CallRail Phone Call Tracking Security & Risk Analysis

wordpress.org/plugins/callrail-phone-call-tracking

Dynamically swap CallRail tracking phone numbers based on the visitor's referring source.

10K active installs · v0.5.3 · PHP + WP 3.0+ · Updated Feb 11, 2026
Tags: adwords, analytics, call-tracking, conversion-tracking, seo

Score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Oct 24, 2023
Safety Verdict

Is CallRail Phone Call Tracking Safe to Use in 2026?

Generally Safe

Score 99/100

CallRail Phone Call Tracking has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Oct 24, 2023 · Updated 1mo ago
Risk Assessment

The plugin exhibits some good security practices, particularly in its avoidance of dangerous functions, the use of prepared statements for all SQL queries, and a generally high rate of output escaping. However, there are significant concerns regarding its attack surface. The presence of a REST API route without a permission callback represents a clear entry point that is not adequately protected, potentially allowing unauthorized access or manipulation of plugin functionality. While the taint analysis did not reveal any critical or high-severity unsanitized flows in this specific version, the past vulnerability history, including two medium-severity Cross-Site Scripting (XSS) vulnerabilities, suggests a recurring pattern of input sanitization weaknesses. The fact that these past vulnerabilities are now patched is positive, but the historical data warrants vigilance. Overall, the plugin has strengths in its internal code handling but requires attention to its external interfaces to mitigate risks.

Key Concerns

  • REST API route without permission callback
  • Historical XSS vulnerabilities
Vulnerabilities: 2

CallRail Phone Call Tracking Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2023: 1 CVE

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2023-5051 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CallRail Phone Call Tracking <= 0.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Oct 24, 2023 · Patched in 0.5.3 (91d)

CVE-2022-36796 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CallRail Phone Call Tracking <= 0.4.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Sep 1, 2022 · Patched in 0.4.10 (509d)
Code Analysis
Analyzed Mar 16, 2026

CallRail Phone Call Tracking Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 1 (6 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

86% escaped (7 total outputs)

Data Flows: all sanitized

Data Flow Analysis

2 flows
callrail_options (callrail.php:83)
Attack Surface: 1 unprotected

CallRail Phone Call Tracking Attack Surface

Entry Points: 2
Unprotected: 1

REST API Routes 1

POST /wp-json/calltrk/v1/store (callrail.php:27)

Shortcodes 1

[callrail_form] (callrail.php:17)
WordPress Hooks 5
action admin_menu (callrail.php:11)
action admin_notices (callrail.php:12)
action wp_footer (callrail.php:13)
action rest_api_init (callrail.php:15)
filter sanitize_option_masked_id_and_access_key (callrail.php:19)
Maintenance & Trust

CallRail Phone Call Tracking Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 11, 2026
PHP min version:
Downloads: 358K

Community Trust

Rating: 74/100
Number of ratings: 6
Active installs: 10K
Developer Profile

CallRail Phone Call Tracking Developer Profile

CallRail

1 plugin · 10K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 300 days
Detection Fingerprints

How We Detect CallRail Phone Call Tracking

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/callrail-phone-call-tracking/swap.js
Script Paths
//cdn.callrail.com/companies/[escaped_api_key]/wp-0-5-3/swap.js
Version Parameters
callrail-phone-call-tracking/style.css?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- CallRail WordPress Integration -->
Data Attributes
id="cr-form-
class="regular-text code"
JS Globals
window.crwpVer
REST Endpoints
/calltrk/v1/store
Shortcode Output
<div id="cr-form-</div>
FAQ

Frequently Asked Questions about CallRail Phone Call Tracking