Platform: wordpress
Component: mma-call-tracking
Fixed in: 2.3.16
CVE-2026-1215 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the MMA Call Tracking plugin for WordPress. This flaw allows unauthenticated attackers to modify call tracking configuration settings if they can trick a site administrator into performing an action, such as clicking a malicious link. The vulnerability affects versions 0.0.0 through 2.3.15, and a patch is available in version 2.3.16.
The primary impact of this CSRF vulnerability is the potential for unauthorized modification of call tracking configuration settings. An attacker could manipulate these settings to redirect calls to a different number, alter tracking parameters, or disable call recording. This could lead to financial losses, data breaches (if call recordings contain sensitive information), and reputational damage. The attack requires the administrator to be tricked into clicking a malicious link, but successful exploitation could have significant consequences for the website and its users.
This vulnerability was publicly disclosed on 2026-02-11. No public proof-of-concept exploits are currently known. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The relatively low CVSS score suggests a lower probability of widespread exploitation, but the ease of exploitation (requiring only social engineering) warrants prompt remediation.
WordPress websites utilizing the MMA Call Tracking plugin, particularly those with shared hosting environments where plugin updates may be managed by the hosting provider, are at increased risk. Administrators who frequently click on links from untrusted sources are also more vulnerable to exploitation.
• wordpress / composer / npm:
grep -r 'mma_call_tracking_menu' /var/www/html/wp-content/plugins/
wp plugin list | grep mma-call-tracking
• generic web:
curl -sI 'https://example.com/wp-admin/admin.php?page=mma_call_tracking_menu' | grep -i 'referer'
EPSS: 0.01% (percentile 0%)
The recommended mitigation is to immediately upgrade the MMA Call Tracking plugin to version 2.3.16 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out requests to the mma_call_tracking_menu admin page that lack proper nonce validation. While not a complete solution, this can provide a temporary layer of protection. Regularly review WordPress plugin configurations for any unexpected changes and educate administrators about the risks of clicking on suspicious links.
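As a detection-side complement to the WAF rule and the configuration review above, the following added example (not code from this advisory or from the plugin) scans web-server access-log lines for POST requests to the plugin's admin page whose Referer is missing or points to another host. The combined log format, the assumption that settings are saved by a POST to admin.php?page=mma_call_tracking_menu, the function name and the sample lines are all assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

PAGE_SLUG = "mma_call_tracking_menu"  # admin page slug named in this advisory

# Apache/nginx "combined" access-log format (assumed log format).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def suspicious_settings_posts(lines, site_host):
    """Return (timestamp, client_ip, reason) for POSTs to the plugin's admin
    page whose Referer is missing or names a host other than site_host.
    Assumption: settings are saved by a POST to admin.php?page=<PAGE_SLUG>."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        target = urlsplit(m["target"])
        if not target.path.endswith("/wp-admin/admin.php"):
            continue
        if PAGE_SLUG not in parse_qs(target.query).get("page", []):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            # Can also be a privacy setting (Referrer-Policy); a lead, not proof.
            reason = "missing Referer"
        elif (urlsplit(referer).hostname or "").lower() != site_host.lower():
            reason = "cross-origin Referer: " + referer
        else:
            continue  # same-origin form submission
        hits.append((m["ts"], m["ip"], reason))
    return hits

# Constructed sample lines (documentation IP ranges and hosts, not real traffic).
_P = "/wp-admin/admin.php?page=" + PAGE_SLUG
SAMPLE_LOG = [
    f'203.0.113.10 - - [11/Feb/2026:10:01:02 +0000] "GET {_P} HTTP/1.1" 200 5120 "https://example.com/wp-admin/" "Mozilla/5.0"',
    f'203.0.113.10 - - [11/Feb/2026:10:02:30 +0000] "POST {_P} HTTP/1.1" 200 5230 "https://example.com{_P}" "Mozilla/5.0"',
    f'203.0.113.10 - - [11/Feb/2026:14:40:11 +0000] "POST {_P} HTTP/1.1" 200 5230 "https://offsite.example.net/promo.html" "Mozilla/5.0"',
    f'203.0.113.10 - - [11/Feb/2026:15:05:47 +0000] "POST {_P} HTTP/1.1" 200 5230 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [11/Feb/2026:15:09:00 +0000] "POST /wp-admin/admin.php?page=other_plugin HTTP/1.1" 200 900 "https://offsite.example.net/x" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_settings_posts(SAMPLE_LOG, "example.com"):
        print(*hit, sep="  ")
```

Each hit is a prompt to compare the plugin's current settings against the expected values for that time window.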
No known patch available. Please review the vulnerability details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-1215 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the MMA Call Tracking plugin for WordPress versions 0.0.0–2.3.15, allowing attackers to modify settings via forged requests.
You are affected if your WordPress site uses the MMA Call Tracking plugin and is running a version prior to 2.3.16. Check your plugin version immediately.
Upgrade the MMA Call Tracking plugin to version 2.3.16 or later to resolve the vulnerability. Consider a WAF as a temporary mitigation.
There are currently no reports of active exploitation, but the ease of exploitation warrants prompt remediation.
Refer to the MMA Call Tracking plugin's official website or WordPress plugin repository for the latest advisory and update information.