Platform: wordpress
Component: mma-call-tracking
Fixed in: 2.3.16
CVE-2026-1215 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the MMA Call Tracking plugin for WordPress. This flaw allows unauthenticated attackers to modify call tracking configuration settings if they can trick a site administrator into performing an action, such as clicking a malicious link. The vulnerability affects versions 0.0.0 through 2.3.15, and a patch is available in version 2.3.16.
The primary impact of this CSRF vulnerability is the potential for unauthorized modification of call tracking configuration settings. An attacker could manipulate these settings to redirect calls to a different number, alter tracking parameters, or disable call recording. This could lead to financial losses, data breaches (if call recordings contain sensitive information), and reputational damage. The attack requires the administrator to be tricked into clicking a malicious link, but successful exploitation could have significant consequences for the website and its users.
This vulnerability was publicly disclosed on 2026-02-11. No public proof-of-concept exploits are currently known. The vulnerability is not listed in the CISA KEV catalog at the time of writing. The relatively low CVSS score suggests a lower probability of widespread exploitation, but the ease of exploitation (requiring only social engineering) warrants prompt remediation.
Exploit Status
EPSS: 0.01% (0% percentile)
The recommended mitigation is to immediately upgrade the MMA Call Tracking plugin to version 2.3.16 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out requests to the mmacalltracking_menu admin page that lack proper nonce validation. While not a complete solution, this can provide a temporary layer of protection. Regularly review WordPress plugin configurations for any unexpected changes and educate administrators about the risks of clicking on suspicious links.
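As an added example (not code from the plugin or from this advisory), the following Python script supports the review step above by scanning web-server access logs for POST requests to the mmacalltracking_menu admin page whose Referer is missing or points at another host, a common trace of a forged cross-site request. It assumes combined log format and that settings are saved by a POST to a `/wp-admin/` URL carrying `page=mmacalltracking_menu`; the function name, the host `example.test` and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip - user [time] "METHOD target PROTO" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)
PAGE_SLUG = "mmacalltracking_menu"  # admin page named in the advisory


def suspicious_settings_posts(lines, site_host):
    """Return (time, ip, referer) for POSTs to the plugin's admin page whose
    Referer is missing or names another host. Heuristic only: a hit is a
    lead for review, not proof of a forged request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":  # assumption: settings change via POST
            continue
        target = urlsplit(m["target"])
        if not target.path.startswith("/wp-admin/"):
            continue
        if PAGE_SLUG not in parse_qs(target.query).get("page", []):
            continue
        ref_host = urlsplit(m["referer"]).hostname  # None for "-" or empty
        if ref_host is None or ref_host.lower() != site_host.lower():
            hits.append((m["time"], m["ip"], m["referer"]))
    return hits


# Constructed sample lines (not real traffic); example.test is a placeholder site.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2026:10:01:00 +0000] "POST /wp-admin/admin.php?page=mmacalltracking_menu HTTP/1.1" 200 512 "https://example.test/wp-admin/admin.php?page=mmacalltracking_menu" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Feb/2026:10:02:00 +0000] "POST /wp-admin/admin.php?page=mmacalltracking_menu HTTP/1.1" 200 512 "https://other.example/promo.html" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Feb/2026:10:03:00 +0000] "POST /wp-admin/admin.php?page=mmacalltracking_menu HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Feb/2026:10:04:00 +0000] "GET /wp-admin/admin.php?page=mmacalltracking_menu HTTP/1.1" 200 9000 "https://other.example/promo.html" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Feb/2026:10:05:00 +0000] "POST /wp-admin/admin.php?page=another_plugin HTTP/1.1" 200 512 "https://other.example/promo.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_settings_posts(SAMPLE_LOG, "example.test"):
        print(hit)
```

Hits should be compared against the plugin's current settings and the administrator's own activity, since privacy tools and some proxies also strip the Referer header.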
CVE-2026-1215 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the MMA Call Tracking plugin for WordPress versions 0.0.0–2.3.15, allowing attackers to modify settings via forged requests.
You are affected if your WordPress site uses the MMA Call Tracking plugin and is running a version prior to 2.3.16. Check your plugin version immediately.
Upgrade the MMA Call Tracking plugin to version 2.3.16 or later to resolve the vulnerability. Consider a WAF as a temporary mitigation.
There are currently no reports of active exploitation, but the ease of exploitation warrants prompt remediation.
Refer to the MMA Call Tracking plugin's official website or WordPress plugin repository for the latest advisory and update information.