
Comment Location Tracker Security & Risk Analysis
wordpress.org/plugins/comment-ip-trace
Traces the IP of comment authors in WordPress on the comments admin page.
Is Comment Location Tracker Safe to Use in 2026?
Generally Safe
Score 85/100
Comment Location Tracker has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The 'comment-ip-trace' plugin exhibits a mixed security posture. On the positive side, it has a very small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events. All SQL queries are correctly using prepared statements, and there are no known past vulnerabilities, suggesting a generally stable development history.
However, the static analysis raises significant concerns. The plugin calls 'unserialize', a known risk vector, especially when handling data from untrusted sources. The taint analysis reveals 4 flows with unsanitized paths, 2 of them high severity, indicating potential for data manipulation or unauthorized actions if malicious input reaches these paths. Furthermore, none of the plugin's output is escaped (0% output escaping), so any data the plugin processes or displays could be vulnerable to cross-site scripting (XSS) attacks. The plugin also has no nonce or capability checks. It currently exposes zero entry points that would need them, but their absence is a structural weakness that could become a problem if the attack surface expands in future versions.
While the plugin has a clean vulnerability history and a small attack surface, the high-severity findings in the taint analysis and the complete lack of output escaping present a considerable risk. The use of 'unserialize' without clear sanitization of the input data is particularly concerning. The current lack of exploitation may be due to the limited attack surface, but the inherent risks are present and should be addressed.
Key Concerns
- High severity taint flows found
- Unsanitized paths in taint flows
- Dangerous function 'unserialize' used
- 0% output escaping
- No nonce checks
- No capability checks
Comment Location Tracker Security Vulnerabilities
Comment Location Tracker Code Analysis
Dangerous Functions Found
SQL Query Safety
Output Escaping
Data Flow Analysis
Comment Location Tracker Attack Surface
WordPress Hooks 6
Maintenance & Trust
Comment Location Tracker Maintenance & Trust
Maintenance Signals
Community Trust
Comment Location Tracker Alternatives
Customized Recent Comments
customized-recent-comments
Display recent comments on your blog with complete control over the layout and format of comments.
Featured Comments
feature-comments
Lets the admin add "featured" or "buried" css class to selected comments. Handy to highlight comments that add value to your post.
Actify
actify
A plugin that boosts readers’ interaction with the online content, by allowing them to perform a series of actions.
Additional Plugins Descriptions
additional-plugins-descriptions
Allows you to write additional descriptions for plugins.
Akismet Anti-spam: Spam Protection
akismet
The best anti-spam protection to block spam comments and spam in a contact form. The most trusted antispam solution for WordPress and WooCommerce.
Comment Location Tracker Developer Profile
2 plugins · 30 total installs
How We Detect Comment Location Tracker
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/comment-ip-trace/css/cit-style.css
- /wp-content/plugins/comment-ip-trace/js/cit-admin.js
- /wp-content/plugins/comment-ip-trace/js/cit-frontend.js
- comment-ip-trace/css/cit-style.css?ver=
- comment-ip-trace/js/cit-admin.js?ver=
- comment-ip-trace/js/cit-frontend.js?ver=
HTML / DOM Fingerprints
- cit-admin-comment-details
- <!-- $$ Mind is Money $$ -->
- data-cit-admin-comment-details