WP-Safety

Issues Tracker Security & Risk Analysis

wordpress.org/plugins/issues-tracker

Issues Tracker allows you view and search WordPress logs, receive security advice, track 404 errors, and view your server settings.

50 active installs v1.16 PHP 5.4+ WP 4.6+ Updated Dec 2, 2024
debugerror-trackingloggingsecuritywp_debug
92
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Issues Tracker Safe to Use in 2026?

Generally Safe

Score 92/100

Issues Tracker has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1yr ago
Risk Assessment

The "issues-tracker" plugin v1.16 exhibits significant security concerns primarily due to a large, unprotected attack surface and inadequate output escaping. With 20 AJAX handlers, all lacking authentication checks, any unauthenticated user could potentially interact with these endpoints. This is further exacerbated by the taint analysis, which reveals 7 flows with unsanitized paths, including 4 of high severity, indicating potential for code injection or manipulation. The limited proper output escaping (18%) suggests a high risk of Cross-Site Scripting (XSS) vulnerabilities across many output points.

While the plugin has no recorded CVEs or bundled outdated libraries aside from Freemius v1.0 which is generally well-maintained, this positive history should not overshadow the immediate risks identified in the static analysis. The absence of capability checks on AJAX handlers is a critical oversight. The plugin demonstrates some good practices by using prepared statements for most SQL queries and including a single nonce check, but these are insufficient to mitigate the overarching security gaps. The conclusion is that this plugin, in its current state, presents a substantial security risk that requires immediate attention, particularly regarding the unprotected AJAX endpoints and the identified taint flows.

Key Concerns

  • All AJAX handlers lack auth checks
  • High severity unsanitized taint flows
  • Many unsanitized path taint flows
  • Low percentage of properly escaped output
  • No capability checks on AJAX handlers
  • Bundled Freemius v1.0 library
Vulnerabilities
None known

Issues Tracker Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Issues Tracker Code Analysis

Dangerous Functions
0
Raw SQL Queries
4
14 prepared
Unescaped Output
94
21 escaped
Nonce Checks
1
Capability Checks
0
File Operations
16
External Requests
3
Bundled Libraries
2

Bundled Libraries

DataTablesFreemius1.0

SQL Query Safety

78% prepared18 total queries

Output Escaping

18% escaped115 total outputs
Data Flows
7 unsanitized

Data Flow Analysis

9 flows7 with unsanitized paths
istkr_404_recheck_path (controllers\404Controller.php:266)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
20 unprotected

Issues Tracker Attack Surface

Entry Points20
Unprotected20

AJAX Handlers 20

authwp_ajax_istkr_get_log_datacontrollers\HooksController.php:20
authwp_ajax_istkr_get_log_statcontrollers\HooksController.php:21
authwp_ajax_istkr_run_checkcontrollers\HooksController.php:23
authwp_ajax_istkr_change_advisor_notifications_statuscontrollers\HooksController.php:24
authwp_ajax_istkr_log_viewer_clear_logcontrollers\HooksController.php:27
authwp_ajax_istkr_log_viewer_download_logcontrollers\HooksController.php:28
authwp_ajax_istkr_change_log_viewer_notifications_statuscontrollers\HooksController.php:29
authwp_ajax_istkr_log_viewer_live_updatecontrollers\HooksController.php:30
authwp_ajax_istkr_log_viewer_enable_loggingcontrollers\HooksController.php:32
authwp_ajax_istkr_toggle_debug_modecontrollers\HooksController.php:36
authwp_ajax_istkr_toggle_debug_scriptscontrollers\HooksController.php:39
authwp_ajax_istkr_toggle_debug_log_scriptscontrollers\HooksController.php:42
authwp_ajax_istkr_toggle_display_errorscontrollers\HooksController.php:45
authwp_ajax_istkr_get_404_logcontrollers\HooksController.php:52
authwp_ajax_istkr_change_404_notifications_statuscontrollers\HooksController.php:53
authwp_ajax_istkr_get_current_user_emailcontrollers\HooksController.php:54
authwp_ajax_istkr_get_404_countcontrollers\HooksController.php:55
authwp_ajax_istkr_404_clear_logcontrollers\HooksController.php:57
authwp_ajax_istkr_404_recheck_pathcontrollers\HooksController.php:58
authwp_ajax_istkr_404_remove_pathcontrollers\HooksController.php:59
WordPress Hooks 7
actionadmin_enqueue_scriptscontrollers\HooksController.php:16
actiontemplate_redirectcontrollers\HooksController.php:51
actionadmin_initcontrollers\HooksController.php:65
actionadmin_noticescontrollers\HooksController.php:67
actionadmin_initcontrollers\HooksController.php:70
actionadmin_headcontrollers\HooksController.php:98
actionadmin_menucontrollers\MenuController.php:10
Maintenance & Trust

Issues Tracker Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5
Last updatedDec 2, 2024
PHP min version5.4
Downloads4K

Community Trust

Rating100/100
Number of ratings3
Active installs50
Alternatives

Issues Tracker Alternatives

Log Deprecated Notices

Log Deprecated Notices

log-deprecated-notices

A
85

Logs the usage of deprecated files, functions, and function arguments, and identifies where the deprecated functionality is being used.

1K No CVEs
Log Deprecated Notices Extender

Log Deprecated Notices Extender

log-deprecated-notices-extender

A
85

This developer-oriented WordPress plugin extends Andrew Nacin's Log Deprecated Notices to show a link in the WP 3.3+ Toolbar.

10 No CVEs
MilesWeb Tools

MilesWeb Tools

milesweb-tools

A
100

MilesWeb Tools is a powerful WordPress plugin designed to enhance your site's functionality and security. It helps you manage security settings, …

7K No CVEs
Developer Loggers for Simple History

Developer Loggers for Simple History

developer-loggers-for-simple-history

A
99

Useful loggers for SimpleHistory for developers during development of a site or to maintain a live site.

400 1 CVE
Debug Bar – Enable WP_DEBUG from admin dashboard

Debug Bar – Enable WP_DEBUG from admin dashboard

enable-wp-debug-from-admin-dashboard

A
92

[ ✅ 𝐒𝐄𝐂𝐔𝐑𝐄 𝐏𝐋𝐔𝐆𝐈𝐍𝐒 b𝓎 𝒫𝓊𝓋𝑜𝓍] You can easily enable WP_DEBUG using a toolbar button. READ DESCRIPTION!

200 1 CVE
Developer Profile

Issues Tracker Developer Profile

Oleksandr Lysyi

2 plugins · 1K total installs

85
trust score
Avg Security Score
96/100
Avg Patch Time
44 days
View full developer profile
Detection Fingerprints

How We Detect Issues Tracker

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/issues-tracker/assets/css/themes/dark-mode.css/wp-content/plugins/issues-tracker/assets/css/themes/default.css/wp-content/plugins/issues-tracker/assets/css/variables.css/wp-content/plugins/issues-tracker/assets/css/issues-tracker.css/wp-content/plugins/issues-tracker/assets/js/issues-tracker.js
Script Paths
/wp-content/plugins/issues-tracker/assets/js/issues-tracker.js
Version Parameters
issues-tracker/assets/css/themes/dark-mode.css?ver=issues-tracker/assets/css/themes/default.css?ver=issues-tracker/assets/css/variables.css?ver=issues-tracker/assets/css/issues-tracker.css?ver=issues-tracker/assets/js/issues-tracker.js?ver=

HTML / DOM Fingerprints

CSS Classes
istkr-tableistkr-log-vieweristkr-advisoristkr-404
Data Attributes
data-type="issues-tracker"
JS Globals
issues_tracker_ajax_object
REST Endpoints
/wp-json/issues-tracker/v1/log/wp-json/issues-tracker/v1/advisor/wp-json/issues-tracker/v1/404
FAQ

Frequently Asked Questions about Issues Tracker