
Track Everything Security & Risk Analysis
wordpress.org/plugins/track-everything
Track Everything makes using Google Analytics on a WordPress site easy. Attach tracking to forms, links, or any CSS selector.
Is Track Everything Safe to Use in 2026?
Use With Caution
Score 63/100
Track Everything has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.
The 'track-everything' plugin version 2.0.1 presents a mixed security posture. On one hand, the static analysis shows a commendable absence of dangerous functions, raw SQL queries, file operations, and external HTTP requests. Furthermore, it boasts a small attack surface with no apparent AJAX handlers, REST API routes, shortcodes, or cron events exposed without proper checks.
However, significant concerns arise from the lack of output escaping, with 0% of outputs being properly escaped. This is a critical weakness that can lead to Cross-Site Scripting (XSS) vulnerabilities. The taint analysis also reveals "flows with unsanitized paths," indicating potential avenues for malicious data injection, even though no critical or high-severity issues were flagged in this specific analysis. The vulnerability history is particularly alarming, with a known medium-severity CVE that is currently unpatched. The pattern of past vulnerabilities, specifically CSRF, suggests a history of security oversights that need to be addressed.
In conclusion, while the plugin has strengths in limiting its attack surface and avoiding certain dangerous coding practices, the lack of output escaping and the presence of an unpatched vulnerability are serious risks. The plugin's security is significantly undermined by these weaknesses. Users should exercise extreme caution and prioritize patching the existing vulnerability and addressing the output sanitization issues.
Key Concerns
- Unpatched CVE
- 0% Output Escaping
- Unsanitized paths in Taint Analysis
Track Everything Security Vulnerabilities
CVEs by Year
Severity Breakdown
1 total CVE
Track Everything <= 2.0.1 - Cross-Site Request Forgery
Track Everything Code Analysis
Output Escaping
Data Flow Analysis
Track Everything Attack Surface
WordPress Hooks 5
Track Everything Maintenance & Trust
Maintenance Signals
Community Trust
Track Everything Alternatives
Track a click on Google Analytics
track-a-click-on-google-analytics
A simple shortcode to insert Google Analytics event tracking code on your links
Komito Analytics
komito-analytics
Komito Analytics is a free, open-source enhancement for the most popular web analytics software.
GA Google Analytics – Connect Google Analytics to WordPress
ga-google-analytics
Adds Google Analytics tracking code to your WordPress site. Supports many tracking features.
Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing
woocommerce-google-adwords-conversion-tracking-tag
Conversion tracking for WooCommerce. Google Ads, GA4, Meta/Facebook Pixel, TikTok & more. Recover 30% more conversions with server-side tracking!
Conversios: Google Analytics (GA4), Google Ads, Conversion and Analytics Tracking for Multi-Channels
enhanced-e-commerce-for-woocommerce-store
Track GA4 Analytics, Google Ads, Microsoft Ads, & Conversion with server-side tracking (CAPI) & product feed to improve ROAS, reports for WooCommerce.
Track Everything Developer Profile
1 plugin · 70 total installs
How We Detect Track Everything
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/track-everything/js/jquery.track-everything.js
- /wp-content/plugins/track-everything/js/script.js
- /wp-content/plugins/track-everything/css/admin.css
- js/jquery.track-everything.js
- js/script.js
- js/admin.js
- js/thanks.js
- track-everything/js/jquery.track-everything.js?ver=1.0.0
- track-everything/js/script.js?ver=
- track-everything/css/admin.css?ver=
HTML / DOM Fingerprints
window.trackeverything