We have identified and fixed a security vulnerability (XSS) in older versions of our plugins (PixelYourSite Professional ≤12.4.0.3, PixelYourSite Free ≤11.2.0.1).
We strongly recommend updating immediately to:
PixelYourSite Free 11.2.0.2
PixelYourSite Professional 12.4.1
Under specific conditions, this vulnerability could allow an attacker to execute malicious scripts within an authenticated administrator session. In some cases, this may have enabled unauthorized creation of WooCommerce REST API keys or orders with falsified data.
The vulnerability has been fully patched in the latest version of the plugins.
Required Actions:
- Update the plugin to the latest version immediately.
- Reset all administrator passwords.
- Review the list of administrator users and remove any unfamiliar accounts.
- Review WooCommerce → Advanced → REST API and delete any unknown or suspicious API keys.
- As an extra precaution, you can also regenerate existing REST API keys and replace them in the services that use them.
As a precaution, we also recommend enabling two-factor authentication (2FA) for all administrator accounts.
If you no longer have access to updates and you still use an older version of the PixelYourSite Pro plugin, replace it with the free plugin instead (11.2.0.2).
Fake WooCommerce Orders
Some clients mentioned getting fake orders around the same time we issued the security fixes.
IMPORTANT: We have NO indication that such orders are related to PixelYourSite.
Based on the logs we had access to, the requests are going through WooCommerce Store API endpoints (/wp-json/wc/store/v1/…), which are publicly accessible and used by the frontend checkout.
The pattern clearly indicates automated script/bot activity against the checkout (adding items to the cart, scanning common checkout URLs in multiple languages, updating the cart via the Store API).
There is no indication that these orders are an attempt to exploit the vulnerability in older versions, either.
It looks like a simple coincidence.
How to confirm:
Get the IP address associated with a fake order from the order’s details page.
Download the server access logs (or ask your host's support to send them to you), and search for the IP address. The logs will reveal the steps taken by the bot on the site, and its usage of the Store API.
We suggest using ChatGPT or Gemini to review the logs and better understand what’s going on: upload the log files, and ask questions like “explain the activity related to this IP”.
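The log review described above can also be done with a small script instead of (or before) uploading logs to an AI assistant. The following is an added example, not code from PixelYourSite: it parses access-log lines in the common Apache/nginx "combined" format, filters them by the IP address taken from the fake order, and summarises what that IP did, in particular its calls to the WooCommerce Store API (/wp-json/wc/store/… or the /?rest_route=/wc/store/… form used by sites without pretty permalinks) and the checkout-URL probing that returned 404. The log lines, IP addresses and paths are constructed for the example; the function names are assumptions.

```python
import re

# Constructed sample access-log lines (Apache/nginx "combined" format). The IPs,
# timestamps and paths are illustrative only, not taken from any real site.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Mar/2026:10:01:02 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Mar/2026:10:01:03 +0000] "POST /wp-json/wc/store/v1/cart/add-item HTTP/1.1" 201 880 "-" "python-requests/2.31"
203.0.113.7 - - [09/Mar/2026:10:01:03 +0000] "GET /checkout/ HTTP/1.1" 200 9000 "-" "python-requests/2.31"
203.0.113.7 - - [09/Mar/2026:10:01:04 +0000] "GET /caisse/ HTTP/1.1" 404 300 "-" "python-requests/2.31"
203.0.113.7 - - [09/Mar/2026:10:01:04 +0000] "GET /kasse/ HTTP/1.1" 404 300 "-" "python-requests/2.31"
203.0.113.7 - - [09/Mar/2026:10:01:05 +0000] "POST /wp-json/wc/store/v1/cart/update-customer HTTP/1.1" 200 900 "-" "python-requests/2.31"
203.0.113.7 - - [09/Mar/2026:10:01:06 +0000] "POST /wp-json/wc/store/v1/checkout HTTP/1.1" 200 1200 "-" "python-requests/2.31"
198.51.100.20 - - [09/Mar/2026:10:02:00 +0000] "GET /product/blue-shirt/ HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# One "combined" log line: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_log(text):
    """Return a list of dicts, one per line that matches the combined format.
    Lines that do not parse (rotated-log headers, truncated lines) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_store_api(path):
    # Matches both /wp-json/wc/store/v1/... and /?rest_route=/wc/store/v1/...
    return "/wc/store/" in path


def activity_for_ip(text, ip):
    """Summarise everything a single client IP did, in log order."""
    hits = [e for e in parse_log(text) if e["ip"] == ip]
    return {
        "requests": len(hits),
        "first_seen": hits[0]["time"] if hits else None,
        "last_seen": hits[-1]["time"] if hits else None,
        # Store API calls are the cart/checkout steps the advisory describes.
        "store_api_calls": [(e["method"], e["path"]) for e in hits if is_store_api(e["path"])],
        # 404s in a burst usually mean the bot is guessing checkout URLs.
        "not_found_paths": [e["path"] for e in hits if e["status"] == "404"],
        "user_agents": sorted({e["agent"] for e in hits}),
    }


if __name__ == "__main__":
    # Usage: replace SAMPLE_LOG with open("access.log").read() and the IP from the order.
    summary = activity_for_ip(SAMPLE_LOG, "203.0.113.7")
    print(f"{summary['requests']} requests between {summary['first_seen']} and {summary['last_seen']}")
    for method, path in summary["store_api_calls"]:
        print("Store API:", method, path)
    print("404 probes:", summary["not_found_paths"])
    print("User agents:", summary["user_agents"])
```

If the host provides logs in a different format (for example JSON lines from a CDN), only LOG_RE needs to change; the summary logic is the same. A single scripted user agent issuing Store API calls within a few seconds of hitting localised checkout paths is the fingerprint the advisory describes.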
Update (17 March, 2026): research and forensic analysis by Bogumił Milewski (LinkedIn) shows that, in the investigated cases, fake WooCommerce orders were part of the exploit chain and not just a coincidence.
Based on forensic analysis of two real-world attacks observed on 9 March 2026 and 13 March 2026, the fake WooCommerce orders were not a coincidence in those cases. They were the delivery mechanism for the XSS exploit on vulnerable plugin versions.
Important: this issue has been fully patched in the current versions of PixelYourSite Free and PixelYourSite Professional. On updated sites, this specific vulnerability is no longer present, and orders of this type are not dangerous by themselves. We strongly recommend updating the plugin to the latest version immediately.
The forensic review also indicates that some fake or failed orders created before the patch may still contain suspicious data left behind from earlier exploitation attempts. For this reason, if your site was running a vulnerable version before updating, we recommend reviewing existing order records for suspicious values in pys_enrich_data.
You can use the following database query to identify potentially affected records:
SELECT order_id, meta_value
FROM wp_wc_orders_meta
WHERE meta_key = 'pys_enrich_data'
AND (
meta_value LIKE '%<script%'
OR meta_value LIKE '%onerror%'
OR meta_value LIKE '%javascript:%'
);
This check can help identify older poisoned order records that may still remain in the database from before the patch was installed.
The current plugin versions are fully patched, and these orders are only a risk on sites that were running vulnerable versions before updating.