CVE-2026-7613: Cost of Goods by PixelYourSite WordPress Plugin Stored XSS
The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csvdata[0][cost_of_goods_value]' parameter in versions up to, and including, 1.2.12 due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts that execute when a user accesses an injected page.
CVE-2026-7613 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Cost of Goods by PixelYourSite plugin for WordPress. The vulnerability exists due to insufficient input sanitization and output escaping of the ‘csvdata[0][cost_of_goods_value]’ parameter. Unauthenticated attackers can exploit this flaw to inject arbitrary web scripts into pages, which will then execute whenever a user accesses the affected page. The affected versions of the Cost of Goods by PixelYourSite plugin are up to and including 1.2.12. This vulnerability was reported by Wordfence on May 20, 2026. Successful exploitation could lead to account compromise, data theft, or other malicious activities.
Attack Chain
- An unauthenticated attacker crafts a malicious HTTP request targeting the WordPress site.
- The request includes a payload containing a JavaScript injection within the csvdata[0][cost_of_goods_value] parameter.
- The attacker sends the crafted POST request to a WordPress endpoint that processes the Cost of Goods plugin data.
- The Cost of Goods plugin fails to properly sanitize or escape the injected JavaScript within the csvdata[0][cost_of_goods_value] parameter.
- The malicious payload is stored in the WordPress database.
- A user visits a page that displays the stored data from the Cost of Goods plugin.
- The injected JavaScript code is executed within the user’s browser, potentially performing actions such as stealing cookies or redirecting the user to a malicious website.
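The chain above comes down to two missing controls: the value is stored without validation and later rendered without escaping. The following Python model is an added example, not code from the plugin or from PixelYourSite; it stands in for the plugin's PHP (in WordPress the equivalents would be sanitize_text_field()/esc_html()), uses an in-memory dictionary in place of the database, and shows the flawed pattern beside the hardened one on constructed input. Because a cost of goods is a monetary amount, allow-list validation rejects the payload before storage, and output escaping covers whatever still reaches the page.

```python
import html
import re
from html.parser import HTMLParser

# Parameter named in the advisory.
PARAM = "csvdata[0][cost_of_goods_value]"

# Constructed sample submissions (not captured traffic): a legitimate value
# and one carrying an inline event handler of the kind the advisory describes.
SAMPLE_GOOD = {PARAM: "12.50"}
SAMPLE_BAD = {PARAM: '<img src=x onerror="alert(1)">'}

# Toy in-memory store standing in for the WordPress database.
STORE: dict = {}


def save_cost_vulnerable(request: dict) -> None:
    """Flawed pattern: the raw parameter is stored exactly as received."""
    STORE["cost"] = request.get(PARAM, "")


def render_cost_vulnerable() -> str:
    """Flawed pattern: the stored value is interpolated into HTML unescaped,
    so any markup inside it becomes live in the viewer's browser."""
    return "<td class='cog'>" + STORE.get("cost", "") + "</td>"


# A cost of goods is a monetary amount: accept digits with an optional
# fractional part and nothing else (allow-list validation).
COST_RE = re.compile(r"\d{1,12}(\.\d{1,4})?")


def save_cost_hardened(request: dict) -> bool:
    """Input validation: store only a well-formed decimal. Returns False and
    stores nothing when the value is rejected."""
    value = request.get(PARAM, "").strip()
    if not COST_RE.fullmatch(value):
        return False
    STORE["cost"] = value
    return True


def render_cost_hardened() -> str:
    """Output escaping as defence in depth: even a value that reached storage
    unvalidated is rendered as inert text (WordPress: esc_html())."""
    return "<td class='cog'>" + html.escape(STORE.get("cost", ""), quote=True) + "</td>"


class TagCollector(HTMLParser):
    """Records the elements and on* attributes a browser's parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.event_attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs.extend(a for a, _ in attrs if a.startswith("on"))


def live_elements(rendered: str):
    """Parse rendered HTML and return (tags other than the wrapping cell,
    event-handler attributes). Both lists are empty for a safe rendering."""
    parser = TagCollector()
    parser.feed(rendered)
    return [t for t in parser.tags if t != "td"], parser.event_attrs


if __name__ == "__main__":
    save_cost_vulnerable(SAMPLE_BAD)
    print("vulnerable render:", render_cost_vulnerable(), live_elements(render_cost_vulnerable()))
    print("hardened render of the same stored value:", render_cost_hardened(), live_elements(render_cost_hardened()))
    STORE.clear()
    print("hardened save accepts payload?", save_cost_hardened(SAMPLE_BAD))
    print("hardened save accepts 12.50?", save_cost_hardened(SAMPLE_GOOD))
```

The check in live_elements deliberately runs a real HTML parser over the output rather than grepping for "onerror": the escaped rendering still contains that word as text, and only a parser shows whether it became an attribute.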
Impact
Successful exploitation of this stored XSS vulnerability could allow an attacker to compromise WordPress administrator accounts, inject malicious content into the website, or redirect users to phishing sites. As an unauthenticated user can inject arbitrary scripts, the impact could be widespread if an administrator views the injected content. Compromise of the administrator account could lead to complete control over the WordPress website.
Recommendation
- Upgrade the Cost of Goods by PixelYourSite plugin to a version greater than 1.2.12 to patch CVE-2026-7613.
- Deploy the Sigma rule "Detect CVE-2026-7613 Exploitation — Cost of Goods Plugin XSS" to identify potential exploitation attempts in web server logs.
- Implement input validation and output encoding on all user-supplied data to prevent XSS vulnerabilities.
- Monitor WordPress logs for suspicious activity related to the Cost of Goods plugin, such as unexpected modifications to plugin settings or data.
Detection coverage (2 rules)
Detect CVE-2026-7613 Exploitation — Cost of Goods Plugin XSS
Severity: medium. Detects CVE-2026-7613 exploitation — HTTP POST requests containing script tags or event handlers in the csvdata[0][cost_of_goods_value] parameter, indicating a stored XSS attempt in the Cost of Goods by PixelYourSite plugin.
Detect WordPress AJAX Request with Suspicious Parameters
Severity: low. Detects POST requests to admin-ajax.php with parameters commonly used in XSS attacks.
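The logic the medium rule describes (and that the recommendation to deploy it relies on) can be checked offline. The Python scanner below is an added example written for this page, not the platform's Sigma rule or a PixelYourSite artifact. It assumes a JSON-lines log from a reverse proxy or WAF that records the POST body, which is the one caveat that matters in practice: standard web server access logs do not carry request bodies, so this rule needs a body-logging source. The log lines, IP addresses and the action=example_action field are constructed placeholders; the endpoint is not named on the page, so the scanner keys on the parameter rather than the path. It generalizes the rule to any row index (csvdata[N][cost_of_goods_value]), decodes once more to catch double-encoded payloads, and as an added heuristic flags any non-numeric value at lower severity, since the field should only ever hold a cost.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus

# Constructed sample records (not real traffic) in an assumed JSON-lines
# body-logging format: a benign save, a script-tag payload, a double-encoded
# event-handler payload in row 3, a GET that must be ignored, and a
# non-numeric value that is suspicious but not an XSS pattern.
SAMPLE_LOG = """\
{"ts":"2026-05-21T10:00:01Z","src":"203.0.113.5","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=example_action&csvdata%5B0%5D%5Bcost_of_goods_value%5D=12.50"}
{"ts":"2026-05-21T10:00:07Z","src":"198.51.100.7","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=example_action&csvdata%5B0%5D%5Bcost_of_goods_value%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}
{"ts":"2026-05-21T10:00:09Z","src":"198.51.100.7","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=example_action&csvdata%5B3%5D%5Bcost_of_goods_value%5D=%2522%2520onmouseover%253Dalert(1)"}
{"ts":"2026-05-21T10:00:11Z","src":"192.0.2.9","method":"GET","path":"/wp-admin/admin-ajax.php","body":""}
{"ts":"2026-05-21T10:00:15Z","src":"192.0.2.9","method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=example_action&csvdata%5B0%5D%5Bcost_of_goods_value%5D=abc"}
"""

# Any row index, not only [0]: the advisory names [0], the shape is generic.
PARAM_RE = re.compile(r"^csvdata\[\d+\]\[cost_of_goods_value\]$")
# Script tags, on* event handlers, javascript: URLs (case-insensitive).
XSS_RE = re.compile(r"<\s*/?\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)
# What a well-formed cost looks like; widen for locale formats if needed.
NUMERIC_RE = re.compile(r"\d{1,12}(\.\d{1,4})?")


def classify_value(raw: str) -> Optional[str]:
    """Return a finding reason for one parameter value, or None if benign.
    parse_qs has already decoded once; decoding again catches %25-encoded
    payloads that would otherwise slip past a literal match."""
    value = unquote_plus(raw)
    if XSS_RE.search(value):
        return "xss_pattern"
    if not NUMERIC_RE.fullmatch(value.strip()):
        return "non_numeric_value"
    return None


def scan_record(rec: dict) -> list:
    """Apply the rule to one parsed log record."""
    if rec.get("method", "").upper() != "POST":
        return []
    findings = []
    fields = parse_qs(rec.get("body", ""), keep_blank_values=True)
    for name, values in fields.items():
        if not PARAM_RE.match(name):
            continue
        for value in values:
            reason = classify_value(value)
            if reason is None:
                continue
            findings.append({
                "ts": rec.get("ts"),
                "src": rec.get("src"),
                "path": rec.get("path"),
                "param": name,
                "reason": reason,
                "severity": "high" if reason == "xss_pattern" else "medium",
            })
    return findings


def scan_log(text: str) -> list:
    """Scan a JSON-lines log; malformed lines are skipped, not fatal."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        out.extend(scan_record(rec))
    return out


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running it on the constructed log yields three findings: the script-tag payload, the double-encoded onmouseover payload in row 3, and the non-numeric value. The benign save and the GET produce nothing, which is the behaviour to confirm before deploying a rule like this against real traffic.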