabled. While disabled by default, it is frequently used for troubleshooting API connection issues.
- Affected Versions: <= 11.1.5.
2. Attack Vector Analysis
- Endpoint: Direct HTTP GET request to the log file URL.
- Target URL (Inferred):
- Primary:
http://localhost:8080/wp-content/uploads/pixelyoursite/logs/meta_api.log - Secondary:
http://localhost:8080/wp-content/uploads/pys-logs/meta_api.log
- Primary:
- Authentication: None required.
- Payload: No specific payload; the attack is a direct file retrieval.
3. Code Flow (Inferred)
- Enabling Logs: The admin enables "Meta API logs" in the PYS Dashboard. This sets a flag in the
pys_coreorpys_facebookoption array in the database. - Triggering Logs: When a tracked event (e.g.,
PageView,AddToCart) occurs, the plugin sends a Conversions API request to Meta. - Logging Sink: If logging is enabled, the plugin calls a logging function (likely in a class like
PYS_Loggeror within theFacebookclass) that usesfile_put_contentsorfopento append data to a file. - Path Construction: The plugin uses
wp_upload_dir()to determine the base path and appends a predictable subdirectory likepixelyoursite/logs/and a filename likemeta_api.log. - Access: Since the directory lacks an
index.php,.htaccess(on Nginx), or a randomized filename, the log is served directly by the web server.
4. Nonce Acquisition Strategy
No nonce is required. This is a direct file access vulnerability. The attacker does not need to interact with the WordPress AJAX or REST API endpoints to read the log file.
5. Exploitation Strategy
The goal is to enable the logging feature, trigger an event, and then retrieve the log file as an unauthenticated user.
Locate Logging Code:
Use the following commands to confirm the log path and setting name:grep -r "meta_api.log" .grep -r "meta_api_log" .grep -r "wp_upload_dir" . | grep "log"
Enable Logging (Simulation):
The setting is likely stored in thepys_coreoption. Use WP-CLI to enable it:# Note: The exact option key might be 'pys_core' or 'pys_facebook' # and the sub-key might be 'meta_api_log_enabled' or similar. # Verification of option name is part of the research. wp option get pys_coreGenerate a Tracking Event:
Visit the homepage. PixelYourSite automatically triggers aPageViewevent for Meta CAPI if configured.// Using browser_navigate to trigger the event await browser_navigate("http://localhost:8080/");Retrieve the Log File:
Perform an unauthenticated GET request to the identified log path.# Target URL based on standard PYS structure GET /wp-content/uploads/pixelyoursite/logs/meta_api.log
6. Test Data Setup
- Install Plugin: Ensure PixelYourSite version 11.1.5 or lower is installed.
- Configure Facebook Pixel: A dummy Pixel ID and API Token must be set in the PYS settings for the plugin to attempt CAPI requests.
# Example (Verify exact option structure first): wp option patch insert pys_facebook pixel_id "123456789" wp option patch insert pys_facebook capi_token "EAAG..." wp option patch insert pys_facebook capi_enabled true wp option patch insert pys_facebook meta_api_log_enabled true - Verify Directory: Confirm the directory exists.
ls -la /var/www/html/wp-content/uploads/pixelyoursite/logs/
7. Expected Results
- The
http_requestto the log file should return anHTTP 200 OKstatus. - The response body should contain JSON or raw text logs starting with timestamps.
- Sensitive keys like
"access_token","event_name","user_data", and"client_user_agent"should be visible in the log.
8. Verification Steps
- Check Log Content:
# Check the file content directly in the container to verify what WAS exposed cat /var/www/html/wp-content/uploads/pixelyoursite/logs/meta_api.log - Compare with Exploit Output: Verify that the data retrieved via
http_requestmatches the file on disk. - Confirm Unauthenticated Access: Ensure the
http_requesttool is not sending any session cookies when fetching the log.
9. Alternative Approaches
- Filename Brute Force: If
meta_api.logis not found, check if the plugin uses timestamped logs (e.g.,meta_api-2023-10-27.log). - Directory Indexing: If the server is misconfigured to allow directory listing, try accessing
/wp-content/uploads/pixelyoursite/logs/directly to see all log files. - Other Log Files: Look for
pys.log,facebook.log, orgoogle_analytics.login the same directory, as the plugin supports multiple tags.
Research Grep Cheat Sheet
# Find where the plugin defines the log path
grep -rn "get_upload_path" .
grep -rn "get_upload_url" .
# Find the specific string for the Meta API log file
grep -rn "meta_api" . | grep ".log"
# Find the logic that checks if logging is enabled
grep -rn "meta_api_log_enabled" .
Summary
The PixelYourSite plugin for WordPress exposes sensitive Meta Conversions API (CAPI) logs in a publicly accessible directory with a predictable filename. Unauthenticated attackers can access these logs to retrieve sensitive information such as API access tokens, user PII (IP addresses, emails), and event details when the Meta API logging feature is enabled.
Vulnerable Code
// Inferred from Research Plan: Path construction for the log file // Likely located in a logging utility class or the main Facebook CAPI implementation $upload_dir = wp_upload_dir(); $log_directory = $upload_dir['basedir'] . '/pixelyoursite/logs/'; $log_file = $log_directory . 'meta_api.log'; if ( $this->getOption( 'meta_api_log_enabled' ) ) { // Appends sensitive request/response data to a predictable, publicly accessible file file_put_contents( $log_file, $log_data, FILE_APPEND ); }
Security Fix
@@ -10,5 +10,12 @@ - $log_file = $upload_dir['basedir'] . '/pixelyoursite/logs/meta_api.log'; + // Generate or retrieve a unique hash for the log filename to prevent predictability + $log_hash = get_option( 'pys_log_filename_hash' ); + if ( ! $log_hash ) { + $log_hash = wp_generate_password( 32, false ); + update_option( 'pys_log_filename_hash', $log_hash ); + } + + // Protect the directory with an index.php and randomized filename + $log_file = $upload_dir['basedir'] . '/pixelyoursite/logs/meta_api_' . $log_hash . '.log'; + if ( ! file_exists( $upload_dir['basedir'] . '/pixelyoursite/logs/index.php' ) ) { + file_put_contents( $upload_dir['basedir'] . '/pixelyoursite/logs/index.php', '<?php // Silence is golden' ); + }
Exploit Outline
The exploit involves directly accessing the predictable log file path via a web browser or HTTP client. 1. Precondition: The plugin's 'Meta API logs' setting must be enabled by an administrator (often done for debugging CAPI issues). 2. Endpoint: The attacker targets the default upload directory: `GET /wp-content/uploads/pixelyoursite/logs/meta_api.log`. 3. Payload: No special payload is required; the request is a standard unauthenticated GET request. 4. Authentication: None required. If the server does not restrict access to the uploads directory or if directory listing is enabled, the attacker can easily identify and download the file. 5. Data Extraction: The log contains raw JSON or text data from Meta API interactions, including the `access_token` for the Meta Pixel and potentially hashed user data used for matching events.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.