Clicky by Yoast Security & Risk Analysis

wordpress.org/plugins/clicky

Integrates the Clicky web analytics service into your blog and adds features for comment tracking & more.

4K active installs · v2.0 · PHP 5.6+ · WP 5.9+ · Updated Apr 6, 2023
Tags: affiliate, analytics, clicky, getclicky, statistics
85
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Jul 27, 2016
Safety Verdict

Is Clicky by Yoast Safe to Use in 2026?

Generally Safe

Score 85/100

Clicky by Yoast has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Jul 27, 2016 · Updated 2yr ago
Risk Assessment

The "clicky" plugin v2.0 exhibits a generally strong security posture based on the provided static analysis. The absence of any identified entry points without authentication checks and the use of prepared statements for all SQL queries are significant strengths. The plugin also shows good practice in output escaping, with a high percentage of outputs properly handled. However, a notable concern is the complete lack of nonce checks, which can be a critical security measure for preventing CSRF attacks, especially if any user-initiated actions were present. The external HTTP requests, while not inherently a vulnerability, warrant attention because they could become an attack vector if not properly validated or secured. The plugin's vulnerability history, while dated, shows a past Cross-site Scripting issue, indicating that input sanitization is an area that requires ongoing diligence.

Overall, the current version appears well secured against common direct attack vectors, but the absence of nonce checks is a notable weakness. It is crucial that future updates address the potential risks associated with external requests and maintain the current high standards for input sanitization and output escaping.

Key Concerns

  • Missing nonce checks
  • External HTTP requests present
  • Past XSS vulnerability history
Vulnerabilities
1

Clicky by Yoast Security Vulnerabilities

CVEs by Year

1 CVE in 2016

Severity Breakdown

Medium: 1

1 total CVE

WF-42d56d6a-365a-4fa2-977f-a1328e0ec1b3-clicky · medium · 6.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Clicky by Yoast <= 1.5 - Stored Cross-Site Scripting

Jul 27, 2016 · Patched in 1.6 (2736d)
Code Analysis
Analyzed Mar 16, 2026

Clicky by Yoast Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 5 (26 escaped)
Nonce Checks: 0
Capability Checks: 3
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Output Escaping

84% escaped · 31 total outputs
Attack Surface

Clicky by Yoast Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 14

  • action · admin_enqueue_scripts · admin\admin-page.php:21
  • action · admin_enqueue_scripts · admin\admin-page.php:22
  • action · admin_head · admin\admin-page.php:24
  • filter · plugin_action_links · admin\admin.php:36
  • action · publish_post · admin\admin.php:38
  • action · admin_notices · admin\admin.php:39
  • action · admin_menu · admin\admin.php:40
  • action · admin_init · admin\options-admin.php:24
  • action · init · clicky.php:52
  • action · plugins_loaded · clicky.php:74
  • action · wp_head · frontend\frontend.php:30
  • action · comment_post · frontend\frontend.php:31
  • action · wp_head · frontend\visitor-graph.php:98
  • action · admin_bar_menu · frontend\visitor-graph.php:99
Maintenance & Trust

Clicky by Yoast Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.1.10
Last updated: Apr 6, 2023
PHP min version: 5.6
Downloads: 353K

Community Trust

Rating: 96/100
Number of ratings: 11
Active installs: 4K
Developer Profile

Clicky by Yoast Developer Profile

Joost de Valk

8 plugins · 9K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 2736 days
Detection Fingerprints

How We Detect Clicky by Yoast

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/clicky/css/dist/clicky_admin.css
  • /wp-content/plugins/clicky/js/admin.min.js

Script Paths

  • js/admin.min.js

Version Parameters

  • clicky_admin.css?ver=
  • admin.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
yoast_boxinsideyoast
HTML Comments
  • Clicky Web Analytics - https://clicky.com, WordPress Plugin by Yoast - https://yoast.com/wordpress/plugins/clicky/
  • Clicky tracking not shown because you're an administrator and
JS Globals
yoast_i18n