{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1215", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-19T21:46:26.880Z", "datePublished": "2026-02-11T08:26:25.664Z", "dateUpdated": "2026-04-08T16:53:42.156Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:42.156Z"}, "affected": [{"vendor": "messagemetric", "product": "MMA Call Tracking", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3.15", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the `mma_call_tracking_menu` admin page. This makes it possible for unauthenticated attackers to modify call tracking configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "MMA Call Tracking <= 2.3.15 - Cross-Site Request Forgery to Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5689bd2b-1518-4b3b-81a3-cc92575f6c1f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mma-call-tracking/trunk/mma_call_tracking.php#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/mma-call-tracking/tags/2.3.15/mma_call_tracking.php#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/mma-call-tracking/trunk/mma_call_tracking.php#L967"}, {"url": "https://plugins.trac.wordpress.org/browser/mma-call-tracking/tags/2.3.15/mma_call_tracking.php#L967"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-02-10T20:08:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T15:37:08.232130Z", "id": "CVE-2026-1215", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:44:56.384Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1215", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T15:37:08.232130Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:37:08.928Z"}}], "cna": {"title": "MMA Call Tracking <= 2.3.15 - Cross-Site Request Forgery to Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "messagemetric", "product": "MMA Call Tracking", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.3.15"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-10T20:08:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5689bd2b-1518-4b3b-81a3-cc92575f6c1f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mma-call-tracking/trunk/mma_call_tracking.php#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/mma-call-tracking/tags/2.3.15/mma_call_tracking.php#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/mma-call-tracking/trunk/mma_call_tracking.php#L967"}, {"url": "https://plugins.trac.wordpress.org/browser/mma-call-tracking/tags/2.3.15/mma_call_tracking.php#L967"}], "descriptions": [{"lang": "en", "value": "The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the `mma_call_tracking_menu` admin page. This makes it possible for unauthenticated attackers to modify call tracking configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-11T08:26:25.664Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1215", "state": "PUBLISHED", "dateUpdated": "2026-02-11T15:44:56.384Z", "dateReserved": "2026-01-19T21:46:26.880Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-11T08:26:25.664Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the `mma_call_tracking_menu` admin page. This makes it possible for unauthenticated attackers to modify call tracking configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin MMA Call Tracking para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 2.3.15, inclusive. Esto se debe a la falta de validaci\u00f3n de nonce al guardar la configuraci\u00f3n del plugin en la p\u00e1gina de administraci\u00f3n 'mma_call_tracking_menu'. Esto hace posible que atacantes no autenticados modifiquen la configuraci\u00f3n de seguimiento de llamadas a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-1215", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-11T09:15:51.177", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mma-call-tracking/tags/2.3.15/mma_call_tracking.php#L61"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mma-call-tracking/tags/2.3.15/mma_call_tracking.php#L967"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mma-call-tracking/trunk/mma_call_tracking.php#L61"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mma-call-tracking/trunk/mma_call_tracking.php#L967"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5689bd2b-1518-4b3b-81a3-cc92575f6c1f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.15]"}}], "product": "mma_call_tracking", "vendor": "messagemetric"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:37:24.992713+00:00", "value": {"mitigation_remediation": ["Upgrade the MMA Call Tracking plugin to the latest version, which restores nonce verification on the settings page.", "If an update is not immediately possible, restrict access to the settings page using IP whitelisting or two\u2011factor authentication to prevent attackers from injecting forged requests.", "Review and monitor the plugin\u2019s configuration for unexpected changes and audit admin activity logs for anomalies."], "summary": {"action": "Apply Patch", "impact": "CSRF \u2013 unauthorized settings alteration"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Messagemetric MMA Call Tracking plugin for WordPress in all releases up to and including version 2.3.15. Any WordPress site using this plugin and not yet updated is potentially exposed to the CSRF attack described above.", "description_and_impact": "The MMA Call Tracking plugin for WordPress contains a Cross\u2011Site Request Forgery flaw that allows an unauthenticated attacker to alter plugin settings due to the missing nonce validation on the mma_call_tracking_menu admin page. By forging a request, an attacker can modify configuration parameters such as tracking numbers or callback settings without the site administrator's knowledge. This can disrupt call handling, alter analytics, or downgrade tracking quality, resulting in loss of accurate data potential business impact.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The flaw is not listed in CISA's KEV catalog. Exploitation requires the attacker to convince an administrator to click a malicious link or submit a crafted form that bypasses the nonce check. Because the vulnerability is confined to configuration pages and does not grant arbitrary code execution, the risk is limited to unauthorized changes to call tracking configuration."}}}}, "created": "2026-02-11T21:46:03.830636+00:00", "updated": "2026-04-15T18:45:11.414573+00:00", "vendors": ["messagemetric", "messagemetric$PRODUCT$mma_call_tracking", "wordpress", "wordpress$PRODUCT$wordpress"]}