WP-Safety

DM User Tracking Security & Risk Analysis

wordpress.org/plugins/dm-user-tracking-plugin

An extensive, customisable, fully featured user tracking plugin.

10 active installs v1.9.1 PHP + WP 3.5.1+ Updated Unknown
activityauditingdmloggingtracking
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is DM User Tracking Safe to Use in 2026?

Generally Safe

Score 100/100

DM User Tracking has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The dm-user-tracking-plugin v1.9.1 presents a mixed security posture. While the plugin exhibits a strong attack surface management with no apparent unprotected entry points (AJAX, REST API, shortcodes), several concerning code signals emerge. The significant use of the `unserialize` function, coupled with a high percentage of SQL queries not using prepared statements, introduces potential risks for arbitrary code execution and SQL injection vulnerabilities. Furthermore, the low percentage of properly escaped output indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the website.

The taint analysis reveals a high-severity flow with unsanitized paths, which could be exploited to achieve critical security outcomes. The absence of any recorded vulnerabilities in its history might suggest a lack of past exploitation or thorough security auditing, but it does not guarantee future security. The plugin's reliance on potentially unsafe functions and improper data handling practices, despite a seemingly secure attack surface, warrants careful consideration and mitigation efforts.

Key Concerns

  • High number of SQL queries without prepared statements
  • High-severity taint flow with unsanitized path
  • Dangerous function: unserialize used
  • Low percentage of properly escaped output
  • File operations present
  • External HTTP requests present
Vulnerabilities
None known

DM User Tracking Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

DM User Tracking Code Analysis

Dangerous Functions
6
Raw SQL Queries
39
0 prepared
Unescaped Output
81
18 escaped
Nonce Checks
8
Capability Checks
2
File Operations
3
External Requests
1
Bundled Libraries
0

Dangerous Functions Found

unserializeif (unserialize($curr[$k]) != false) {php_includes\stats.php:329
unserialize$curr[$k] = unserialize($curr[$k]);php_includes\stats.php:330
unserialize$script_names = unserialize($row[0]);php_includes\stats.php:410
unserialize$users = unserialize($row->user_ids);php_includes\visual.php:814
unserialize$pages = unserialize($row->page_views);php_includes\visual.php:825
unserialize$user_agents = unserialize($row->user_agents);php_includes\visual.php:834

SQL Query Safety

0% prepared39 total queries

Output Escaping

18% escaped99 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

6 flows3 with unsanitized paths
<dbmanagement> (php_includes\admin\dbmanagement.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

DM User Tracking Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 10
filtercron_scheduleslbak_user_tracking.php:75
actionwp_dashboard_setuplbak_user_tracking.php:81
actionwp_loadedlbak_user_tracking.php:82
actionadmin_menulbak_user_tracking.php:83
actionadmin_headlbak_user_tracking.php:84
filterthe_contentlbak_user_tracking.php:85
actionadmin_print_scripts-index.phplbak_user_tracking.php:86
actionlbakut_update_browscaplbak_user_tracking.php:99
actionlbakut_do_cache_and_statslbak_user_tracking.php:100
actionlbakut_database_management_cronlbak_user_tracking.php:101

Scheduled Events 3

lbakut_update_browscap
lbakut_do_cache_and_stats
lbakut_database_management_cron
Maintenance & Trust

DM User Tracking Maintenance & Trust

Maintenance Signals

WordPress version tested3.5.3
Last updatedUnknown
PHP min version
Downloads6K

Community Trust

Rating40/100
Number of ratings3
Active installs10
Alternatives

DM User Tracking Alternatives

Last Login Tracker & Redirect URL

Last Login Tracker & Redirect URL

last-login-tracker-redirect-url

A
92

Tracks user last login and allows redirection of 404 pages to the homepage.

10 No CVEs
Lyon Site Activity

Lyon Site Activity

lyon-site-activity

A
85

A simple, lightweight plugin that gives site administrators an at-a-glance view of recent content edits.

10 No CVEs
User Activity Tracker

User Activity Tracker

user-activity-tracker

A
100

Track and monitor user activity effortlessly with User Activity Tracker. Stay informed about actions taken on your site.

10 No CVEs
LogAction – Activity Logs for Admin

LogAction – Activity Logs for Admin

logaction

A
100

Track and log WordPress activities to monitor and improve your site's security and administrative tasks.

0 No CVEs
User Who Last Viewed The Order

User Who Last Viewed The Order

order-user-last-viewed

A
100

Displays the user who last viewed a WooCommerce order in the admin panel, with timestamp.

0 No CVEs
Developer Profile

DM User Tracking Developer Profile

digmedia

1 plugin · 10 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect DM User Tracking

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/dm-user-tracking-plugin/js/dm_user_tracking.js/wp-content/plugins/dm-user-tracking-plugin/css/dm_user_tracking.css
Script Paths
js/dm_user_tracking.js
Version Parameters
dm-user-tracking-plugin/js/dm_user_tracking.js?ver=dm-user-tracking-plugin/css/dm_user_tracking.css?ver=

HTML / DOM Fingerprints

CSS Classes
dm-user-tracking-dashboard-widget
HTML Comments
<!-- DM User Tracking -->
JS Globals
dm_user_tracking_obj
Shortcode Output
[dm_user_tracking_visitors][dm_user_tracking_browsers][dm_user_tracking_platforms][dm_user_tracking_pages]
FAQ

Frequently Asked Questions about DM User Tracking