ExtraWatch PRO (Live Stats, Heatmap, Click tracking, Download Monitor and more) Security & Risk Analysis

wordpress.org/plugins/extrawatch-pro

Optimize website and increase sales. Watch your visitors in real time, Click Heatmap, Conversion Tracking, Download monitor, Anti-spam, Email Reports

30 active installs v2.3.2697 PRO PHP + WP + Updated Unknown
analytics, slimstat, statistics, stats, wp-slimstat
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is ExtraWatch PRO (Live Stats, Heatmap, Click tracking, Download Monitor and more) Safe to Use in 2026?

Generally Safe

Score 100/100

ExtraWatch PRO (Live Stats, Heatmap, Click tracking, Download Monitor and more) has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The Extrawatch-Pro plugin, version 2.3.2697 PRO, exhibits a mixed security posture. While it has no recorded historical vulnerabilities (CVEs) and its SQL queries are exclusively prepared, there are significant concerns stemming from the static analysis. A considerable number of dangerous functions, specifically `unserialize`, are present, posing a risk if user-supplied data is not rigorously validated before being unserialized. Furthermore, the plugin demonstrates a complete lack of output escaping across all analyzed outputs, making it highly susceptible to Cross-Site Scripting (XSS) vulnerabilities. The absence of nonce checks and the limited presence of capability checks on its entry points (shortcodes) also suggest potential authorization and CSRF vulnerabilities.

Key Concerns

  • Unescaped output across all analyzed outputs
  • Presence of dangerous function: unserialize
  • No nonce checks found
  • Limited capability checks found
  • Bundled outdated library: jQuery v1.11.0
Vulnerabilities
None known

ExtraWatch PRO (Live Stats, Heatmap, Click tracking, Download Monitor and more) Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

ExtraWatch PRO (Live Stats, Heatmap, Click tracking, Download Monitor and more) Code Analysis

Dangerous Functions: 14
Raw SQL Queries: 0 (44 prepared)
Unescaped Output: 564 (1 escaped)
Nonce Checks: 0
Capability Checks: 2
File Operations: 58
External Requests: 4
Bundled Libraries: 1

Dangerous Functions Found

  • unserialize: `$keysArray = @unserialize(EXTRAWATCH_STATS_ITEMS);` (components\com_extrawatch\js\extrawatch.js.php:151)
  • unserialize: `$allowedFields = unserialize(EXTRAWATCH_GOALS_ALLOWED_FIELDS);` (components\com_extrawatch\src\class.extrawatch.goal.php:124)
  • unserialize: `foreach (unserialize(EXTRAWATCH_TABLES_TO_TRUNCATE) as $table) {` (components\com_extrawatch\src\class.extrawatch.helper.php:50)
  • unserialize: `$this->config->saveConfigValues(unserialize(EXTRAWATCH_CHECKBOX_NAMES_ARRAY), $post);` (components\com_extrawatch\src\class.extrawatch.helper.php:91)
  • unserialize: `$fileWhitelistArray = unserialize(EXTRAWATCH_INCLUDE_FILE_WHITELIST);` (components\com_extrawatch\src\class.extrawatch.helper.php:506)
  • unserialize: `if ($getParam && !array_search($getParam, unserialize(_EW_ALLOWED_PARAMS_TO_EXTRACT))) {` (components\com_extrawatch\src\class.extrawatch.input.php:113)
  • unserialize: `$socialmedia=unserialize(EXTRAWATCH_SOCIAL_MEDIA_REGEX);` (components\com_extrawatch\src\class.extrawatch.referers.php:69)
  • unserialize: `foreach (unserialize(EXTRAWATCH_TABLES_TO_TRUNCATE) as $table) {` (components\com_extrawatch\src\class.extrawatch.setup.php:210)
  • unserialize: `foreach (unserialize(EXTRAWATCH_TABLES_TO_OPTIMIZE) as $table) {` (components\com_extrawatch\src\class.extrawatch.stat.php:394)
  • unserialize: `foreach (@unserialize(EXTRAWATCH_TABLES_TO_TRUNCATE) as $table) {` (components\com_extrawatch\src\env\wordpress\class.extrawatch.setup.wordpress.php:114)
  • unserialize: `$keysArray = unserialize(EXTRAWATCH_STATS_ITEMS);` (components\com_extrawatch\src\html\class.extrawatch.stat.html.php:478)
  • unserialize: `$keysArray = unserialize(EXTRAWATCH_GRAPH_STATS_ITEMS);` (components\com_extrawatch\src\html\class.extrawatch.trend.html.php:240)
  • unserialize: `foreach (unserialize(EXTRAWATCH_STATS_ITEMS) as $key) {` (components\com_extrawatch\view\stats-today.php:24)
  • unserialize: `foreach (unserialize(EXTRAWATCH_STATS_ITEMS) as $key) {` (components\com_extrawatch\view\stats-total.php:21)

Bundled Libraries

jQuery 1.11.0

SQL Query Safety

100% prepared (44 total queries)

Output Escaping

0% escaped (565 total outputs)
Data Flows: 8 unsanitized

Data Flow Analysis

8 flows, 8 with unsanitized paths
saveImportAntiSpamIp (components\com_extrawatch\src\class.extrawatch.block.php:354)
Attack Surface

ExtraWatch PRO (Live Stats, Heatmap, Click tracking, Download Monitor and more) Attack Surface

Entry Points: 6
Unprotected: 0

Shortcodes 6

[extraWatchAgent] components\com_extrawatch\src\env\wordpress\extrawatch.php:183
[extraWatchUsers] components\com_extrawatch\src\env\wordpress\extrawatch.php:184
[extraWatchVisitors] components\com_extrawatch\src\env\wordpress\extrawatch.php:185
[extraWatchAgent] extrawatch.php:183
[extraWatchUsers] extrawatch.php:184
[extraWatchVisitors] extrawatch.php:185
WordPress Hooks 11
action plugins_loaded components\com_extrawatch\src\env\wordpress\extrawatch.php:52
action wp_head components\com_extrawatch\src\env\wordpress\extrawatch.php:158
action init components\com_extrawatch\src\env\wordpress\extrawatch.php:180
filter plugin_row_meta components\com_extrawatch\src\env\wordpress\extrawatch.php:224
action widgets_init components\com_extrawatch\src\env\wordpress\widget\class.extrawatch.agent.widget.php:52
action widgets_init components\com_extrawatch\src\env\wordpress\widget\class.extrawatch.users.widget.php:52
action widgets_init components\com_extrawatch\src\env\wordpress\widget\class.extrawatch.visitors.widget.php:52
action plugins_loaded extrawatch.php:52
action wp_head extrawatch.php:158
action init extrawatch.php:180
filter plugin_row_meta extrawatch.php:224
Maintenance & Trust

ExtraWatch PRO (Live Stats, Heatmap, Click tracking, Download Monitor and more) Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.4.19
Last updated: Unknown
PHP min version
Downloads: 40K

Community Trust

Rating: 80/100
Number of ratings: 12
Active installs: 30
Developer Profile

ExtraWatch PRO (Live Stats, Heatmap, Click tracking, Download Monitor and more) Developer Profile

matto3c

3 plugins · 140 total installs

Trust score: 87
Avg Security Score: 90/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect ExtraWatch PRO (Live Stats, Heatmap, Click tracking, Download Monitor and more)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/extrawatch-pro/components/com_extrawatch/css/dashboard.css.php
  • /wp-content/plugins/extrawatch-pro/administrator/components/com_extrawatch/css/admin.extrawatch.css

HTML / DOM Fingerprints

CSS Classes
  • extrawatch-main-content
  • ew-admin-widget-content
  • extrawatch-dashboard-widget
HTML Comments
  • <!-- ExtraWatch PRO -->
  • <!-- ExtraWatch PRO Live Stats -->
  • <!-- ExtraWatch PRO - Main Controller -->
Data Attributes
  • data-ew-project-id
  • data-ew-ajax-url
  • data-ew-nonce
JS Globals
  • ExtraWatchConfig
  • ExtraWatchAJAX
REST Endpoints
  • /wp-json/extrawatch/v1/data
  • /wp-json/extrawatch/v1/settings
Shortcode Output
  • [extrawatch_live_stats]
  • [extrawatch_heatmap]
  • [extrawatch_clicks]
FAQ

Frequently Asked Questions about ExtraWatch PRO (Live Stats, Heatmap, Click tracking, Download Monitor and more)