CVE-2026-1215 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the MMA Call Tracking plugin for WordPress, affecting all versions up to and including 2.3.15. The root cause is the absence of nonce validation when saving plugin configuration on the `mma_call_tracking_menu` admin page. Nonces in WordPress are security tokens used to verify that requests originate from legitimate users and not from forged sources. Without this validation, attackers can craft malicious URLs or web pages that, when visited by an authenticated administrator, cause the plugin's configuration settings to be altered without their consent. This vulnerability does not require the attacker to be authenticated but does require the administrator to perform an action such as clicking a link, making user interaction necessary. The impact is limited to integrity, as attackers can modify call tracking configurations, potentially disrupting business operations or enabling further malicious activities. The CVSS v3.1 base score is 4.3 (medium), reflecting network attack vector, low complexity, no privileges required, but requiring user interaction and limited impact on integrity only. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly. The vulnerability is classified under CWE-352, which covers CSRF weaknesses.

The primary impact of this vulnerability is the unauthorized modification of call tracking plugin settings, which can lead to inaccurate call data, misrouting of calls, or disabling of tracking features. This can disrupt marketing analytics, sales tracking, and customer service operations that rely on accurate call data. While the vulnerability does not expose sensitive data directly or cause denial of service, the integrity compromise could be leveraged as a foothold for further attacks, such as injecting malicious scripts or redirecting calls to fraudulent numbers. Organizations relying heavily on call tracking for business intelligence or customer engagement may experience operational disruptions and potential financial losses. Since exploitation requires administrator interaction, the risk is somewhat mitigated but remains significant in environments with many administrators or where phishing attacks are common. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability is widely known.

1. Immediately update the MMA Call Tracking plugin to a version that includes nonce validation once available. If no patch exists yet, consider temporarily disabling the plugin or restricting access to the plugin's admin page to trusted administrators only. 2. Implement strict administrative access controls and enforce the principle of least privilege to minimize the number of users who can modify plugin settings. 3. Educate administrators about phishing and social engineering risks, emphasizing caution when clicking on links, especially those received via email or untrusted sources. 4. Use web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin's configuration endpoints. 5. Monitor plugin configuration changes through WordPress audit logs or third-party monitoring tools to detect unauthorized modifications promptly. 6. Consider adding custom nonce validation or other CSRF protections if immediate patching is not feasible. 7. Regularly review and harden WordPress security settings and keep all plugins and core software up to date to reduce exposure to similar vulnerabilities.