cleantalk
Vulnerabilities and Security Researches

MMA Call Tracking, CVE-2026-1215

CVE, Research URL

CVE-2026-1215

Home page URL

Security reports for MMA Call Tracking

Application

MMA Call Tracking

Published on
Feb 11, 2026
Research Description
The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the `mma_call_tracking_menu` admin page. This makes it possible for unauthenticated attackers to modify call tracking configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 2.3.15.
Status
vulnerable
Previous vulnerability researches
Prodigy Commerce (CVE-2024-54251) , Dec 11, 2024
Prodigy Commerce (CVE-2026-0926) , Apr 15, 2026
Prodigy Commerce (CVE-2024-54250) , Dec 15, 2024
New vulnerability
WP App Bar (CVE-2026-1074) , Apr 16, 2026
EM Cost Calculator (CVE-2026-2506) , Apr 16, 2026
GetGenie – Ai Content Writer with Keyword Research and Competitor Analysis (CVE-2026-1003) , Apr 16, 2026
AI ChatBot with ChatGPT and Content Generator by AYS (CVE-2026-1336) , Apr 16, 2026
Sphere Manager (CVE-2026-1905) , Apr 16, 2026