bStat Security & Risk Analysis

wordpress.org/plugins/bstats

Log and analyze activity.

10 active installs · v6.1 · PHP + WP 3.7+ · Updated: Unknown

Tags: activity, activity-stream, bsuite, stats, webstats

Score: 100
Grade: A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is bStat Safe to Use in 2026?

Generally Safe

Score 100/100

bStat has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The "bstats" v6.1 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by using prepared statements for all SQL queries and having no recorded vulnerabilities in its history, suggesting a generally secure development process or minimal exposure. However, the static analysis reveals significant security concerns, primarily related to its attack surface. All six identified AJAX handlers lack authentication checks, presenting a substantial risk of unauthorized actions. Furthermore, while most outputs are properly escaped, the presence of one data flow with an unsanitized path, flagged as a high-severity taint, is a critical concern that could lead to a range of security issues if exploited. The lack of capability checks on the AJAX handlers exacerbates these risks, allowing any authenticated user, regardless of role, to potentially interact with these vulnerable endpoints.

Key Concerns

  • AJAX handlers without authentication checks
  • High severity unsanitized taint flow
  • AJAX handlers without capability checks
  • Outputs not properly escaped
Vulnerabilities
None known

bStat Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

bStat Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (5 prepared)
  • Unescaped Output: 17 (55 escaped)
  • Nonce Checks: 1
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

100% prepared (5 total queries)

Output Escaping

76% escaped (72 total outputs)
Data Flows
1 unsanitized

Data Flow Analysis

2 flows, 1 with unsanitized paths

  • <bstat-viewer> (components\templates\bstat-viewer.php:0)

Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
6 unprotected

bStat Attack Surface

Entry Points: 6
Unprotected: 6

AJAX Handlers (6)

Type     Hook                                Location
auth     wp_ajax_bstat                       components\class-bstat-admin.php:6
nopriv   wp_ajax_bstat                       components\class-bstat-admin.php:7
auth     wp_ajax_bstat_report_goal_items     components\class-bstat-report.php:15
auth     wp_ajax_bstat_report_goal_flow      components\class-bstat-report.php:16
auth     wp_ajax_bstat_report_top_sessions   components\class-bstat-report.php:17
auth     wp_ajax_bstat_report_top_users      components\class-bstat-report.php:18
WordPress Hooks (21)

Type     Hook                             Location
action   wp_insert_comment                components\class-bstat-comments.php:10
action   delete_comment                   components\class-bstat-comments.php:13
action   comment_approved_to_unapproved   components\class-bstat-comments.php:14
action   comment_approved_to_spam         components\class-bstat-comments.php:15
action   comment_approved_to_trash        components\class-bstat-comments.php:16
action   comment_unapproved_to_approved   components\class-bstat-comments.php:17
action   edit_comment                     components\class-bstat-comments.php:18
action   comment_post                     components\class-bstat-comments.php:19
action   init                             components\class-bstat-report.php:14
action   admin_menu                       components\class-bstat-report.php:60
action   admin_notices                    components\class-bstat-report.php:80
action   user_register                    components\class-bstat-wpcore.php:11
action   set_auth_cookie                  components\class-bstat-wpcore.php:14
action   activated_plugin                 components\class-bstat-wpcore.php:17
action   deactivated_plugin               components\class-bstat-wpcore.php:18
action   widget_update_callback           components\class-bstat-wpcore.php:22
action   init                             components\class-bstat.php:20
action   template_redirect                components\class-bstat.php:43
action   bstat_insert                     components\class-bstat.php:55
action   set_auth_cookie                  components\class-bstat.php:58
action   parse_query                      components\class-bstat.php:61
Maintenance & Trust

bStat Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.0.38
Last updated: Unknown
PHP min version: not listed
Downloads: 6K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

bStat Developer Profile

Casey Bisson

7 plugins · 290 total installs

Trust score: 68
Avg Security Score: 84/100
Avg Patch Time: 3405 days
Detection Fingerprints

How We Detect bStat

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bstats/css/bstat-report.css
/wp-content/plugins/bstats/js/bstat-report.js
Script Paths
/wp-content/plugins/bstats/js/bstat-report.js
Version Parameters
bstats/css/bstat-report.css?ver=
bstats/js/bstat-report.js?ver=

HTML / DOM Fingerprints

CSS Classes
bstats-report
HTML Comments
comment tracking is kept separate as an example of how to build other integrations
Data Attributes
data-role="goal-flow"
JS Globals
bstats_report_vars
REST Endpoints
/wp-json/bstats/v1/sessions
/wp-json/bstats/v1/goals
/wp-json/bstats/v1/goal
FAQ

Frequently Asked Questions about bStat