Just Writing Statistics Security & Risk Analysis

wordpress.org/plugins/just-writing-statistics

Calculate your writing statistics on your WordPress site.

1K active installs · v5.4 · PHP + WP 4.6+ · Updated Feb 26, 2025
Tags: authors, reading-time, word-count, words, writing
Score: 90 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Mar 27, 2025
Safety Verdict

Is Just Writing Statistics Safe to Use in 2026?

Generally Safe

Score 90/100

Just Writing Statistics has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Mar 27, 2025 · Updated 1yr ago
Risk Assessment

The "just-writing-statistics" plugin v5.4 exhibits a mixed security posture. While it shows positive signs like a high percentage of SQL queries using prepared statements and the absence of dangerous functions or file operations, significant concerns remain. The presence of one AJAX handler without any authentication checks is a critical oversight, creating a direct entry point for potential attackers. Furthermore, the plugin has a history of three medium-severity vulnerabilities, including SQL injection and cross-site scripting, indicating a recurring pattern of input validation and authorization issues. Although these past vulnerabilities are currently patched, the historical data combined with the unauthenticated AJAX endpoint suggests a need for ongoing vigilance and improvement in the plugin's security practices.

Key Concerns

  • AJAX handler without authentication check
  • Historical medium severity vulnerabilities (x3)
  • Output escaping concerns (only 38% properly escaped)
Vulnerabilities
3 published

Just Writing Statistics Security Vulnerabilities

CVEs by Year

2024: 2 CVEs
2025: 1 CVE

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2025-30803 · medium · 4.3 · Missing Authorization

Just Writing Statistics <= 5.3 - Missing Authorization

Mar 27, 2025 Patched in 5.4 (7d)
CVE-2024-56250 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Just Writing Statistics <= 4.7 - Authenticated (Administrator+) SQL Injection

Dec 30, 2024 Patched in 4.8 (10d)
CVE-2024-35641 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Just Writing Statistics <= 4.5 - Authenticated (Admin+) Stored Cross-Site Scripting

May 30, 2024 Patched in 4.6 (7d)
Code Analysis
Analyzed Mar 16, 2026

Just Writing Statistics Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (19 prepared)
Unescaped Output: 147 (92 escaped)
Nonce Checks: 1
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

90% prepared · 21 total queries

Output Escaping

38% escaped · 239 total outputs
Attack Surface
1 unprotected

Just Writing Statistics Attack Surface

Entry Points: 5
Unprotected: 1

AJAX Handlers 1

auth wp_ajax_jws_calculate includes\class-jws.php:142

Shortcodes 4

[justwritingstatistics] public\class-jws-public.php:71
[just-writing-statistics] public\class-jws-public.php:72
[justwritingstatistics-reading-time] public\class-jws-public.php:109
[just-writing-statistics-reading-time] public\class-jws-public.php:110
WordPress Hooks 11
action plugins_loaded includes\class-jws.php:125
action admin_init includes\class-jws.php:139
action plugins_loaded includes\class-jws.php:140
action admin_enqueue_scripts includes\class-jws.php:144
action admin_enqueue_scripts includes\class-jws.php:145
action admin_menu includes\class-jws.php:148
action save_post includes\class-jws.php:151
filter post_row_actions includes\class-jws.php:179
filter page_row_actions includes\class-jws.php:180
action init includes\class-jws.php:194
filter the_content includes\class-jws.php:195
Maintenance & Trust

Just Writing Statistics Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Feb 26, 2025
PHP min version
Downloads: 11K

Community Trust

Rating: 100/100
Number of ratings: 4
Active installs: 1K
Developer Profile

Just Writing Statistics Developer Profile

Greg Ross

35 plugins · 8K total installs

Trust score: 79
Avg Security Score: 87/100
Avg Patch Time: 39 days
Detection Fingerprints

How We Detect Just Writing Statistics

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
