Description
The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combined with missing output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Published: 2026-03-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via CSRF
Action: Patch Immediately
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to submit a forged request that bypasses nonce verification in the iTracker360 settings page. The input is not sanitized nor escaped, enabling the injection of arbitrary JavaScript that is stored in the 'itracker_license' field and executed whenever an administrator loads the settings form. This results in stored cross‑site scripting, which can compromise the confidentiality, integrity, and availability of the site for anyone who can view the page.

Affected Systems

Version 2.2.0 and earlier of the iTracker360 WordPress plugin are affected. The flaw exists in the settings handling function that is present in all releases up to the specified version.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, but because the flaw relies on a CSRF token missing check, an attacker only needs to persuade an administrator to click a crafted link or submit a form. The EPSS score is unavailable and the vulnerability has not yet been catalogued by CISA, so the current attack likelihood may not be high. Nevertheless, if the site has an admin user who can be tricked, the stored XSS can lead to credential theft, session hijacking, or defacement.

Generated by OpenCVE AI on March 21, 2026 at 07:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update iTracker360 to the latest version released after 2.2.0.
  • If an update is not available, deactivate or uninstall the plugin until a fixed release is available.
  • Verify that input handling for the 'itracker_license' field is properly sanitized and escaped in any custom code.
  • Regularly review WordPress user activity logs for unusual form submissions.
  • Apply general WordPress hardening practices, such as limiting who can perform plugin updates.

Generated by OpenCVE AI on March 21, 2026 at 07:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Itracker360
Itracker360 itracker360
Wordpress
Wordpress wordpress
Vendors & Products Itracker360
Itracker360 itracker360
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combined with missing output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Title iTracker360 <= 2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'itracker_license' Settings Field
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Itracker360 Itracker360
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:16.105Z

Reserved: 2026-03-04T21:11:07.500Z

Link: CVE-2026-3572

cve-icon Vulnrichment

Updated: 2026-03-24T13:41:02.815Z

cve-icon NVD

Status : Deferred

Published: 2026-03-21T00:16:28.747

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-3572

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:33:39Z

Weaknesses