CVE-2025-10723: 
WordPress vulnerability analysis and mitigation

The PixelYourSite WordPress plugin before version 11.1.2 contains a Local File Inclusion (LFI) vulnerability identified as CVE-2025-10723. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on October 3, 2025. The security flaw affects the plugin's URL parameter validation mechanism, potentially exposing sensitive information to administrators with malicious intent (WPScan).

The vulnerability stems from improper validation of URL parameters before they are used to generate paths passed to functions. The CVSS v3.1 base score is 2.7 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N, indicating that while the attack requires high privileges, it has low attack complexity and can be executed remotely (NVD).

The vulnerability allows authenticated administrators to perform Local File Inclusion attacks, potentially accessing sensitive files on the server, including critical configuration files such as wp-config.php which may contain database credentials and other sensitive information (WPScan).

The vulnerability has been patched in PixelYourSite version 11.1.2. Users are strongly advised to update their installations to this version or later to mitigate the security risk (WPScan).