
Analytics Control Plus Security & Risk Analysis
wordpress.org/plugins/analytics-control-plus
Set up Google Analytics with options (demographics and enhanced link tracking), no JavaScript editing. Does bounce timeout, so more accurate stats.
Is Analytics Control Plus Safe to Use in 2026?
Generally Safe
Score 85/100
Analytics Control Plus has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The plugin 'analytics-control-plus' version 1.15 presents a generally good security posture with several positive indicators. The static analysis reveals no critical vulnerabilities such as dangerous functions, raw SQL queries, or external HTTP requests. Importantly, there are no identified taint flows, indicating that the code is not susceptible to data injection or manipulation through known pathways. The absence of any recorded CVEs in its vulnerability history further suggests a mature and relatively secure plugin.
However, a significant concern arises from the output escaping. With 10 total outputs and 0% properly escaped, there is a high risk of Cross-Site Scripting (XSS) vulnerabilities. Any dynamic data displayed by the plugin could be exploited by attackers to inject malicious scripts, leading to session hijacking, defacement, or other harmful actions. The presence of a shortcode and of nonce/capability checks is positive, but the lack of proper output escaping overshadows these strengths, making it the primary area of risk.
In conclusion, while the plugin demonstrates a strong foundation by avoiding common pitfalls like raw SQL and dangerous functions, the complete lack of output escaping is a critical flaw. This makes the plugin vulnerable to XSS attacks. The plugin's history of no vulnerabilities is a positive sign, but it does not mitigate the immediate risk posed by the unescaped output. A balanced view is that the plugin has good underlying security practices but requires immediate attention to its output handling.
Key Concerns
- 0% output escaping
Analytics Control Plus Security Vulnerabilities
Analytics Control Plus Code Analysis
Output Escaping
Analytics Control Plus Attack Surface
Shortcodes 1
WordPress Hooks 4
Maintenance & Trust
Analytics Control Plus Maintenance & Trust
Maintenance Signals
Community Trust
Analytics Control Plus Alternatives
Block Referral Spam
wp-block-referral-spam
This plugin blocks maximum Referral Spams. Now no more notice from Google and no more weird report in Google Analytics.
Toplytics
toplytics
Displays the most visited posts as a widget using data from Google Analytics. Designed to be used under high-traffic or low server resources.
Adjusted Bounce Rate
adjusted-bounce-rate
A well-designed plugin that improves the accuracy of your bounce rate, time on page, and session duration metrics in Google Analytics.
WP TagMan
wp-tagman
This is a simple plugin that allows you to insert the Google Tag Manager container into your site.
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
google-analytics-for-wordpress
The best free Google Analytics plugin for WordPress. See how visitors find and use your website so you can grow your business with powerful analytics.
Analytics Control Plus Developer Profile
2 plugins · 30 total installs
How We Detect Analytics Control Plus
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/analytics-control-plus/js/analytics-control-plus.js
- /wp-content/plugins/analytics-control-plus/css/analytics-control-plus.css
- /wp-content/plugins/analytics-control-plus/js/analytics-control-plus.js
- analytics-control-plus/js/analytics-control-plus.js?ver=
- analytics-control-plus/css/analytics-control-plus.css?ver=
HTML / DOM Fingerprints
- <!-- This metabox displays settings for Analytics Control Plus -->
- data-acp-dont-track
- analyticsControlPlus[ga_event]