WP-Safety

Campaign URL Builder Security & Risk Analysis

wordpress.org/plugins/campaign-url-builder

Generate link for Analytics tools like Google Analytics and a short link.

200 active installs v1.8.2 PHP + WP 3.0.1+ Updated Feb 15, 2023
analyticsgoogle-analyticslink-generatortracking-linkutm
84
B · Generally Safe
CVEs total2
Unpatched0
Last CVEFeb 16, 2023
Plugin page Download
Safety Verdict

Is Campaign URL Builder Safe to Use in 2026?

Mostly Safe

Score 84/100

Campaign URL Builder is generally safe to use though it hasn't been updated recently. 2 past CVEs were resolved.

2 known CVEsLast CVE: Feb 16, 2023Updated 3yr ago
Risk Assessment

The "campaign-url-builder" plugin v1.8.2 presents a mixed security posture. While the static analysis reveals a limited attack surface with no exposed AJAX handlers or REST API routes without authentication, and a moderate percentage of properly escaped output, there are significant concerns regarding its database interaction and historical vulnerability patterns. The plugin performs a substantial number of SQL queries without using prepared statements, which is a major risk for SQL injection vulnerabilities. Additionally, the presence of historical medium severity Cross-Site Scripting (XSS) vulnerabilities, even though currently unpatched, suggests a pattern of input sanitization weaknesses that warrant caution.

Despite the absence of critical or high severity taint flows in the static analysis and the fact that all known CVEs are currently patched, the reliance on raw SQL and the history of XSS issues indicate potential areas for future exploitation if not addressed proactively. The plugin demonstrates good practices in controlling its attack surface, but the fundamental insecure handling of database queries is a critical weakness that cannot be overlooked. Therefore, while the immediate threat may be mitigated by current patching, the underlying code quality concerning SQL security and past XSS issues suggests a moderate to high risk for ongoing vigilance.

Key Concerns

  • SQL queries without prepared statements
  • History of medium severity XSS vulnerabilities
  • Moderate output unescaped (30%)
Vulnerabilities
2 published

Campaign URL Builder Security Vulnerabilities

CVEs by Year

2 CVEs in 2023
2023
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2023-0538medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Campaign URL Builder <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Feb 16, 2023 Patched in 1.8.2 (341d)
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-buildermedium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Campaign URL Builder <= 1.8.1 - Authenticated (Admin+) Stored Cross-Site Scripting via Create Link

Feb 15, 2023 Patched in 1.8.2 (342d)
Version History

Campaign URL Builder Release Timeline

v1.8.2Current
v1.8.12 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
v1.8.02 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
v1.7.02 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
v1.6.02 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
v1.5.02 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
v1.4.32 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
v1.4.22 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
v1.4.12 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
v1.4.0.12 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
v1.4.02 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
v1.3.12 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
v1.3.02 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
v1.2.12 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
v1.2.02 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
v1.1.02 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
v1.0.12 CVEs
WF-06294c35-6d58-4270-b143-757831fc5da6-campaign-url-builder CVE-2023-0538
Code Analysis
Analyzed Mar 16, 2026

Campaign URL Builder Code Analysis

Dangerous Functions
0
Raw SQL Queries
13
0 prepared
Unescaped Output
38
88 escaped
Nonce Checks
6
Capability Checks
7
File Operations
1
External Requests
3
Bundled Libraries
0

SQL Query Safety

0% prepared13 total queries

Output Escaping

70% escaped126 total outputs
Attack Surface

Campaign URL Builder Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[Campaign-URL-Builder] public\class-reatlat_cub-public.php:201
WordPress Hooks 13
filterplugin_row_metaadmin\class-reatlat_cub-admin.php:342
actionplugins_loadedincludes\class-reatlat_cub.php:50
actionadmin_menuincludes\class-reatlat_cub.php:60
actionadd_meta_boxesincludes\class-reatlat_cub.php:63
actionadd_meta_boxesincludes\class-reatlat_cub.php:64
actionplugins_loadedincludes\class-reatlat_cub.php:69
actionadmin_enqueue_scriptsincludes\class-reatlat_cub.php:70
actionadmin_enqueue_scriptsincludes\class-reatlat_cub.php:71
actionadmin_noticesincludes\class-reatlat_cub.php:72
actionadmin_footerincludes\class-reatlat_cub.php:73
actioninitincludes\class-reatlat_cub.php:86
actionwp_enqueue_scriptsincludes\class-reatlat_cub.php:93
actionwp_enqueue_scriptsincludes\class-reatlat_cub.php:94
Maintenance & Trust

Campaign URL Builder Maintenance & Trust

Maintenance Signals

WordPress version tested6.1.10
Last updatedFeb 15, 2023
PHP min version
Downloads12K

Community Trust

Rating100/100
Number of ratings8
Active installs200
Alternatives

Campaign URL Builder Alternatives

utm.codes

utm.codes

utm-dot-codes

A
100

A WordPress plugin that makes building analytics friendly links quick and easy.

400 No CVEs
UTM Generator

UTM Generator

tru-utm-generator

A
85

Generate UTM links

10 No CVEs
UTM Code Generator for Google Analytics Tracking URL

UTM Code Generator for Google Analytics Tracking URL

utm-generator

A
85

In order to make the visitors tracking easy, Google analytics created the UTM tracker, for this reason

10 No CVEs
Rakam Link Tracking

Rakam Link Tracking

rakam-link-tracking

A
85

An Extension for WordPress that allows you to Link Tracking.

0 No CVEs
UTM – URL Builder for GA4

UTM – URL Builder for GA4

utm-url-builder-ga4

A
85

Add a UTM & URL builder to your site for GA4.

0 No CVEs
Developer Profile

Campaign URL Builder Developer Profile

Alex Zappa

3 plugins · 600 total installs

69
trust score
Avg Security Score
85/100
Avg Patch Time
342 days
View full developer profile
Detection Fingerprints

How We Detect Campaign URL Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/campaign-url-builder/css/cub.css/wp-content/plugins/campaign-url-builder/js/cub.js
Script Paths
/wp-content/plugins/campaign-url-builder/js/cub.js
Version Parameters
campaign-url-builder/css/cub.css?ver=campaign-url-builder/js/cub.js?ver=

HTML / DOM Fingerprints

CSS Classes
cub-shortcode-output
Data Attributes
data-cub-form-id
JS Globals
cub_ajax_url
Shortcode Output
<div class="cub-shortcode-output">
FAQ

Frequently Asked Questions about Campaign URL Builder