WP-Safety

Wp Tracking Codes Security & Risk Analysis

wordpress.org/plugins/wp-tracking-codes

The tracking codes in one place. Support: Google Tag Manager, GA 4 Global Tag, Google ADS Remarketing Global Tag,Google Merchant Reviews,Facebook Pixe …

900 active installs v1.9.3 PHP 7.2+ WP 5.2.0+ Updated Oct 29, 2024
adsfacebookga4gtmtracking-codes
92
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Wp Tracking Codes Safe to Use in 2026?

Generally Safe

Score 92/100

Wp Tracking Codes has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1yr ago
Risk Assessment

The "wp-tracking-codes" v1.9.3 plugin exhibits a strong security posture based on the provided static analysis. The absence of identified AJAX handlers, REST API routes, shortcodes, and cron events significantly limits the potential attack surface. Furthermore, the code demonstrates good practices with no dangerous functions, no file operations, no external HTTP requests, and SQL queries exclusively using prepared statements. The high percentage of properly escaped output is also a positive indicator. The plugin also has no recorded vulnerabilities, which is a strong testament to its security over time.

While the lack of identified taint flows and critical security signals is reassuring, the complete absence of nonce and capability checks across all entry points (even though the stated entry points are zero) represents a potential concern. If any entry points were to be introduced in future versions or through hooks, they would be entirely unprotected without these fundamental security mechanisms. This is a generalized weakness rather than a specific exploit found in the current version.

In conclusion, the plugin appears to be well-secured in its current state, with a clean vulnerability history and good coding practices observed in the static analysis. The primary area for improvement or caution lies in the potential lack of robust authentication and authorization checks should the attack surface expand. However, based on the current data, the risk is assessed as low.

Key Concerns

  • No nonce checks implemented
  • No capability checks implemented
Vulnerabilities
None known

Wp Tracking Codes Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Wp Tracking Codes Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
2
26 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

93% escaped28 total outputs
Attack Surface

Wp Tracking Codes Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 15
actionadmin_menuincludes\class-register-codes.php:32
actionadmin_initincludes\class-register-codes.php:33
actionwp_headincludes\class-render-data-layer-gtm.php:32
actionadmin_noticesincludes\class-render-data-layer-gtm.php:38
actionwp_footerincludes\class-render-google-merchant.php:33
actionadmin_noticesincludes\class-render-google-merchant.php:40
actioninitwp-tracking-codes.php:55
actionwp_headwp-tracking-codes.php:59
actionwp_footerwp-tracking-codes.php:61
actionwp_headwp-tracking-codes.php:63
actionwp_headwp-tracking-codes.php:65
filtertemplate_includewp-tracking-codes.php:66
filterwp_body_openwp-tracking-codes.php:67
actionbefore_woocommerce_initwp-tracking-codes.php:68
actionplugins_loadedwp-tracking-codes.php:235
Maintenance & Trust

Wp Tracking Codes Maintenance & Trust

Maintenance Signals

WordPress version tested6.6.5
Last updatedOct 29, 2024
PHP min version7.2
Downloads28K

Community Trust

Rating100/100
Number of ratings4
Active installs900
Alternatives

Wp Tracking Codes Alternatives

Server Side Tracking via GTM for Google Analytics 4, Meta Conversions API & Google Ads

Server Side Tracking via GTM for Google Analytics 4, Meta Conversions API & Google Ads

server-side-tagging-via-google-tag-manager-for-wordpress

A
100

Fix missing WooCommerce conversions using server-side GTM tracking. Improve GA4, Google Ads & Meta Conversions API accuracy.

20 No CVEs
TrackSharp: Server-Side GA4 Tracking + Attribution Audit for WooCommerce

TrackSharp: Server-Side GA4 Tracking + Attribution Audit for WooCommerce

tracksharp

A
100

Secure server-side GA4 tracking for WooCommerce + a built-in Audit Dashboard to detect Google Ads & Meta attribution risks.

0 No CVEs
GTM4WP – A Google Tag Manager (GTM) plugin for WordPress

GTM4WP – A Google Tag Manager (GTM) plugin for WordPress

duracelltomi-google-tag-manager

A
98

Advanced tag management for WordPress with Google Tag Manager

700K 3 CVEs
Meta pixel for WordPress

Meta pixel for WordPress

official-facebook-pixel

A
98

Grow your business with Meta for WordPress!

400K 2 CVEs
Kliken: Ads + Pixel for Meta

Kliken: Ads + Pixel for Meta

kliken-ads-pixel-for-meta

A
100

Drive Sales on Facebook and Instagram in 5 minutes—upload your catalog, implement the Meta Pixel & Conversions API, and grow via Meta Advantage+ now.

50K No CVEs
Developer Profile

Wp Tracking Codes Developer Profile

Heitor_tito

1 plugin · 900 total installs

88
trust score
Avg Security Score
92/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Wp Tracking Codes

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-tracking-codes/assets/js/main.js
Script Paths
https://www.googletagmanager.com/gtag/js?id=https://connect.facebook.net/en_US/fbevents.jshttps://www.googletagmanager.com/gtm.js?id=
Version Parameters
wp-tracking-codes/assets/js/main.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- Global site tag (gtag.js) - Google Analytics --><!-- Global site tag (gtag.js) - Google Ads --><!-- Facebook Pixel Code --><!-- End Facebook Pixel Code -->+4 more
JS Globals
dataLayergtagfbq
FAQ

Frequently Asked Questions about Wp Tracking Codes