WP-Safety

Point Tracker Security & Risk Analysis

wordpress.org/plugins/point-tracker

This plugin will allow site admins to create challenges and then participants can enter their activity.

0 active installs v1.6 PHP 5.6+ WP 4.4.2+ Updated Dec 31, 2018
challengecontentteam-activities
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Point Tracker Safe to Use in 2026?

Generally Safe

Score 85/100

Point Tracker has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago
Risk Assessment

The "point-tracker" plugin v1.6 presents a mixed security posture. While the absence of known CVEs and critical taint analysis findings is positive, several areas raise concerns. A significant attack surface exists with 9 unprotected AJAX handlers, which are prime targets for unauthorized actions. The low percentage of properly escaped output (12%) suggests a high risk of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the site. Additionally, the plugin relies on the bundled DataTables v1.10.9 library, which is considerably outdated and may contain known security flaws that are unpatched in this plugin.

Although the plugin demonstrates good practices in using prepared statements for SQL queries (82%) and has a reasonable number of capability checks (16), these strengths are overshadowed by the identified weaknesses. The lack of taint flow findings is encouraging but doesn't negate the inherent risks from unprotected AJAX endpoints and widespread output escaping issues. The vulnerability history being clean is a good sign, but it cannot compensate for the immediate, observable risks within the codebase. Overall, this plugin requires significant attention to address the unprotected entry points and output sanitization to mitigate potential security breaches.

Key Concerns

  • Unprotected AJAX handlers
  • Low output escaping percentage
  • Bundled outdated DataTables library
Vulnerabilities
None known

Point Tracker Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Point Tracker Release Timeline

v1.6Current
v1.5.1
v1.5
v1.4
v1.3.1
v1.3
v1.2
v1.1
v1.0
Code Analysis
Analyzed Mar 17, 2026

Point Tracker Code Analysis

Dangerous Functions
0
Raw SQL Queries
27
122 prepared
Unescaped Output
113
16 escaped
Nonce Checks
5
Capability Checks
16
File Operations
0
External Requests
0
Bundled Libraries
1

Bundled Libraries

DataTables1.10.9

SQL Query Safety

82% prepared149 total queries

Output Escaping

12% escaped129 total outputs
Attack Surface
9 unprotected

Point Tracker Attack Surface

Entry Points24
Unprotected9

AJAX Handlers 21

authwp_ajax_get-activitiesincludes\ajax\activity-ajax.php:2
authwp_ajax_get-activity-detailsincludes\ajax\activity-ajax.php:3
authwp_ajax_save-activityincludes\ajax\activity-ajax.php:4
authwp_ajax_delete-activityincludes\ajax\activity-ajax.php:5
authwp_ajax_ac-groupincludes\ajax\activity-ajax.php:6
authwp_ajax_get-challengeincludes\ajax\challenge-ajax.php:2
authwp_ajax_save-challengeincludes\ajax\challenge-ajax.php:3
authwp_ajax_delete-challengeincludes\ajax\challenge-ajax.php:4
authwp_ajax_pt-get-widget-dataincludes\ajax\challenge-ajax.php:5
authwp_ajax_get-logincludes\ajax\entry-ajax.php:3
authwp_ajax_save-entryincludes\ajax\entry-ajax.php:4
authwp_ajax_delete-participant-activityincludes\ajax\entry-ajax.php:5
noprivwp_ajax_save-entryincludes\ajax\entry-ajax.php:8
noprivwp_ajax_get-my-activityincludes\ajax\entry-ajax.php:9
noprivwp_ajax_delete-participant-activityincludes\ajax\entry-ajax.php:10
authwp_ajax_get-participantsincludes\ajax\participant-ajax.php:2
authwp_ajax_approve-participantincludes\ajax\participant-ajax.php:3
authwp_ajax_remove-participantincludes\ajax\participant-ajax.php:4
authwp_ajax_add-participantincludes\ajax\participant-ajax.php:5
authwp_ajax_join-challengeincludes\ajax\participant-ajax.php:6
authwp_ajax_clear-participantsincludes\ajax\participant-ajax.php:7

Shortcodes 3

[challenge] public\class-point-tracker-public.php:65
[challenge_list] public\class-point-tracker-public.php:69
[my_activity] public\class-point-tracker-public.php:73
WordPress Hooks 7
actionplugins_loadedincludes\class-point-tracker.php:160
actionadmin_enqueue_scriptsincludes\class-point-tracker.php:174
actionadmin_enqueue_scriptsincludes\class-point-tracker.php:175
actionadmin_menuincludes\class-point-tracker.php:177
actionwp_dashboard_setupincludes\class-point-tracker.php:179
actionwp_enqueue_scriptsincludes\class-point-tracker.php:193
actionwp_enqueue_scriptsincludes\class-point-tracker.php:194
Maintenance & Trust

Point Tracker Maintenance & Trust

Maintenance Signals

WordPress version tested5.0.25
Last updatedDec 31, 2018
PHP min version5.6
Downloads2K

Community Trust

Rating0/100
Number of ratings0
Active installs0
Alternatives

Point Tracker Alternatives

Yoast SEO – Advanced SEO with real-time guidance and built-in AI

Yoast SEO – Advanced SEO with real-time guidance and built-in AI

wordpress-seo

A
89

Improve your SEO with real-time feedback, schema, and clear guidance. Upgrade for AI tools, Google Docs integration, and 24/7 support, no hidden fees.

10.0M 18 CVEs
Custom Post Type UI

Custom Post Type UI

custom-post-type-ui

A
93

Admin UI for creating custom content types like post types and taxonomies

1.0M 4 CVEs
One Click Demo Import

One Click Demo Import

one-click-demo-import

A
98

Import your demo content, widgets and theme settings with one click. Theme authors! Enable simple theme demo import for your users.

1.0M 2 CVEs
Easy Table of Contents

Easy Table of Contents

easy-table-of-contents

A
95

Adds a user friendly and fully automatic way to create and display a table of contents generated from the page content.

600K 6 CVEs
Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content

Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content

password-protected

A
96

Protect your WordPress site, pages, posts, WooCommerce products, and categories with single or multiple passwords.

300K 5 CVEs
Developer Profile

Point Tracker Developer Profile

Ryan

1 plugin · 0 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Point Tracker

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/point-tracker/css/point-tracker-admin.min.css/wp-content/plugins/point-tracker/includes/jquery-ui-1.12.1/jquery-ui.min.css/wp-content/plugins/point-tracker/includes/datatables/DataTables-1.10.9/css/jquery.dataTables.min.css/wp-content/plugins/point-tracker/includes/datatables/Buttons-1.0.3/css/buttons.dataTables.min.css/wp-content/plugins/point-tracker/includes/font-awesome/font-awesome-v5.2.0.min.css/wp-content/plugins/point-tracker/js/point-tracker-admin.min.js/wp-content/plugins/point-tracker/includes/spin/spin.min.js/wp-content/plugins/point-tracker/includes/datatables/DataTables-1.10.9/js/jquery.dataTables.min.js+9 more
Script Paths
/wp-content/plugins/point-tracker/js/point-tracker-admin.min.js
Version Parameters
point-tracker-admin.min.css?ver=point-tracker-admin.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
point-tracker-admin-core
JS Globals
my_object
FAQ

Frequently Asked Questions about Point Tracker