CP Referrer and Conversion Tracking Security & Risk Analysis

wordpress.org/plugins/cp-referrer-and-conversions-tracking

CP Referrer and Conversion Tracking registers how the website visitors reached the website, identifying the referral website. It also tracks conversions.

400 active installs · v1.01.28 · PHP + WP 4.0+ · Updated Jan 26, 2026
Tags: conversion, logs, referer, referrer, stats
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is CP Referrer and Conversion Tracking Safe to Use in 2026?

Generally Safe

Score 100/100

CP Referrer and Conversion Tracking has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The "cp-referrer-and-conversions-tracking" plugin version 1.01.28 exhibits a generally strong security posture with several good practices observed. The absence of external HTTP requests, file operations, and a low proportion of SQL queries not using prepared statements are positive indicators. Furthermore, the plugin demonstrates robust output escaping and a significant number of capability checks, suggesting a thoughtful approach to sanitization and access control.

However, the static analysis reveals potential areas of concern. The presence of five instances of the `unserialize` function is a notable risk, as it can lead to object injection vulnerabilities if not handled with extreme care and input validation. Additionally, the taint analysis indicates two high-severity flows with unsanitized paths, which could be exploited for various attacks. While the plugin has no recorded vulnerability history, the presence of these code signals warrants caution.

In conclusion, while the plugin has a clean vulnerability record and implements many security best practices, the identified `unserialize` usage and high-severity taint flows represent specific risks that should be thoroughly investigated and mitigated. The lack of direct entry points with missing authentication is a strength, but the internal code risks remain.

Key Concerns

  • Dangerous function 'unserialize' used 5 times
  • Taint analysis: 2 high severity flows
  • Taint analysis: 3 unsanitized paths
Vulnerabilities
None known

CP Referrer and Conversion Tracking Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

CP Referrer and Conversion Tracking Code Analysis

Dangerous Functions: 5
Raw SQL Queries: 9 (50 prepared)
Unescaped Output: 18 (370 escaped)
Nonce Checks: 2
Capability Checks: 9
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

  • cp-admin-int-message-list.inc.php:185: `$data = unserialize($events[$i]->data);`
  • cp-admin-int-report.inc.php:74: `$params = unserialize($item->posted_data);`
  • cp-main-class.inc.php:271: `$data = unserialize($logs[0]->data);`
  • cp-main-class.inc.php:375: `$data = unserialize($item->data);`
  • cp-main-class.inc.php:516: `$data = unserialize($item->posted_data);`

SQL Query Safety

85% prepared · 59 total queries

Output Escaping

95% escaped · 388 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

9 flows · 3 with unsanitized paths
<cp-admin-int-conversions-list.inc> (cp-admin-int-conversions-list.inc.php:0)
Attack Surface

CP Referrer and Conversion Tracking Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 37

  • action `init` (addons\abc.addon.php:33)
  • action `cpabc_process_data_before_insert` (addons\abc.addon.php:37)
  • action `cpabc_process_data` (addons\abc.addon.php:39)
  • action `init` (addons\ahb.addon.php:33)
  • action `cpappb_process_data_before_insert` (addons\ahb.addon.php:37)
  • action `cpappb_process_data` (addons\ahb.addon.php:39)
  • action `init` (addons\bccf.addon.php:33)
  • action `dexbccf_process_data_before_insert` (addons\bccf.addon.php:37)
  • action `dexbccf_process_data` (addons\bccf.addon.php:39)
  • action `wpcf7_before_send_mail` (addons\cf7.addon.php:35)
  • action `cpcff_process_data_before_insert` (addons\cff.addon.php:37)
  • action `cpcff_process_data` (addons\cff.addon.php:39)
  • action `init` (addons\cfte.addon.php:33)
  • action `cfte_process_data_before_insert` (addons\cfte.addon.php:37)
  • action `cfte_process_data` (addons\cfte.addon.php:39)
  • action `init` (addons\cfwpp.addon.php:33)
  • action `cpcfwpp_process_data_before_insert` (addons\cfwpp.addon.php:37)
  • action `cpcfwpp_process_data` (addons\cfwpp.addon.php:39)
  • action `init` (addons\cppolls.addon.php:33)
  • action `cppolls_process_data_before_insert` (addons\cppolls.addon.php:37)
  • action `cppolls_process_data` (addons\cppolls.addon.php:39)
  • action `init` (addons\userregistration.addon.php:33)
  • action `user_register` (addons\userregistration.addon.php:37)
  • action `cpappb_process_data_before_insert` (addons\woocommerce.addon.php:35)
  • action `woocommerce_admin_order_data_after_billing_address` (addons\woocommerce.addon.php:37)
  • action `woocommerce_new_order` (addons\woocommerce.addon.php:39)
  • action `init` (addons\wptsbk.addon.php:33)
  • action `cptslotsb_process_data_before_insert` (addons\wptsbk.addon.php:37)
  • action `cptslotsb_process_data` (addons\wptsbk.addon.php:39)
  • action `admin_bar_menu` (banner.php:104)
  • action `init` (cp-referrer-tracking-plugin.php:60)
  • action `cpreftrack_register_conversion` (cp-referrer-tracking-plugin.php:61)
  • filter `cpreftrack_referrer` (cp-referrer-tracking-plugin.php:62)
  • filter `cron_schedules` (cp-referrer-tracking-plugin.php:65)
  • action `cpreftrack_del_old_hook_fmin` (cp-referrer-tracking-plugin.php:69)
  • action `admin_enqueue_scripts` (cp-referrer-tracking-plugin.php:74)
  • action `admin_menu` (cp-referrer-tracking-plugin.php:76)

Scheduled Events 1

cpreftrack_del_old_hook_fmin
Maintenance & Trust

CP Referrer and Conversion Tracking Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 26, 2026
PHP min version
Downloads: 14K

Community Trust

Rating: 94/100
Number of ratings: 12
Active installs: 400
Developer Profile

CP Referrer and Conversion Tracking Developer Profile

codepeople

34 plugins · 89K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 964 days
Detection Fingerprints

How We Detect CP Referrer and Conversion Tracking

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cp-referrer-and-conversions-tracking/addons/cp-referrer-tracking-admin.js
/wp-content/plugins/cp-referrer-and-conversions-tracking/addons/cp-referrer-tracking-admin.css
/wp-content/plugins/cp-referrer-and-conversions-tracking/cp-referrer-tracking-public.js
/wp-content/plugins/cp-referrer-and-conversions-tracking/cp-referrer-tracking-public.css
Script Paths
/wp-content/plugins/cp-referrer-and-conversions-tracking/addons/cp-referrer-tracking-admin.js
/wp-content/plugins/cp-referrer-and-conversions-tracking/cp-referrer-tracking-public.js
Version Parameters
cp-referrer-and-conversions-tracking/addons/cp-referrer-tracking-admin.js?ver=
cp-referrer-and-conversions-tracking/addons/cp-referrer-tracking-admin.css?ver=
cp-referrer-and-conversions-tracking/cp-referrer-tracking-public.js?ver=
cp-referrer-and-conversions-tracking/cp-referrer-tracking-public.css?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- BEGIN CP_REFERRER_TRACKING -->
JS Globals
window.cp_reftrack_prefix