WP-Click-Tracker Security & Risk Analysis

wordpress.org/plugins/wp-click-track

Tracks link clicks from hrefs in posts and pages. REQUIRES PHP at least 5.2

90 active installs v0.7.3 PHP + WP 2.6+ Updated Apr 16, 2011
clickclickslinklinkstracking
64
C · Use Caution
CVEs total1
Unpatched1
Last CVEJul 14, 2025
Safety Verdict

Is WP-Click-Tracker Safe to Use in 2026?

Use With Caution

Score 64/100

WP-Click-Tracker has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Jul 14, 2025Updated 15yr ago
Risk Assessment

The wp-click-track plugin exhibits a mixed security posture. While it demonstrates good practices in its use of prepared statements for SQL queries and avoids common attack vectors like direct file operations and external HTTP requests, significant concerns arise from its output escaping and taint analysis. The extremely low percentage of properly escaped outputs suggests a high risk of Cross-Site Scripting (XSS) vulnerabilities, especially given that 100% of analyzed taint flows had unsanitized paths. The presence of 5 high-severity taint flows is particularly alarming and points to potential injection issues.

The plugin's vulnerability history, while showing only one medium CVE, is concerning due to its recent nature (2025-07-14) and the indication of a past XSS vulnerability type. The fact that this CVE is currently unpatched further exacerbates the risk. The lack of nonce checks on any entry points, coupled with only two capability checks across the entire code, means that many potential actions within the plugin might be susceptible to unauthorized execution if an attacker can leverage the identified output escaping and taint flow weaknesses.

In conclusion, the plugin has some strengths in its foundational security for database interactions but suffers from critical weaknesses in output sanitization and handling of potentially untrusted input. The combination of widespread unsanitized taint flows, poor output escaping, and an unpatched vulnerability creates a substantial risk profile that requires immediate attention. The minimal attack surface in terms of exposed handlers and routes is a mitigating factor, but it does not negate the severity of the identified code-level risks.

Key Concerns

  • Unpatched CVE
  • High severity taint flows (5)
  • Taint flows with unsanitized paths (100%)
  • Low proper output escaping (7%)
  • No nonce checks on entry points
  • Limited capability checks (2)
Vulnerabilities
1 published

WP-Click-Tracker Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched
2025
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2025-49954medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP-Click-Tracker <= 0.7.3 - Reflected Cross-Site Scripting

Jul 14, 2025Unpatched
Version History

WP-Click-Tracker Release Timeline

No version history available.
Code Analysis
Analyzed Mar 16, 2026

WP-Click-Tracker Code Analysis

Dangerous Functions
0
Raw SQL Queries
2
49 prepared
Unescaped Output
105
8 escaped
Nonce Checks
0
Capability Checks
2
File Operations
0
External Requests
1
Bundled Libraries
0

SQL Query Safety

96% prepared51 total queries

Output Escaping

7% escaped113 total outputs
Data Flows · Security
14 unsanitized

Data Flow Analysis

14 flows14 with unsanitized paths
wpct_mod_link_form (admin.inc.php:30)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

WP-Click-Tracker Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 26
actioninitclick-tracker.php:552
actionedit_form_advancedclick-tracker.php:557
actionedit_page_formclick-tracker.php:558
actionadmin_headclick-tracker.php:561
actionadmin_menuclick-tracker.php:562
actionwp_headclick-tracker.php:564
actioninitclick-tracker.php:565
actionadmin_initclick-tracker.php:566
actionadmin_initclick-tracker.php:567
actionwp_headclick-tracker.php:570
actionplugins_loadedclick-tracker.php:571
filterget_archives_linkclick-tracker.php:575
filterwp_list_bookmarksclick-tracker.php:579
filterget_comment_author_linkclick-tracker.php:583
filterthe_excerptclick-tracker.php:587
filterthe_contentclick-tracker.php:591
filterthe_meta_keyclick-tracker.php:595
filtercomment_textclick-tracker.php:599
filternext_post_linkclick-tracker.php:603
filterprevious_post_linkclick-tracker.php:604
filterthe_tagsclick-tracker.php:608
filterthe_categoryclick-tracker.php:612
filterwp_list_categoriesclick-tracker.php:613
actionwp_footerclick-tracker.php:617
actionwp_dashboard_setupclick-tracker.php:623
filtercontextual_helpcontextual_help.php:124
Maintenance & Trust

WP-Click-Tracker Maintenance & Trust

Maintenance Signals

WordPress version tested3.1.4
Last updatedApr 16, 2011
PHP min version
Downloads32K

Community Trust

Rating60/100
Number of ratings2
Active installs90
Developer Profile

WP-Click-Tracker Developer Profile

mithra62

3 plugins · 110 total installs

79
trust score
Avg Security Score
78/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WP-Click-Tracker

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-click-track/js/ajax.js
Version Parameters
wp-click-track/style.css?ver=wp-click-track/admin.css?ver=wp-click-track/js/ajax.js?ver=

HTML / DOM Fingerprints

JS Globals
sackajax
FAQ

Frequently Asked Questions about WP-Click-Tracker