
WP-Click-Tracker Security & Risk Analysis
wordpress.org/plugins/wp-click-trackTracks link clicks from hrefs in posts and pages. REQUIRES PHP at least 5.2
Is WP-Click-Tracker Safe to Use in 2026?
Use With Caution
Score 64/100WP-Click-Tracker has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.
The wp-click-track plugin exhibits a mixed security posture. While it demonstrates good practices in its use of prepared statements for SQL queries and avoids common attack vectors like direct file operations and external HTTP requests, significant concerns arise from its output escaping and taint analysis. The extremely low percentage of properly escaped outputs suggests a high risk of Cross-Site Scripting (XSS) vulnerabilities, especially given that 100% of analyzed taint flows had unsanitized paths. The presence of 5 high-severity taint flows is particularly alarming and points to potential injection issues.
The plugin's vulnerability history, while showing only one medium CVE, is concerning due to its recent nature (2025-07-14) and the indication of a past XSS vulnerability type. The fact that this CVE is currently unpatched further exacerbates the risk. The lack of nonce checks on any entry points, coupled with only two capability checks across the entire code, means that many potential actions within the plugin might be susceptible to unauthorized execution if an attacker can leverage the identified output escaping and taint flow weaknesses.
In conclusion, the plugin has some strengths in its foundational security for database interactions but suffers from critical weaknesses in output sanitization and handling of potentially untrusted input. The combination of widespread unsanitized taint flows, poor output escaping, and an unpatched vulnerability creates a substantial risk profile that requires immediate attention. The minimal attack surface in terms of exposed handlers and routes is a mitigating factor, but it does not negate the severity of the identified code-level risks.
Key Concerns
- Unpatched CVE
- High severity taint flows (5)
- Taint flows with unsanitized paths (100%)
- Low proper output escaping (7%)
- No nonce checks on entry points
- Limited capability checks (2)
WP-Click-Tracker Security Vulnerabilities
CVEs by Year
Severity Breakdown
1 total CVE
WP-Click-Tracker <= 0.7.3 - Reflected Cross-Site Scripting
WP-Click-Tracker Release Timeline
WP-Click-Tracker Code Analysis
SQL Query Safety
Output Escaping
Data Flow Analysis
WP-Click-Tracker Attack Surface
WordPress Hooks 26
Maintenance & Trust
WP-Click-Tracker Maintenance & Trust
Maintenance Signals
Community Trust
WP-Click-Tracker Alternatives
Linker – URL shortener & track outbound link clicks
linker
Track Outbound Link Clicks Easily: Shorten & track your site links by using your own domain name. e.g. "your-domain.com/go/link"
Linkt – A Plugin for Affiliate Links, Branded Links and Custom Link Tracking & Management
linkt
Simplify your affiliate link management and tracking with Linkt, the ultimate WordPress plugin for creating, categorizing, and analyzing your website …
ShortLinks Pro – Affiliate Links, Link Shortening, Click Tracking & Marketing
shortlinkspro
Shorten, track, manage and share any URL using your own domain name!
Link Visit Counter
link-visit-counter
Track and monitor clicks on links within your website using a simple, professional WordPress plugin with an admin interface.
Affiliate Link Click Tracker
custom-link-click-tracker
Track affiliate, internal, or external link clicks for your given URL prefix. Get post title, link url, device type, and click time for analysis.
WP-Click-Tracker Developer Profile
3 plugins · 110 total installs
How We Detect WP-Click-Tracker
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/wp-click-track/js/ajax.jswp-click-track/style.css?ver=wp-click-track/admin.css?ver=wp-click-track/js/ajax.js?ver=HTML / DOM Fingerprints
sackajax