Does GA Universal have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is GA Universal compatible with WordPress 3.5.2?

According to WordPress.org data, GA Universal 1.0.1 has been tested up to WordPress 3.5.2. Check the plugin's changelog for the latest compatibility information.

How often is GA Universal updated?

GA Universal was last updated on Apr 9, 2013. Frequent updates are generally a positive security signal.

What is GA Universal's security score?

GA Universal has a WP-Safety security score of 84/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

GA Universal Security & Risk Analysis

wordpress.org/plugins/ga-universal

GA Universal is the first plugin for WordPress to implement Google Analytic's Analytics.js tracking.

10 active installs v1.0.1 PHP + WP 3.0.1+ Updated Apr 9, 2013

analyticsanalytics-jsgoogle-analyticsgoogle-analytics-universaltracking

B · Generally Safe

CVEs total1

Unpatched0

Last CVEApr 10, 2013

Plugin page Download

Safety Verdict

Is GA Universal Safe to Use in 2026?

Mostly Safe

Score 84/100

GA Universal is generally safe to use though it hasn't been updated recently. 1 past CVE were resolved.

1 known CVELast CVE: Apr 10, 2013Updated 13yr ago

Risk Assessment

The 'ga-universal' v1.0.1 plugin exhibits a mixed security posture. While it demonstrates good practices by utilizing prepared statements for all SQL queries and including nonce and capability checks, significant concerns arise from its output escaping and historical vulnerability. The static analysis reveals that 0% of the 23 identified output operations are properly escaped. This is a critical oversight, as it opens the door to potential Cross-Site Scripting (XSS) vulnerabilities, allowing malicious actors to inject harmful scripts into the user's browser. Additionally, the plugin has a history of known vulnerabilities, specifically a high-severity Cross-Site Request Forgery (CSRF) in the past, indicating a need for continuous vigilance. Although there are no currently unpatched CVEs, the historical trend and the lack of proper output escaping suggest a potential for new vulnerabilities to emerge if not addressed.

Key Concerns

0% output escaping
High severity CVE in history
Use of unserialize()

Vulnerabilities

1 published

GA Universal Security Vulnerabilities

CVEs by Year

1 CVE in 2013

2013

Patched Has unpatched

Severity Breakdown

High

1 total CVE

WF-6e953bc0-a934-43fc-8147-4555dde069cc-ga-universalhigh · 8.8Cross-Site Request Forgery (CSRF)

GA Universal < 1.0.1 - Cross-Site Request Forgery

Apr 10, 2013 Patched in 1.0.1 (3940d)

Version History

GA Universal Release Timeline

v1.0.1Current

v1.01 CVE

WF-6e953bc0-a934-43fc-8147-4555dde069cc-ga-universal

Code Analysis

Analyzed Apr 16, 2026

GA Universal Code Analysis

Dangerous Functions

Raw SQL Queries

1 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$rarr = unserialize($role);index.php:37

SQL Query Safety

100% prepared1 total queries

Output Escaping

0% escaped23 total outputs

Data Flows · Security

All sanitized

Data Flow Analysis

1 flows

<settings> (inc/screens/settings.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

GA Universal Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 4

actionwp_footerindex.php:27

actionwp_headindex.php:29

actionadmin_menuindex.php:102

actionadmin_enqueue_scriptsindex.php:108

Maintenance & Trust

GA Universal Maintenance & Trust

Maintenance Signals

WordPress version tested3.5.2

Last updatedApr 9, 2013

PHP min version

Downloads2K

Community Trust

Rating0/100

Number of ratings0

Active installs10

Alternatives

GA Universal Alternatives

GA Google Analytics – Connect Google Analytics to WordPress

ga-google-analytics

100

Adds Google Analytics tracking code to your WordPress site. Supports many tracking features.

400K No CVEs

Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing

woocommerce-google-adwords-conversion-tracking-tag

Conversion tracking for WooCommerce. Google Ads, GA4, Meta/Facebook Pixel, TikTok & more. Recover 30% more conversions with server-side tracking!

50K 4 CVEs

Conversios: Google Analytics (GA4), Google Ads, Conversion and Analytics Tracking for Multi-Channels

enhanced-e-commerce-for-woocommerce-store

Track GA4 Analytics, Google Ads, Microsoft Ads, and Conversion with server-side tracking (CAPI), dynamic remarketing, & product feeds for WooCommerce.

10K 10 CVEs

Simple Universal Google Analytics

simple-universal-google-analytics

Enable Universal Google Analytics tracking option on your WordPress site. Add tracking code to every page with WordPress Google Analytics plugin.

4K No CVEs

Better Google Analytics

better-analytics

Track everything with Google Analytics (clicked links, emails opened, YouTube videos being watched, etc.). Includes real time Analytics dashboard.

2K No CVEs

Developer Profile

GA Universal Developer Profile

ethoseo

2 plugins · 80 total installs

trust score

Avg Security Score

74/100

Avg Patch Time

3940 days

View full developer profile

Detection Fingerprints

How We Detect GA Universal

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/ga-universal/js/admin.js/wp-content/plugins/ga-universal/css/admin.css/wp-content/plugins/ga-universal/js/thanks.js

Version Parameters

ga-universal/css/admin.css?ver=ga-universal/js/admin.js?ver=ga-universal/js/thanks.js?ver=

HTML / DOM Fingerprints

HTML Comments

/* BEFORE GA() *//* CREATE(S) *//* PAGE VIEW *//* AFTER GA() */

JS Globals

ethoseo_gau_versionETHOSEO_GAU_PATHETHOSEO_GAU_FILE

FAQ