Hitsteps Web Analytics Security & Risk Analysis

wordpress.org/plugins/hitsteps-visitor-manager

Hitsteps Analytics is a real-time website visitor tracker and SEO analytics tool; it allows you to view and interact with your visitors in real time.

900 active installs · v5.91 · PHP 5.0+ · WP 2.7+ · Updated May 9, 2025
Tags: analytics, chat, live, statistics, stats

Security score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Oct 6, 2023
Safety Verdict

Is Hitsteps Web Analytics Safe to Use in 2026?

Generally Safe

Score 99/100

Hitsteps Web Analytics has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Oct 6, 2023 · Updated 11mo ago
Risk Assessment

The hitsteps-visitor-manager plugin version 5.91 presents a mixed security posture. It demonstrates good practices by using prepared statements for all SQL queries and by including a reasonable number of capability checks (11) and nonce checks (3), but there are significant areas of concern. The presence of two 'dangerous functions' (create_function) is a red flag: this function is deprecated and is a known source of vulnerabilities unless handled with extreme care. Furthermore, static analysis shows that a substantial share of output (82%) is not properly escaped, indicating a high risk of Cross-Site Scripting (XSS). Taint analysis shows four flows with unsanitized paths which, although not classified as critical or high, still represent potential avenues for malicious input to be processed without adequate sanitization.

The vulnerability history of this plugin is also a notable concern. Two known CVEs, both of medium severity and involving Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS), suggest a pattern of susceptibility to common web application attacks. That these vulnerabilities existed at all, even though they are now patched, indicates a historical tendency toward insecure coding practices. While there are no currently unpatched CVEs, the combination of historical vulnerabilities, a high rate of unescaped output, and unsanitized taint flows warrants caution.

In conclusion, the plugin has some strengths in SQL handling and authorization checks. However, the identified dangerous functions, the significant proportion of unescaped output, and the history of XSS and CSRF vulnerabilities point to a plugin that requires careful monitoring and potential remediation. The risk is moderate, primarily due to the potential for XSS and the historical context of past security flaws.

Key Concerns

  • High percentage of unescaped output
  • Taint analysis shows unsanitized paths
  • Use of deprecated dangerous functions
  • History of known CVEs (medium severity)
Vulnerabilities (2)

Hitsteps Web Analytics Security Vulnerabilities

CVEs by Year

2023: 2 CVEs (both patched, none unpatched)

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2023-45268 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Hitsteps Web Analytics <= 5.86 - Cross-Site Request Forgery via hst_optionpage

Oct 6, 2023 · Patched in 5.87 (109d)

CVE-2023-45057 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Hitsteps Web Analytics <= 5.86 - Authenticated (Administrator+) Stored Cross-Site Scripting

Oct 3, 2023 · Patched in 5.87 (112d)
Code Analysis (analyzed Mar 16, 2026)

Hitsteps Web Analytics Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 293 (66 escaped)
Nonce Checks: 3
Capability Checks: 11
File Operations: 0
External Requests: 7
Bundled Libraries: 0

Dangerous Functions Found

create_function (hitsteps.php:1927): add_action('widgets_init', create_function('', 'return register_widget("hst_SUPPORT");'));
create_function (hitsteps.php:2251): add_action('widgets_init', create_function('', 'return register_widget("hst_STATS");'));

Output Escaping

18% escaped (359 total outputs)

Data Flows: 4 unsanitized

Data Flow Analysis

5 flows, 4 with unsanitized paths

add_hitsteps_analytics_to_woo_email (init.woocommerce.php:57)
Attack Surface

Hitsteps Web Analytics Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 59
Type    Hook                                   Location
action  admin_menu                             hitsteps.php:11
action  wp_footer                              hitsteps.php:12
action  wp_head                                hitsteps.php:13
action  plugins_loaded                         hitsteps.php:24
action  admin_bar_menu                         hitsteps.php:447
action  admin_bar_menu                         hitsteps.php:453
action  admin_notices                          hitsteps.php:561
action  wp_dashboard_setup                     hitsteps.php:1709
action  widgets_init                           hitsteps.php:1925
action  widgets_init                           hitsteps.php:1927
action  widgets_init                           hitsteps.php:2249
action  widgets_init                           hitsteps.php:2251
filter  plugin_action_links                    hitsteps.php:2259
filter  manage_posts_columns                   hitsteps.php:2310
filter  manage_pages_columns                   hitsteps.php:2311
action  manage_posts_custom_column             hitsteps.php:2312
action  manage_pages_custom_column             hitsteps.php:2313
action  admin_head                             hitsteps.php:2325
action  plugins_loaded                         init.cf7.php:4
action  admin_init                             init.cf7.php:82
filter  wpcf7_mail_components                  init.cf7.php:188
filter  gform_add_field_buttons                init.gravityform.php:19
filter  gform_field_type_title                 init.gravityform.php:20
action  gform_editor_js                        init.gravityform.php:21
action  gform_field_standard_settings          init.gravityform.php:22
action  gform_field_standard_settings          init.gravityform.php:23
action  gform_field_standard_settings          init.gravityform.php:24
action  gform_field_standard_settings          init.gravityform.php:25
action  gform_field_standard_settings          init.gravityform.php:26
filter  gform_tooltips                         init.gravityform.php:27
filter  gform_tooltips                         init.gravityform.php:28
filter  gform_tooltips                         init.gravityform.php:29
filter  gform_tooltips                         init.gravityform.php:30
action  gform_enqueue_scripts                  init.gravityform.php:32
action  gform_field_input                      init.gravityform.php:33
filter  gform_pre_send_email                   init.gravityform.php:321
action  gform_pre_submission                   init.gravityform.php:322
filter  gform_add_field_buttons                init.gravityform.php:346
filter  gform_field_type_title                 init.gravityform.php:347
action  gform_editor_js                        init.gravityform.php:348
action  gform_enqueue_scripts                  init.gravityform.php:349
action  gform_field_input                      init.gravityform.php:350
action  gform_pre_submission                   init.gravityform.php:457
action  gform_editor_js_set_default_values     init.gravityform.php:678
filter  gform_add_field_buttons                init.gravityform.php:715
filter  gform_field_type_title                 init.gravityform.php:716
action  gform_editor_js                        init.gravityform.php:717
action  gform_enqueue_scripts                  init.gravityform.php:718
action  gform_field_input                      init.gravityform.php:719
action  gform_pre_submission                   init.gravityform.php:826
filter  grunion_contact_form_field_html        init.jetpack.php:5
filter  contact_form_message                   init.jetpack.php:6
action  admin_init                             init.ninjaform.php:22
action  init                                   init.ninjaform.php:23
action  init                                   init.ninjaform.php:24
action  ninja_forms_pre_process                init.ninjaform.php:30
action  woocommerce_email_after_order_table    init.woocommerce.php:3
filter  woocommerce_after_order_notes          init.woocommerce.php:4
filter  woocommerce_pay_order_after_submit     init.woocommerce.php:5
Maintenance & Trust

Hitsteps Web Analytics Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: May 9, 2025
PHP min version: 5.0
Downloads: 133K

Community Trust

Rating: 78/100
Number of ratings: 7
Active installs: 900
Developer Profile

Hitsteps Web Analytics Developer Profile

Hitsteps

1 plugin · 900 total installs
Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 111 days
Detection Fingerprints

How We Detect Hitsteps Web Analytics

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/hitsteps-visitor-manager/hitsteps.js
/wp-content/plugins/hitsteps-visitor-manager/hitsteps.css
Script Paths
https://edgecdnplus.com/code
Version Parameters
hitsteps-visitor-manager/hitsteps.css?ver=
hitsteps-visitor-manager/hitsteps.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- SNIPPET CODE
<!-- TRACKING CODE
<!-- Hitsteps tracking code not shown because you're an administrator and you've configured Hitsteps plugin to ignore administrators visits.
Data Attributes
hstc.src, hstc.async, hstc.defer, htssc.parentNode.insertBefore
JS Globals
MySearch_hs_uniqueid, ipname, ipnames, ipemails, nochat, +1 more
FAQ

Frequently Asked Questions about Hitsteps Web Analytics