[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmx0uaafuXkPSplhLjy3gtN935EfJ9mTBitSCC2s40Rg":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":31,"crawl_stats":28,"alternatives":37,"analysis":38,"fingerprints":299},"livevisi","LiveVisi – Live Visitors Activity Tracker for WP Website","1.0.1","SinodTech","https:\u002F\u002Fprofiles.wordpress.org\u002Fsinodtech\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fsinodtech.com\u002Flivevisi\" rel=\"nofollow ugc\">LiveVisi\u003C\u002Fa> is a powerful real-time and live website visitor tracking plugin for WordPress that helps you understand how users interact with your site. In addition, you can track visitors’ IP, location, browser, device, OS, and referring site.\u003C\u002Fp>\n\u003Cp>You can monitor visitors in real-time, as well as screen recordings, what they are doing on your webpage. You can analyze page performance and track traffic sources through a clean, modern dashboard designed for clarity and speed.\u003C\u002Fp>\n\u003Cp>The most important feature is that you can show ads to your visitors. 
If someone visits your website once, you can show them ads on Meta’s social sites and Google.\u003C\u002Fp>\n\u003Cp>You can gain deeper insights through detailed visitor profiles, event tracking, and privacy-focused analytics.\u003C\u002Fp>\n\u003Cp>All data is stored securely on your own servers, giving you complete control and instantly improving engagement, optimizing content, and making smart decisions based on real user behavior.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Real-Time Visitor Tracking:\u003C\u002Fstrong> See who is on your site right now (Live).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Visitor Profiles:\u003C\u002Fstrong> Track unique visitors, their device, browser, OS, and location.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Show Ads to Visitors:\u003C\u002Fstrong> Run ads to people who visited your site. \u003Cstrong>(Pro)\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Specific URL Track:\u003C\u002Fstrong> You can track URL’s visitors, their device, browser, OS, and location. \u003Cstrong>(Pro)\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Session Replay:\u003C\u002Fstrong> Visitor activity on your webpage is recorded and viewable as a video. \u003Cstrong>(Pro)\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Page Analytics:\u003C\u002Fstrong> View top performing pages and time spent on page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Traffic Sources:\u003C\u002Fstrong> Understand where your traffic is coming from (Direct, Organic Search, Social Media, Referral).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Event Tracking:\u003C\u002Fstrong> Automatically track clicks on external links and buttons. 
Custom event tracking via JS API.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Beautiful Dashboard:\u003C\u002Fstrong> A clean and modern admin dashboard to view all your stats.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Privacy Focused:\u003C\u002Fstrong> Data is stored locally on your server.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>External Services\u003C\u002Fh3>\n\u003Cp>This plugin connects to the following third-party services:\u003C\u002Fp>\n\u003Cp>\u003Cstrong>IP-API.com (GeoIP Service)\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>This plugin connects to IP-API.com to obtain geographic location information (country, region, city) for website visitors. It’s needed to display visitor location data in the analytics dashboard.\u003C\u002Fp>\n\u003Cp>It sends the visitor’s IP address to IP-API.com when a new visitor is tracked. This data is cached locally for 24 hours to minimize API calls, so the IP address is sent only once per unique visitor or when the cache expires. The location information is then stored locally in your WordPress database.\u003C\u002Fp>\n\u003Cp>This API service is provided by “IP-API.com”:  \u003Ca href=\"http:\u002F\u002Fip-api.com\u002Fdocs\u002Flegal\" rel=\"nofollow ugc\">terms of use\u003C\u002Fa> \u003Ca href=\"http:\u002F\u002Fip-api.com\u002Fdocs\u002Flegal\" rel=\"nofollow ugc\">privacy policy\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>FlagCDN.com (Country Flag Images)\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>This plugin connects to FlagCDN.com to display country flag icons in the admin dashboard next to visitor location information. It’s needed to provide a visual representation of visitor countries in the analytics interface.\u003C\u002Fp>\n\u003Cp>It sends the two-letter country code (ISO 3166-1 alpha-2 format, e.g., “us”, “gb”, “de”) in the image URL request when the admin dashboard or visitor list pages are loaded. No personal information, IP addresses, or visitor data is sent to FlagCDN.com. 
The country code is derived from the visitor’s location data that was previously obtained from IP-API.com and stored locally in your database. Flag images are loaded only when an administrator views the LiveVisi dashboard or visitor list pages in the WordPress admin area. The images are not loaded on the public-facing website.\u003C\u002Fp>\n\u003Cp>This API service is provided by \u003Ca href=\"https:\u002F\u002Fflagcdn.com\" rel=\"nofollow ugc\">FlagCDN.com\u003C\u002Fa> . The \u003Ca href=\"https:\u002F\u002Fflagpedia.net\u002Fprivacy-policy\" rel=\"nofollow ugc\">Privacy & Policy\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fflagpedia.net\u002Fterms\" rel=\"nofollow ugc\">terms of use\u003C\u002Fa>\u003C\u002Fp>\n\u003Ch3>Privacy & Data Collection\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>What Data is Collected:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>This plugin collects the following information from website visitors:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>IP Address:\u003C\u002Fstrong> Used to identify unique visitors and determine geographic location (country, region, city) via IP-API.com service. 
IP addresses are stored in the database.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Browser Information:\u003C\u002Fstrong> Browser type and version, operating system, device type (desktop, mobile, tablet), and screen resolution.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Page Information:\u003C\u002Fstrong> URLs visited, page titles, referrer URLs, and time spent on pages.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User Behavior:\u003C\u002Fstrong> Scroll depth, clicks, and session duration.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Traffic Source:\u003C\u002Fstrong> Referrer information, UTM parameters, and traffic source detection (search engines, social media, direct visits).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Local Storage:\u003C\u002Fstrong> A unique visitor ID is stored in the browser’s local Storage to identify returning visitors.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WordPress User Information (Logged-in Users Only):\u003C\u002Fstrong> For visitors who are logged into WordPress, the plugin may collect and store their WordPress user email address and display name. This information is only collected for logged-in WordPress users and is used to identify registered users in the analytics dashboard. This data is not collected for anonymous\u002Fguest visitors.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>How Data is Used:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>All collected data is stored locally on your server in WordPress database tables.\u003C\u002Fli>\n\u003Cli>Data is used to provide analytics and visitor insights through the plugin’s admin dashboard.\u003C\u002Fli>\n\u003Cli>Geographic location data (country, region, city) is obtained by sending IP addresses to IP-API.com service (documented in External Services section above).\u003C\u002Fli>\n\u003Cli>For logged-in WordPress users, their email address and display name are associated with their visit data to help identify registered users in analytics reports. 
This information is only collected when a user is actively logged into WordPress.\u003C\u002Fli>\n\u003Cli>Anonymous\u002Fguest visitors are tracked using IP addresses only – no email addresses or names are collected for non-logged-in visitors.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Data Storage:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>All tracking data is stored in your WordPress database tables: \u003Ccode>wp_livevisi_visitors\u003C\u002Fcode> and \u003Ccode>wp_livevisi_pageviews\u003C\u002Fcode>.\u003C\u002Fli>\n\u003Cli>Data remains on your server and is not shared with third parties.\u003C\u002Fli>\n\u003Cli>You can delete all tracking data by deactivating and deleting the plugin (see Uninstall section).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Opt-Out & Privacy Controls:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Website administrators can exclude specific IP addresses from tracking in the plugin settings.\u003C\u002Fli>\n\u003Cli>The plugin respects the browser’s “Do Not Track” (DNT) preference and will not track visitors who have DNT enabled.\u003C\u002Fli>\n\u003Cli>Visitors can opt-out by setting \u003Ccode>localStorage.setItem('livevisi_optout', 'true')\u003C\u002Fcode> in their browser console.\u003C\u002Fli>\n\u003Cli>The plugin does not use cookies for tracking (uses localStorage instead).\u003C\u002Fli>\n\u003Cli>Website owners can implement additional consent mechanisms (cookie banners, privacy notices) as required by their jurisdiction.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Compliance Notes:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>This plugin collects analytics data similar to other WordPress analytics plugins.\u003C\u002Fli>\n\u003Cli>Website owners are responsible for ensuring compliance with applicable privacy laws (GDPR, CCPA, etc.) 
in their jurisdiction.\u003C\u002Fli>\n\u003Cli>Website owners should disclose the use of this plugin in their privacy policy.\u003C\u002Fli>\n\u003Cli>For GDPR compliance, website owners may need to obtain visitor consent before tracking, depending on their jurisdiction and use case.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Data Retention:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Tracking data is stored indefinitely until manually deleted by the website administrator or when the plugin is uninstalled.\u003C\u002Fli>\n\u003Cli>Website administrators can manually delete visitor data through the WordPress database or by uninstalling the plugin.\u003C\u002Fli>\n\u003C\u002Ful>\n","LiveVisi is a real-time WordPress analytics plugin that tracks website visitors, page views, how much time they are spending on the site.",50,307,100,2,"2026-01-13T09:51:00.000Z","6.9.4","6.3","7.4",[20,21,22,23,24],"live-visitor-tracker","traffic-tracker-plugin","visitor-tracking-plugin","wordpress-visitor-tracker","wp-real-time-visitor","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Flivevisi","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flivevisi.1.0.1.zip",0,null,"2026-03-15T15:16:48.613Z",[],{"slug":32,"display_name":7,"profile_url":8,"plugin_count":33,"total_installs":11,"avg_security_score":13,"avg_patch_time_days":34,"trust_score":35,"computed_at":36},"sinodtech",1,30,94,"2026-04-04T21:12:24.254Z",[],{"attackSurface":39,"codeSignals":99,"taintFlows":240,"riskAssessment":289,"analyzedAt":298},{"hooks":40,"ajaxHandlers":70,"restRoutes":71,"shortcodes":96,"cronEvents":97,"entryPointCount":98,"unprotectedCount":14},[41,47,49,52,55,58,63,66],{"type":42,"name":43,"callback":44,"file":45,"line":46},"action","admin_enqueue_scripts","anonymous","includes\\class-core.php",32,{"type":42,"name":43,"callback":44,"file":45,"line":48},33,{"type":42,"name":50,"callback":44,"file":45,"line":51},"admin_menu",34,{"type":42,"name":53,"callback":44,"file":45,"lin
e":54},"wp_enqueue_scripts",40,{"type":42,"name":56,"callback":44,"file":45,"line":57},"rest_api_init",44,{"type":59,"name":60,"callback":61,"file":62,"line":51},"filter","admin_body_class","closure","livevisi.php",{"type":59,"name":60,"callback":61,"file":64,"line":65},"templates\\admin-live-visitor.php",248,{"type":42,"name":67,"callback":61,"file":68,"line":69},"admin_notices","templates\\admin-settings.php",142,[],[72,81,86,91],{"namespace":73,"route":74,"methods":75,"callback":77,"permissionCallback":78,"file":79,"line":80},"livevisi\u002Fv1","\u002Ftrack",[76],"GET","track_visitor","__return_true","includes\\class-api.php",23,{"namespace":73,"route":82,"methods":83,"callback":84,"permissionCallback":78,"file":79,"line":85},"\u002Fheartbeat",[76],"update_heartbeat",43,{"namespace":73,"route":87,"methods":88,"callback":89,"permissionCallback":61,"file":79,"line":90},"\u002Fchart-data",[76],"get_chart_data",59,{"namespace":73,"route":92,"methods":93,"callback":94,"permissionCallback":61,"file":79,"line":95},"\u002Fsave-settings",[76],"save_settings",76,[],[],4,{"dangerousFunctions":100,"sqlUsage":101,"outputEscaping":130,"fileOperations":27,"externalRequests":33,"nonceChecks":98,"capabilityChecks":238,"bundledLibraries":239},[],{"prepared":102,"raw":103,"locations":104},36,11,[105,109,111,113,115,117,119,121,123,125,127],{"file":106,"line":107,"context":108},"templates\\admin-dashboard.php",198,"$wpdb->get_var() with variable interpolation",{"file":106,"line":110,"context":108},204,{"file":106,"line":112,"context":108},212,{"file":106,"line":114,"context":108},230,{"file":106,"line":116,"context":108},236,{"file":106,"line":118,"context":108},244,{"file":106,"line":12,"context":120},"$wpdb->get_results() with variable interpolation",{"file":106,"line":122,"context":120},320,{"file":106,"line":124,"context":120},364,{"file":106,"line":126,"context":120},628,{"file":128,"line":102,"context":129},"uninstall.php","$wpdb->query() with variable 
interpolation",{"escaped":131,"rawEcho":132,"locations":133},162,53,[134,137,139,141,143,145,147,149,151,153,155,157,159,161,163,165,167,169,171,173,175,177,179,181,183,185,187,189,191,193,195,197,199,201,203,205,207,209,211,213,215,217,219,221,223,225,227,228,230,232,234,235,237],{"file":106,"line":135,"context":136},686,"raw output",{"file":106,"line":138,"context":136},690,{"file":106,"line":140,"context":136},694,{"file":106,"line":142,"context":136},697,{"file":106,"line":144,"context":136},701,{"file":106,"line":146,"context":136},705,{"file":106,"line":148,"context":136},709,{"file":106,"line":150,"context":136},713,{"file":106,"line":152,"context":136},717,{"file":106,"line":154,"context":136},773,{"file":64,"line":156,"context":136},262,{"file":64,"line":158,"context":136},270,{"file":64,"line":160,"context":136},288,{"file":64,"line":162,"context":136},297,{"file":64,"line":164,"context":136},301,{"file":64,"line":166,"context":136},305,{"file":64,"line":168,"context":136},309,{"file":64,"line":170,"context":136},313,{"file":64,"line":172,"context":136},317,{"file":64,"line":174,"context":136},321,{"file":64,"line":176,"context":136},325,{"file":64,"line":178,"context":136},329,{"file":64,"line":180,"context":136},386,{"file":64,"line":182,"context":136},424,{"file":64,"line":184,"context":136},434,{"file":64,"line":186,"context":136},438,{"file":64,"line":188,"context":136},442,{"file":64,"line":190,"context":136},446,{"file":64,"line":192,"context":136},450,{"file":64,"line":194,"context":136},454,{"file":64,"line":196,"context":136},458,{"file":64,"line":198,"context":136},462,{"file":64,"line":200,"context":136},466,{"file":64,"line":202,"context":136},470,{"file":64,"line":204,"context":136},525,{"file":68,"line":206,"context":136},144,{"file":68,"line":208,"context":136},151,{"file":68,"line":210,"context":136},161,{"file":68,"line":212,"context":136},163,{"file":68,"line":214,"context":136},165,{"file":68,"line":216,"context":136},166,{"file":68,"li
ne":218,"context":136},172,{"file":68,"line":220,"context":136},206,{"file":68,"line":222,"context":136},207,{"file":224,"line":51,"context":136},"templates\\admin-specific-url-track.php",{"file":224,"line":226,"context":136},35,{"file":224,"line":102,"context":136},{"file":224,"line":229,"context":136},37,{"file":224,"line":231,"context":136},38,{"file":224,"line":233,"context":136},39,{"file":224,"line":54,"context":136},{"file":224,"line":236,"context":136},41,{"file":224,"line":85,"context":136},7,[],[241,265,275],{"entryPoint":242,"graph":243,"unsanitizedCount":33,"severity":264},"track_visitor (includes\\class-api.php:202)",{"nodes":244,"edges":260},[245,250,254],{"id":246,"type":247,"label":248,"file":79,"line":249},"n0","source","$_SERVER",361,{"id":251,"type":252,"label":253,"file":79,"line":249},"n1","transform","→ get_geoip_data()",{"id":255,"type":256,"label":257,"file":79,"line":258,"wp_function":259},"n2","sink","wp_remote_get() [SSRF]",495,"wp_remote_get",[261,263],{"from":246,"to":251,"sanitized":262},false,{"from":251,"to":255,"sanitized":262},"medium",{"entryPoint":266,"graph":267,"unsanitizedCount":33,"severity":264},"\u003Cclass-api> (includes\\class-api.php:0)",{"nodes":268,"edges":272},[269,270,271],{"id":246,"type":247,"label":248,"file":79,"line":249},{"id":251,"type":252,"label":253,"file":79,"line":249},{"id":255,"type":256,"label":257,"file":79,"line":258,"wp_function":259},[273,274],{"from":246,"to":251,"sanitized":262},{"from":251,"to":255,"sanitized":262},{"entryPoint":276,"graph":277,"unsanitizedCount":33,"severity":288},"\u003Cadmin-live-visitor> (templates\\admin-live-visitor.php:0)",{"nodes":278,"edges":286},[279,282],{"id":246,"type":247,"label":280,"file":64,"line":281},"$_GET",84,{"id":251,"type":256,"label":283,"file":64,"line":284,"wp_function":285},"get_results() [SQLi]",106,"get_results",[287],{"from":246,"to":251,"sanitized":262},"high",{"summary":290,"deductions":291},"The \"livevisi\" v1.0.1 plugin exhibits a mixed 
security posture. While it shows good practices in avoiding dangerous functions and file operations, and a relatively high percentage of prepared statements and output escaping, several areas raise concerns. The presence of REST API routes without permission callbacks represents a significant attack surface that could lead to unauthorized access or actions if exploited. The taint analysis also indicates a potential issue with unsanitized paths, even though it's not classified as critical. The plugin's clean vulnerability history is a positive sign, suggesting a history of secure development or diligent patching by developers. However, the identified entry points without proper authentication checks are a direct risk that needs immediate attention. Overall, the plugin has strengths in its core development practices, but the lack of robust access control on certain REST API endpoints is a notable weakness that warrants caution.",[292,295],{"reason":293,"points":294},"REST API routes without permission callbacks",10,{"reason":296,"points":297},"Taint flow with unsanitized paths (High 
severity)",12,"2026-03-16T21:59:27.241Z",{"wat":300,"direct":311},{"assetPaths":301,"generatorPatterns":305,"scriptPaths":306,"versionParams":307},[302,303,304],"\u002Fwp-content\u002Fplugins\u002Flivevisi\u002Fassets\u002Fcss\u002Fadmin.css","\u002Fwp-content\u002Fplugins\u002Flivevisi\u002Fassets\u002Fjs\u002Fadmin.js","\u002Fwp-content\u002Fplugins\u002Flivevisi\u002Fassets\u002Fjs\u002Fchart.js",[],[303,304],[308,309,310],"livevisi\u002Fassets\u002Fcss\u002Fadmin.css?ver=","livevisi\u002Fassets\u002Fjs\u002Fadmin.js?ver=","livevisi\u002Fassets\u002Fjs\u002Fchart.js?ver=",{"cssClasses":312,"htmlComments":315,"htmlAttributes":316,"restEndpoints":319,"jsGlobals":321,"shortcodeOutput":324},[313,314],"livevisi-dark-mode","livevisi-pro-lock-icon",[],[317,318],"data-livevisi-url","data-livevisi-nonce",[320],"\u002Flivevisi\u002Fv1\u002F",[322,323],"livevisiApiSettings","livevisiChartData",[]]