Cross-Site Request Forgery Vulnerability in MMA Call Tracking Plugin for WordPress
CVE-2026-1215

4.3MEDIUM

Key Information:

Vendor

WordPress
Status
Mma Call Tracking
Vendor
CVE Published:
11 February 2026

What is CVE-2026-1215?

The MMA Call Tracking plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) attacks due to insufficient nonce validation when saving configurations on the admin page. This vulnerability allows attackers to exploit the weakness by crafting a malicious request that, if executed by an unsuspecting site administrator, could result in unauthorized changes to the call tracking settings. Any version of the plugin up to and including 2.3.15 is affected, making it imperative for users to apply vendor-recommended security practices to mitigate possible exploits.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

MMA Call Tracking * <= 2.3.15

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/mma-call-track...
https://plugins.trac.wordpress.org/browser/mma-call-track...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Afnaan
JSON
.