{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3572", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-04T21:11:07.500Z", "datePublished": "2026-03-20T23:25:12.024Z", "dateUpdated": "2026-04-08T16:56:16.105Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:56:16.105Z"}, "affected": [{"vendor": "iTracker360", "product": "iTracker360", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combined with missing output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}], "title": "iTracker360 <= 2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'itracker_license' Settings Field", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5ef842ad-3d23-4206-af3b-b3f55486766f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/trunk/itracker360.php#L187"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/tags/2.1.9/itracker360.php#L187"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/trunk/itracker360.php#L116"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/tags/2.1.9/itracker360.php#L116"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/trunk/itracker360.php#L115"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/tags/2.1.9/itracker360.php#L115"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-03-18T17:50:28.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-20T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:40:46.739639Z", "id": "CVE-2026-3572", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:41:07.962Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3572", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T13:40:46.739639Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:41:02.815Z"}}], "cna": {"title": "iTracker360 <= 2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'itracker_license' Settings Field", "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "iTracker360", "product": "iTracker360", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-18T17:50:28.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-20T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5ef842ad-3d23-4206-af3b-b3f55486766f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/trunk/itracker360.php#L187"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/tags/2.1.9/itracker360.php#L187"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/trunk/itracker360.php#L116"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/tags/2.1.9/itracker360.php#L116"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/trunk/itracker360.php#L115"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/tags/2.1.9/itracker360.php#L115"}], "descriptions": [{"lang": "en", "value": "The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combined with missing output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-20T23:25:12.024Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3572", "state": "PUBLISHED", "dateUpdated": "2026-03-24T13:41:07.962Z", "dateReserved": "2026-03-04T21:11:07.500Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-20T23:25:12.024Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combined with missing output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin iTracker360 para WordPress es vulnerable a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados lo que lleva a Cross-Site Scripting Almacenado en todas las versiones hasta la 2.2.0 inclusive. Esto se debe a la falta de verificaci\u00f3n de nonce en el env\u00edo del formulario de configuraci\u00f3n y a una sanitizaci\u00f3n de entrada insuficiente combinada con la falta de escape de salida. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios a trav\u00e9s de una petici\u00f3n falsificada siempre que puedan enga\u00f1ar a un administrador para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-3572", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T00:16:28.747", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/itracker360/tags/2.1.9/itracker360.php#L115"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/itracker360/tags/2.1.9/itracker360.php#L116"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/itracker360/tags/2.1.9/itracker360.php#L187"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/itracker360/trunk/itracker360.php#L115"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/itracker360/trunk/itracker360.php#L116"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/itracker360/trunk/itracker360.php#L187"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5ef842ad-3d23-4206-af3b-b3f55486766f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.2.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "iTracker360", "source": "cna", "vendor": "iTracker360"}, "product": "itracker360", "vendor": "itracker360"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T07:25:28.933745+00:00", "value": {"mitigation_remediation": ["Update iTracker360 to the latest version released after 2.2.0.", "If an update is not available, deactivate or uninstall the plugin until a fixed release is available.", "Verify that input handling for the 'itracker_license' field is properly sanitized and escaped in any custom code.", "Regularly review WordPress user activity logs for unusual form submissions.", "Apply general WordPress hardening practices, such as limiting who can perform plugin updates."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting via CSRF"}, "threat_synthesis": {"affected_systems": "Version 2.2.0 and earlier of the iTracker360 WordPress plugin are affected. The flaw exists in the settings handling function that is present in all releases up to the specified version.", "description_and_impact": "The vulnerability allows an unauthenticated attacker to submit a forged request that bypasses nonce verification in the iTracker360 settings page. The input is not sanitized nor escaped, enabling the injection of arbitrary JavaScript that is stored in the 'itracker_license' field and executed whenever an administrator loads the settings form. This results in stored cross\u2011site scripting, which can compromise the confidentiality, integrity, and availability of the site for anyone who can view the page.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity, but because the flaw relies on a CSRF token missing check, an attacker only needs to persuade an administrator to click a crafted link or submit a form. The EPSS score is unavailable and the vulnerability has not yet been catalogued by CISA, so the current attack likelihood may not be high. Nevertheless, if the site has an admin user who can be tricked, the stored XSS can lead to credential theft, session hijacking, or defacement."}}}}, "created": "2026-03-23T09:51:39.724428+00:00", "updated": "2026-03-25T14:33:39.274082+00:00", "vendors": ["itracker360", "itracker360$PRODUCT$itracker360", "wordpress", "wordpress$PRODUCT$wordpress"]}