Chartbeat Security & Risk Analysis

wordpress.org/plugins/chartbeat

The Chartbeat plugin automatically adds real-time data and a top pages widget to your blog. See who’s on your site, what they’re doing - right now

1K active installs v2.0.7 PHP + WP 2.8+ Updated Jul 1, 2020
Tags: amp, analytics, chartbeat, instant-articles
Score: 63/100
Grade: C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Aug 26, 2025
Safety Verdict

Is Chartbeat Safe to Use in 2026?

Use With Caution

Score 63/100

Chartbeat has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Aug 26, 2025 · Plugin last updated 5 years ago
Risk Assessment

The Chartbeat plugin v2.0.7 shows several good security practices: no dangerous functions, its single SQL query uses a prepared statement, only two entry points (both AJAX handlers) with none flagged as unprotected, and nonce and capability checks (1 and 4 respectively) around a small attack surface. The significant concern is its vulnerability history. CVE-2025-53250, a medium-severity (6.4) Server-Side Request Forgery reachable by any authenticated user (Subscriber role or above), remains unpatched, and the plugin has not been updated since July 2020. An unpatched SSRF lets a low-privilege account make the web server issue HTTP requests to destinations of the attacker's choosing, which is how internal services that trust the server's network position get reached.

Static analysis shows a relatively clean codebase: no critical or high-severity taint flows, 63 of 73 outputs escaped (86%), and both data flows through cbproxy_submit (chartbeat.php:479) marked sanitized. That verdict does not contradict the CVE: an SSRF is about which destination an outbound request may reach, and generic input sanitization does not by itself restrict a destination. The plugin makes one external HTTP request, and the attack surface section shows the cbproxy-submit AJAX action registered for both logged-in and not-logged-in (nopriv) requests (chartbeat.php:476-477). The advisory does not name the affected function, but a proxy-style handler that owns the plugin's only outbound request is where a reviewer would look first. The overall posture is therefore mixed: sound internal code practices undermined by a medium-severity, unpatched, publicly reported vulnerability in a plugin that is no longer receiving updates.
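The verdict above says to "apply available mitigations" without listing any. The must-use plugin below is an added example, not Chartbeat's code and not a fix for CVE-2025-53250, showing what a site operator can deploy while the plugin stays unpatched. It is built only from facts on this page: the AJAX action name cbproxy-submit, its registration for both logged-in and nopriv requests, and the CVE's Subscriber+ precondition. The function names, the allowed-host list (chartbeat.com) and the choice to require manage_options are assumptions.

```php
<?php
/**
 * Plugin Name: Chartbeat SSRF hardening
 * Description: Added example, not Chartbeat's code. Place it in wp-content/mu-plugins/
 *              so it loads before the plugin on every request.
 *
 * Layer 1 gates the AJAX action the report lists as registered for both logged-in
 * and nopriv requests ("cbproxy-submit", chartbeat.php:476-477). admin-ajax.php
 * fires admin_init before dispatching any wp_ajax_* hook, so this gate runs first.
 * Layer 2 inspects every request made through the WordPress HTTP API while that
 * action is being served and refuses destinations that are not allowlisted or
 * that resolve to loopback, link-local, private or reserved addresses.
 */

// Assumption: the proxy's only legitimate destination is chartbeat.com.
const CB_HARDEN_ALLOWED_HOSTS = array( 'chartbeat.com' );
const CB_HARDEN_ACTION        = 'cbproxy-submit';

/** True when this request is admin-ajax.php carrying the proxy action. */
function cb_harden_is_proxy_request() {
    if ( ! function_exists( 'wp_doing_ajax' ) || ! wp_doing_ajax() ) {
        return false;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    return CB_HARDEN_ACTION === $action;
}

/** Layer 1: the CVE needs only a Subscriber account, so require an administrator. */
add_action( 'admin_init', 'cb_harden_gate_proxy_action', 0 );
function cb_harden_gate_proxy_action() {
    if ( cb_harden_is_proxy_request() && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'cbproxy-submit is disabled for this role.' ), 403 );
    }
}

/** Layer 2: short-circuit disallowed outbound requests with a WP_Error. */
add_filter( 'pre_http_request', 'cb_harden_guard_outbound', 10, 3 );
function cb_harden_guard_outbound( $preempt, $parsed_args, $url ) {
    if ( ! cb_harden_is_proxy_request() ) {
        return $preempt; // requests made outside the proxy action are left alone
    }
    $reason = cb_harden_reject_reason( $url );
    return null === $reason ? $preempt : new WP_Error( 'cb_harden_ssrf', 'Blocked outbound request: ' . $reason );
}

/** Returns null if $url may be fetched, otherwise a short reason for refusing it. */
function cb_harden_reject_reason( $url ) {
    $parts  = wp_parse_url( $url );
    $scheme = isset( $parts['scheme'] ) ? strtolower( $parts['scheme'] ) : '';
    $host   = isset( $parts['host'] ) ? strtolower( $parts['host'] ) : '';
    if ( '' === $host ) {
        return 'no host';
    }
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return 'scheme ' . $scheme;
    }
    $allowed = false;
    foreach ( CB_HARDEN_ALLOWED_HOSTS as $ok ) {
        // exact match or a subdomain; "evilchartbeat.com" does not match
        if ( $host === $ok || '.' . $ok === substr( $host, -strlen( '.' . $ok ) ) ) {
            $allowed = true;
            break;
        }
    }
    if ( ! $allowed ) {
        return 'host not allowlisted: ' . $host;
    }
    // Name allowlisting alone is not enough: a record pointing at 127.0.0.1 or
    // 169.254.169.254 would pass it, so resolve and check the addresses as well.
    $ips = cb_harden_resolve( $host );
    if ( empty( $ips ) ) {
        return 'unresolvable host ' . $host;
    }
    foreach ( $ips as $ip ) {
        if ( ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return 'resolves to internal address ' . $ip;
        }
    }
    return null;
}

/** A/AAAA addresses for $host, or the literal itself when the host is an IP. */
function cb_harden_resolve( $host ) {
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        return array( $host );
    }
    $ips = array();
    foreach ( (array) dns_get_record( $host, DNS_A | DNS_AAAA ) as $rec ) {
        if ( isset( $rec['ip'] ) )   { $ips[] = $rec['ip']; }
        if ( isset( $rec['ipv6'] ) ) { $ips[] = $rec['ipv6']; }
    }
    return $ips;
}
```

This is a stopgap, not a fix. It only covers requests made through the WordPress HTTP API (a raw curl_exec or file_get_contents in the plugin would bypass pre_http_request), the resolve-then-check step is still open to DNS rebinding between this lookup and WordPress' own, and requiring manage_options breaks the action for any legitimate lower-privilege use. Replacing the plugin remains the clean option.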

Key Concerns

  • Unpatched CVE (Medium severity)
Vulnerabilities (1)

Chartbeat Security Vulnerabilities

CVEs by Year

2025: 1 CVE (unpatched)

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-53250 · Medium (6.4) · Server-Side Request Forgery (SSRF)

Chartbeat <= 2.0.7 - Authenticated (Subscriber+) Server-Side Request Forgery

Aug 26, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Chartbeat Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 10 (63 escaped)
Nonce Checks: 1
Capability Checks: 4
File Operations: 0
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

100% prepared (1 query in total)

Output Escaping

86% escaped (63 of 73 outputs)
Data Flows
All sanitized

Data Flow Analysis

2 flows · cbproxy_submit (chartbeat.php:479) · all marked sanitized
Attack Surface

Chartbeat Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers (2)

nopriv · wp_ajax_cbproxy-submit · chartbeat.php:476
auth · wp_ajax_cbproxy-submit · chartbeat.php:477

WordPress Hooks (14)

action · admin_menu · chartbeat.php:31
action · admin_notices · chartbeat.php:35
action · admin_init · chartbeat.php:46
filter · amp_post_template_analytics · chartbeat.php:420
action · instant_articles_article_header · chartbeat.php:442
action · widgets_init · chartbeat.php:509
filter · posts_where · chartbeat.php:544
action · wp_dashboard_setup · chartbeat.php:627
action · admin_init · chartbeat.php:628
filter · manage_posts_columns · chartbeat.php:631
action · manage_posts_custom_column · chartbeat.php:639
action · admin_init · chartbeat.php:673
action · wp_head · chartbeat.php:675
action · wp_footer · chartbeat.php:676
Maintenance & Trust

Chartbeat Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.7.32
Last updated: Jul 1, 2020
PHP min version: not listed
Downloads: 584K

Community Trust

Rating: 50/100
Number of ratings: 2
Active installs: 1K
Developer Profile

Chartbeat Developer Profile

Chartbeat

1 plugin · 1K total installs

Trust score: 68
Avg Security Score: 63/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Chartbeat

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/chartbeat/media/chartbeat.png
/wp-content/plugins/chartbeat/media/topwidget.compiled.js
Script Paths
//chartbeat.com/wordpress/?site=
//chartbeat.com/dashboard/
//chartbeat.com/publishing/dashboard/
//chartbeat.com/apikeys/
https://chartbeat.com/publishing/headline-optimization/

HTML / DOM Fingerprints

Data Attributes
id="chartbeat-iframe"
JS Globals
CBTopPagesWidget
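The following is an added example of applying the fingerprints listed above during an audit; it is not the report's own scanner. It takes a fetched HTML document, records which fingerprints matched, and, where the plugin's script tag carries WordPress' usual ?ver= query string, extracts the version and compares it with the CVE-2025-53250 range (<= 2.0.7). The function names are mine, the sample page is constructed, and the ?ver= convention is an assumption about how the plugin enqueues its script, so the version field may stay null on a real site.

```php
<?php
// Added example, not the report's scanner. Applies the listed fingerprints to HTML.

const CB_FP_ASSET_PATHS = array(
    '/wp-content/plugins/chartbeat/media/chartbeat.png',
    '/wp-content/plugins/chartbeat/media/topwidget.compiled.js',
);
const CB_FP_SCRIPT_PREFIX = '//chartbeat.com/wordpress/?site=';
const CB_FP_DOM_ID        = 'chartbeat-iframe';
const CB_FP_JS_GLOBAL     = 'CBTopPagesWidget';
const CB_FP_MAX_AFFECTED  = '2.0.7'; // CVE-2025-53250: Chartbeat <= 2.0.7

/** Returns matched evidence plus a version and affected flag where recoverable. */
function cb_fingerprint( $html ) {
    $evidence = array();
    foreach ( CB_FP_ASSET_PATHS as $path ) {
        if ( false !== strpos( $html, $path ) ) {
            $evidence[] = 'asset ' . basename( $path );
        }
    }
    if ( false !== strpos( $html, CB_FP_SCRIPT_PREFIX ) ) {
        $evidence[] = 'script ' . CB_FP_SCRIPT_PREFIX;
    }
    if ( preg_match( '/\bid=["\']' . preg_quote( CB_FP_DOM_ID, '/' ) . '["\']/i', $html ) ) {
        $evidence[] = 'dom #' . CB_FP_DOM_ID;
    }
    if ( preg_match( '/\b' . preg_quote( CB_FP_JS_GLOBAL, '/' ) . '\b/', $html ) ) {
        $evidence[] = 'js global ' . CB_FP_JS_GLOBAL;
    }
    // Assumption: the plugin's script is enqueued with ?ver=<plugin version>.
    $version = null;
    if ( preg_match( '#/plugins/chartbeat/[^"\'\s>]*\?ver=([0-9]+(?:\.[0-9]+)*)#', $html, $m ) ) {
        $version = $m[1];
    }
    return array(
        'detected' => ! empty( $evidence ),
        'evidence' => $evidence,
        'version'  => $version,
        'affected' => null === $version ? null : version_compare( $version, CB_FP_MAX_AFFECTED, '<=' ),
    );
}

// Constructed sample page for this example; not captured from a real site.
$sample = <<<'HTML'
<html><head>
<script src="/wp-content/plugins/chartbeat/media/topwidget.compiled.js?ver=2.0.7"></script>
</head><body>
<iframe id="chartbeat-iframe" src="//chartbeat.com/wordpress/?site=example.com"></iframe>
<script>window.CBTopPagesWidget = {};</script>
</body></html>
HTML;

print_r( cb_fingerprint( $sample ) );
```

Treat a null version as "present, version unknown" rather than "not affected": with only one release history entry on this page and no patched version published, any detected install should be assumed to be within the affected range until the plugin's readme or file headers say otherwise.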
FAQ

Frequently Asked Questions about Chartbeat