Does Track The Click have any unpatched vulnerabilities?

No. All known vulnerabilities in Track The Click have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Track The Click compatible with WordPress 6.6.5?

According to WordPress.org data, Track The Click 0.4.0 has been tested up to WordPress 6.6.5. Check the plugin's changelog for the latest compatibility information.

Is Track The Click compatible with PHP 7.0+?

Track The Click requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Track The Click updated?

Track The Click was last updated on Sep 5, 2024. Frequent updates are generally a positive security signal.

What is Track The Click's security score?

Track The Click has a WP-Safety security score of 91/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Track The Click Security & Risk Analysis

wordpress.org/plugins/track-the-click

Track how many clicks your links get.

8K active installs v0.4.0 PHP 7.0+ WP + Updated Sep 5, 2024

click-trackinglinkreferralseotrack-outbound-link

A · Safe

CVEs total1

Unpatched0

Last CVESep 26, 2023

Download

Safety Verdict

Is Track The Click Safe to Use in 2026?

Generally Safe

Score 91/100

Track The Click has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Sep 26, 2023Updated 1yr ago

Risk Assessment

The 'track-the-click' plugin v0.4.0 exhibits a mixed security posture. While it demonstrates good practices in output escaping (94%) and uses prepared statements for a high percentage of its SQL queries (86%), there are significant areas of concern. The presence of a dangerous function like 'exec' is a red flag, as it can be exploited for command injection if not handled with extreme care. Furthermore, the plugin exposes 3 REST API routes, with 2 of them lacking permission callbacks, creating a substantial attack surface that is accessible without proper authentication. This is compounded by a complete absence of nonce checks, a fundamental security mechanism in WordPress.

The vulnerability history indicates a past high-severity SQL injection vulnerability, which is concerning given the number of SQL queries and the presence of 'exec'. Although this vulnerability is currently patched, the history suggests a potential for such issues. The taint analysis showing zero flows with unsanitized paths is positive, but it's important to remember that taint analysis is not exhaustive, especially for older or less complex code. The overall risk is moderate, primarily driven by the unprotected REST API endpoints and the presence of 'exec'.

Key Concerns

REST API routes without permission callbacks
Dangerous function found (exec)
No nonce checks
Vulnerability history (1 high)
SQL queries without prepared statements

Vulnerabilities

Track The Click Security Vulnerabilities

CVEs by Year

1 CVE in 2023

2023

Patched Has unpatched

Severity Breakdown

High

1 total CVE

CVE-2023-5041high · 8.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Track The Click <= 0.3.11 - Authenticated (Author+) SQL Injection via 'stats' REST Endpoint

Sep 26, 2023 Patched in 0.3.12 (119d)

Code Analysis

Analyzed Mar 16, 2026

Track The Click Code Analysis

Dangerous Functions

Raw SQL Queries

24 prepared

Unescaped Output

75 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

execif ( exec( 'timedatectl | grep zone', $output, $return ) ) {admin\class-track-the-click-admin.php:849

SQL Query Safety

86% prepared28 total queries

Output Escaping

94% escaped80 total outputs

Attack Surface

2 unprotected

Track The Click Attack Surface

Entry Points3

Unprotected2

REST API Routes 3

GET/wp-json/track-the-click/v1/statsadmin\class-track-the-click-admin.php:803

GET/wp-json/track-the-click/v3/click/(?P<cachebreak>\d+)public\class-track-the-click-public.php:179

GET/wp-json/track-the-click/v3/getpagelinkclicks/(?P<cachebreak>\d+)public\class-track-the-click-public.php:218

WordPress Hooks 21

actionplugins_loadedincludes\class-track-the-click.php:176

actionadmin_enqueue_scriptsincludes\class-track-the-click.php:191

actionadmin_enqueue_scriptsincludes\class-track-the-click.php:192

actionadmin_menuincludes\class-track-the-click.php:194

actionadmin_menuincludes\class-track-the-click.php:195

actionadmin_menuincludes\class-track-the-click.php:196

actionadmin_initincludes\class-track-the-click.php:197

actionupdate_option_track_the_click_licenseincludes\class-track-the-click.php:199

actionwp_dashboard_setupincludes\class-track-the-click.php:201

actionrest_api_initincludes\class-track-the-click.php:203

actionwp_enqueue_scriptsincludes\class-track-the-click.php:218

actionwp_enqueue_scriptsincludes\class-track-the-click.php:219

filterscript_loader_tagincludes\class-track-the-click.php:220

actionrest_api_initincludes\class-track-the-click.php:222

actionrest_api_initincludes\class-track-the-click.php:223

actiontrack_the_click_delete_old_dataincludes\class-track-the-click.php:225

filterpre_set_site_transient_update_pluginsincludes\EDD_SL_Plugin_Updater.php:75

filterplugins_apiincludes\EDD_SL_Plugin_Updater.php:76

actionafter_plugin_rowincludes\EDD_SL_Plugin_Updater.php:77

actionadmin_initincludes\EDD_SL_Plugin_Updater.php:78

actionplugins_loadedtrack-the-click.php:88

Scheduled Events 1

track_the_click_delete_old_data

Maintenance & Trust

Track The Click Maintenance & Trust

Maintenance Signals

WordPress version tested6.6.5

Last updatedSep 5, 2024

PHP min version7.0

Downloads68K

Community Trust

Rating94/100

Number of ratings18

Active installs8K

Alternatives

Track The Click Alternatives

Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links

broken-link-checker-seo

Broken Link Checker by AIOSEO ensures all links on your website are working. Check your site for broken links and easily fix them to improve SEO.

300K 3 CVEs

LuckyWP Table of Contents

luckywp-table-of-contents

Creates SEO-friendly table of contents for your posts/pages. Works automatically or manually (via shortcode, Gutenberg block or widget).

100K 5 CVEs

Internal Link Juicer: SEO Auto Linker for WordPress

internal-links

Improve your SEO and your user experience through internal linkbuilding. Automated links between your posts based on a smart keyword configuration.

90K 2 CVEs

Redirect 404 to Homepage

404-to-homepage

100

Redirect 404 missing pages to the homepage using SEO 301 redirection. Super lightweight!

70K No CVEs

Link Whisper Free

link-whisper

The AI-powered internal linking plugin for WordPress. Build internal links faster, find linking opportunities, and improve SEO automatically.

30K 2 unpatched

Developer Profile

Track The Click Developer Profile

tracktheclick

1 plugin · 8K total installs

trust score

Avg Security Score

91/100

Avg Patch Time

119 days

View full developer profile

Detection Fingerprints

How We Detect Track The Click

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/track-the-click/css/track-the-click-admin.css/wp-content/plugins/track-the-click/css/jquery-ui.css/wp-content/plugins/track-the-click/js/track-the-click-admin.js

Script Paths

/wp-content/plugins/track-the-click/js/track-the-click-admin.js

Version Parameters

track-the-click-admin.css?ver=track-the-click-admin.js?ver=

HTML / DOM Fingerprints

JS Globals

ajax_var

REST Endpoints

/wp-json/track-the-click/v1/clicks

FAQ