WP-Safety

CallTrackingMetrics Security & Risk Analysis

wordpress.org/plugins/call-tracking-metrics

CallTrackingMetrics integrates with your WordPress site to provide powerful call tracking and attribution.

3K active installs v2.1.8 PHP 8.2+ WP 6.5+ Updated Feb 16, 2026
advertisingcall-trackingconversation-analyticsgoogle-adsmarketing-attribution
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is CallTrackingMetrics Safe to Use in 2026?

Generally Safe

Score 100/100

CallTrackingMetrics has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago
Risk Assessment

The 'call-tracking-metrics' plugin v2.1.8 exhibits a generally positive security posture, with a strong emphasis on prepared statements for SQL queries and a high percentage of properly escaped output. The absence of known CVEs and recorded vulnerability history suggests a proactive approach to security by the developers or a lack of historical exposure. However, the plugin is not without its risks. The presence of three AJAX handlers without authentication checks represents a significant attack surface that could potentially be exploited. The use of the dangerous `unserialize` function, while not directly tied to a taint flow in this analysis, always carries inherent risks of deserialization vulnerabilities if not handled with extreme caution and strict input validation. While the current taint analysis shows no critical or high severity issues, the single flow with unsanitized paths warrants attention as it could be a precursor to more severe vulnerabilities in future versions or under different attack vectors. In conclusion, the plugin demonstrates good core security practices but requires immediate attention to the unprotected AJAX endpoints and careful monitoring of the `unserialize` function's usage.

Key Concerns

  • Unprotected AJAX handlers detected
  • Use of dangerous unserialize function
  • Flow with unsanitized paths found
Vulnerabilities
None known

CallTrackingMetrics Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

CallTrackingMetrics Code Analysis

Dangerous Functions
2
Raw SQL Queries
6
17 prepared
Unescaped Output
110
382 escaped
Nonce Checks
40
Capability Checks
14
File Operations
13
External Requests
5
Bundled Libraries
1

Dangerous Functions Found

unserialize$urls = is_array($fieldValue) ? $fieldValue : (is_serialized($fieldValue) ? unserialize($fieldValue)src\Service\GFService.php:461
unserialize$arrayValue = is_array($fieldValue) ? $fieldValue : (is_serialized($fieldValue) ? unserialize($fieldsrc\Service\GFService.php:491

Bundled Libraries

Guzzle

SQL Query Safety

74% prepared23 total queries

Output Escaping

78% escaped492 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

12 flows1 with unsanitized paths
ajaxLoadMoreLogs (call-tracking-metrics.php:1275)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
3 unprotected

CallTrackingMetrics Attack Surface

Entry Points40
Unprotected3

AJAX Handlers 40

authwp_ajax_ctm_get_form_logscall-tracking-metrics.php:1169
authwp_ajax_ctm_clear_form_logscall-tracking-metrics.php:1170
authwp_ajax_ctm_get_form_log_statscall-tracking-metrics.php:1171
authwp_ajax_ctm_load_more_logscall-tracking-metrics.php:1194
authwp_ajax_ctm_load_more_dayscall-tracking-metrics.php:1195
authwp_ajax_ctm_test_api_connectionsrc\Admin\Ajax\ApiAjax.php:73
authwp_ajax_ctm_simulate_api_requestsrc\Admin\Ajax\ApiAjax.php:74
authwp_ajax_ctm_change_api_keyssrc\Admin\Ajax\ApiAjax.php:76
authwp_ajax_ctm_disable_apisrc\Admin\Ajax\ApiAjax.php:78
authwp_ajax_ctm_fetch_tracking_scriptsrc\Admin\Ajax\ApiAjax.php:80
authwp_ajax_ctm_get_available_formssrc\Admin\Ajax\FormImportAjax.php:67
authwp_ajax_ctm_import_formsrc\Admin\Ajax\FormImportAjax.php:68
authwp_ajax_ctm_preview_formsrc\Admin\Ajax\FormImportAjax.php:69
authwp_ajax_ctm_sync_formsrc\Admin\Ajax\FormImportAjax.php:70
authwp_ajax_ctm_update_formsrc\Admin\Ajax\FormImportAjax.php:71
authwp_ajax_ctm_preview_wp_formsrc\Admin\Ajax\FormImportAjax.php:72
authwp_ajax_ctm_get_form_usagesrc\Admin\Ajax\FormUsageAjax.php:42
authwp_ajax_ctm_clear_form_usage_cachesrc\Admin\Ajax\FormUsageAjax.php:43
authwp_ajax_ctm_get_form_logssrc\Admin\Ajax\LogAjax.php:30
authwp_ajax_ctm_clear_form_logssrc\Admin\Ajax\LogAjax.php:31
authwp_ajax_ctm_get_form_log_statssrc\Admin\Ajax\LogAjax.php:32
authwp_ajax_ctm_clear_all_logssrc\Admin\Ajax\LogAjax.php:33
authwp_ajax_ctm_get_recent_errorssrc\Admin\Ajax\LogAjax.php:34
authwp_ajax_ctm_get_error_rate_statssrc\Admin\Ajax\LogAjax.php:35
authwp_ajax_ctm_update_log_settingssrc\Admin\Ajax\LogAjax.php:36
authwp_ajax_ctm_load_more_group_entriessrc\Admin\Ajax\LogAjax.php:37
authwp_ajax_ctm_health_checksrc\Admin\Ajax\SystemAjax.php:32
authwp_ajax_ctm_analyze_issuesrc\Admin\Ajax\SystemAjax.php:33
authwp_ajax_ctm_email_system_infosrc\Admin\Ajax\SystemAjax.php:34
authwp_ajax_ctm_refresh_system_infosrc\Admin\Ajax\SystemAjax.php:35
authwp_ajax_ctm_auto_fix_issuessrc\Admin\Ajax\SystemAjax.php:36
authwp_ajax_ctm_full_diagnosticsrc\Admin\Ajax\SystemAjax.php:37
authwp_ajax_ctm_security_scansrc\Admin\Ajax\SystemAjax.php:38
authwp_ajax_ctm_performance_analysissrc\Admin\Ajax\SystemAjax.php:39
authwp_ajax_ctm_export_diagnostic_reportsrc\Admin\Ajax\SystemAjax.php:40
authwp_ajax_ctm_get_performance_metricssrc\Admin\Ajax\SystemPerformanceAjax.php:31
authwp_ajax_ctm_performance_analysissrc\Admin\Ajax\SystemPerformanceAjax.php:32
authwp_ajax_ctm_test_performancesrc\Admin\Ajax\SystemPerformanceAjax.php:33
authwp_ajax_wp_ajax_testsrc\Admin\Ajax\SystemPerformanceAjax.php:34
authwp_ajax_ctm_security_scansrc\Admin\Ajax\SystemSecurityAjax.php:31
WordPress Hooks 27
actionadmin_noticescall-tracking-metrics.php:60
actioninitcall-tracking-metrics.php:220
actionadmin_noticescall-tracking-metrics.php:253
actionadmin_initcall-tracking-metrics.php:267
actionadmin_menucall-tracking-metrics.php:268
actionwp_headcall-tracking-metrics.php:281
actioninitcall-tracking-metrics.php:284
actionadmin_menucall-tracking-metrics.php:287
actionwp_footercall-tracking-metrics.php:290
actionwp_footercall-tracking-metrics.php:291
actionadmin_enqueue_scriptscall-tracking-metrics.php:295
actionadmin_enqueue_scriptscall-tracking-metrics.php:309
actionwp_dashboard_setupcall-tracking-metrics.php:467
actionwpcf7_before_send_mailcall-tracking-metrics.php:574
filtergform_validationcall-tracking-metrics.php:580
actiongform_after_submissioncall-tracking-metrics.php:582
filtergform_validation_messagecall-tracking-metrics.php:584
actionadmin_initcall-tracking-metrics.php:1680
actionadmin_noticescall-tracking-metrics.php:1706
actionadmin_footercall-tracking-metrics.php:1718
actionadmin_initctm.php:12
actionadmin_headsrc\Admin\Options.php:211
actionadmin_noticessrc\Admin\Options.php:214
actionadmin_noticessrc\Admin\Options.php:942
actionadmin_noticessrc\Admin\Options.php:971
actionadmin_noticessrc\Admin\Options.php:1094
actionadmin_noticessrc\Admin\Options.php:1115
Maintenance & Trust

CallTrackingMetrics Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 16, 2026
PHP min version8.2
Downloads125K

Community Trust

Rating74/100
Number of ratings3
Active installs3K
Alternatives

CallTrackingMetrics Alternatives

RedPic ADS Manager Lite

RedPic ADS Manager Lite

rp-ads-manager

A
85

JS/HTML ads block manager. Allows you to create and insert blocks of code anywhere on the blog.

40 No CVEs
AdNgin-Adsense Revenue Optimization

AdNgin-Adsense Revenue Optimization

adngin-your-adsense-your-traffic-maximized-revenue-for-free

A
85

Your AdSense, Your Traffic, Maximized Revenue

10 No CVEs
AdScale AI Ads Meta/Google Ads

AdScale AI Ads Meta/Google Ads

adscale-ai

A
100

Scale WooCommerce sales with AI advertising. AI that builds audiences, Creating winning ads, launches Google & Meta ads, and optimizes ROAS 24/7.

10 No CVEs
LH Multisite Ads

LH Multisite Ads

lh-multisite-ads

A
85

Allows you to insert ads after paragraphs of your post content, throughout your multisite network.

10 No CVEs
REXADZ Monetization

REXADZ Monetization

rexadz-monetization

A
85

REXADZ is a simple and user-friendly ad solution that makes you money by automatically displaying targeted ads to your website visitors.

10 No CVEs
Developer Profile

CallTrackingMetrics Developer Profile

taf2

2 plugins · 3K total installs

89
trust score
Avg Security Score
93/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect CallTrackingMetrics

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/call-tracking-metrics/assets/js/ctm-script.js/wp-content/plugins/call-tracking-metrics/assets/css/ctm-styles.css
Script Paths
/wp-content/plugins/call-tracking-metrics/assets/js/ctm-script.js
Version Parameters
call-tracking-metrics/assets/js/ctm-script.js?ver=call-tracking-metrics/assets/css/ctm-styles.css?ver=

HTML / DOM Fingerprints

CSS Classes
ctm-field-mappingctm-log-tablectm-admin-options
HTML Comments
<!-- CTMS: Plugin active -->
Data Attributes
data-ctm-iddata-ctm-phone-fielddata-ctm-form-id
JS Globals
window.ctm_ajax_objectctm_ajax_object.ajax_urlctm_ajax_object.noncectm_ajax_object.ctm_api_url
REST Endpoints
/wp-json/call-tracking-metrics/v1/log/wp-json/call-tracking-metrics/v1/usage
Shortcode Output
[ctm_tracking_script]
FAQ

Frequently Asked Questions about CallTrackingMetrics