AFS Analytics Security & Risk Analysis

wordpress.org/plugins/addfreestats

Full featured Web Analytics solution. Easy to use, in addition or as an alternative to google analytics.

600 active installs · v4.22 · PHP 5.3+ · WP 3.5.0+ · Updated Jun 5, 2025
Tags: afsanalytics, analytics, heatmaps, web-analytics, website-statistics
Score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Jun 12, 2025
Safety Verdict

Is AFS Analytics Safe to Use in 2026?

Generally Safe

Score 98/100

AFS Analytics has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jun 12, 2025 · Updated 10mo ago
Risk Assessment

The addfreestats plugin v4.22 exhibits a mixed security posture. On the positive side, there are no currently unpatched known vulnerabilities, and the plugin avoids dangerous functions and bundled outdated libraries. The presence of nonce checks, capability checks, and a reasonable rate of prepared SQL statements and output escaping suggests some adherence to secure coding practices.

However, significant concerns arise from the static analysis. A critical finding is the single AJAX handler that lacks authentication checks, creating a direct entry point for potential unauthorized actions. Furthermore, the taint analysis reveals three flows with unsanitized paths, which, although not classified as critical or high severity in this instance, represent a latent risk for cross-site scripting (XSS) or other input validation vulnerabilities if exploited.

The plugin's vulnerability history, with two medium-severity CVEs in the past, specifically related to missing authorization and XSS, further underscores the importance of addressing the identified weaknesses. While the current version may not have known exploits, the historical pattern suggests a tendency towards vulnerabilities that exploit input handling and access control. The conclusion is that while the plugin has made some improvements, the unprotected AJAX endpoint and unsanitized input paths demand immediate attention to mitigate potential security risks.

Key Concerns

  • Unprotected AJAX handler
  • Flows with unsanitized paths detected
  • SQL queries lack prepared statements (71%)
  • Output escaping not consistently applied (34%)
  • Known past vulnerabilities (2 medium)
Vulnerabilities
2

AFS Analytics Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • Medium: 2

2 total CVEs

CVE-2025-49864 · medium · 5.3 · Missing Authorization

AFS Analytics <= 4.21 - Missing Authorization

Jun 12, 2025 · Patched in 4.22 (6d)

CVE-2022-37402 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

AFS Analytics <= 4.15 - Authenticated (Administrator+) Stored Cross-Site Scripting

Oct 31, 2022 · Patched in 4.16 (449d)
Code Analysis
Analyzed Mar 16, 2026

AFS Analytics Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 5 (2 prepared)
  • Unescaped Output: 17 (33 escaped)
  • Nonce Checks: 3
  • Capability Checks: 1
  • File Operations: 1
  • External Requests: 2
  • Bundled Libraries: 0

SQL Query Safety

29% prepared · 7 total queries

Output Escaping

66% escaped · 50 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

4 flows · 3 with unsanitized paths
render_tabs (includes\controllers\settings\class-afsa-setting-page.php:102)
Attack Surface
1 unprotected

AFS Analytics Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers 1

  • auth wp_ajax_afsa_stats_server (addfreestats.php:58)
WordPress Hooks 15
  • action plugins_loaded (addfreestats.php:47)
  • action admin_init (addfreestats.php:49)
  • action admin_menu (addfreestats.php:50)
  • action admin_enqueue_scripts (addfreestats.php:51)
  • action wp_enqueue_scripts (addfreestats.php:53)
  • action wp_head (addfreestats.php:54)
  • action wp_footer (addfreestats.php:55)
  • action edit_form_after_title (includes\class-afsa-admin.php:16)
  • action save_post (includes\class-afsa-admin.php:17)
  • action admin_head (includes\class-afsa-admin.php:19)
  • action admin_footer (includes\class-afsa-admin.php:20)
  • action wp_admin_enqueue_scripts (includes\class-afsa-admin.php:22)
  • action wp_dashboard_setup (includes\class-afsa-admin.php:24)
  • action wp_dashboard_setup (includes\class-afsa-admin.php:118)
  • filter update_footer (includes\controllers\renderer\class-afsa-renderer.php:12)
Maintenance & Trust

AFS Analytics Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Jun 5, 2025
  • PHP min version: 5.3
  • Downloads: 54K

Community Trust

  • Rating: 82/100
  • Number of ratings: 9
  • Active installs: 600
Developer Profile

AFS Analytics Developer Profile

AFS Analytics

2 plugins · 620 total installs

  • Trust score: 78
  • Avg Security Score: 99/100
  • Avg Patch Time: 228 days
Detection Fingerprints

How We Detect AFS Analytics

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/addfreestats/css/dashboard.css
  • /wp-content/plugins/addfreestats/css/intro.css
  • /wp-content/plugins/addfreestats/css/settings.css
  • /wp-content/plugins/addfreestats/css/welcome.css
  • /wp-content/plugins/addfreestats/js/admin.js
  • /wp-content/plugins/addfreestats/js/intro.js
  • /wp-content/plugins/addfreestats/js/dashboard.js
  • /wp-content/plugins/addfreestats/js/settings.js
Script Paths
  • /wp-content/plugins/addfreestats/js/intro.js
  • /wp-content/plugins/addfreestats/js/settings.js
  • /wp-content/plugins/addfreestats/js/dashboard.js
  • /wp-content/plugins/addfreestats/js/admin.js
Version Parameters
  • addfreestats/css/dashboard.css?ver=
  • addfreestats/css/intro.css?ver=
  • addfreestats/css/settings.css?ver=
  • addfreestats/css/welcome.css?ver=
  • addfreestats/js/admin.js?ver=
  • addfreestats/js/intro.js?ver=
  • addfreestats/js/dashboard.js?ver=
  • addfreestats/js/settings.js?ver=

HTML / DOM Fingerprints

CSS Classes
afsa_dashboard_widget, afsa_welcome_wrap
HTML Comments
<!-- Custom Admin Dashboard Widget -->
Data Attributes
data-afsa-id, data-afsa-user-id
JS Globals
AFSA_CONFIG, AFSA_SETTINGS, AFSA_DASHBOARD_PARAMS, AFSA_ADMIN_PARAMS
REST Endpoints
/wp-json/afsa/v1/stats
FAQ

Frequently Asked Questions about AFS Analytics