Microsoft Clarity Security & Risk Analysis

wordpress.org/plugins/microsoft-clarity

How do you make your website great? Clarity can help you quickly see what's working on your site and where people get stuck. And it's free.

100K active installs · v0.10.22 · PHP + WP 4.0+ · Updated Mar 19, 2026
behavioral-analytics · clarity · microsoft
99
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Feb 16, 2024
Safety Verdict

Is Microsoft Clarity Safe to Use in 2026?

Generally Safe

Score 99/100

Microsoft Clarity has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Feb 16, 2024 · Updated 2mo ago
Risk Assessment

Version 0.10.21 of the 'microsoft-clarity' plugin has a generally good security posture, with a strong emphasis on prepared SQL statements and a significant portion of outputs properly escaped. The static analysis shows a limited attack surface: all identified entry points (AJAX handlers) are protected by authentication checks. There are no shortcodes, cron events, or REST API routes to consider, which further reduces potential exposure.

However, 5 flows have unsanitized paths. None carries a critical or high severity taint issue, but they warrant attention because they could potentially be exploited under specific conditions. The plugin also has a history of two medium severity vulnerabilities, specifically Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS), the most recent in February 2024. There are currently no unpatched CVEs, but this history indicates a pattern of past security weaknesses that could resurface if not addressed proactively. The file operations and external HTTP requests are not inherently insecure, but should be monitored for unexpected behavior or data mishandling.

Key Concerns

  • Flows with unsanitized paths
  • History of medium severity vulnerabilities
Vulnerabilities
2 published

Microsoft Clarity Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2024: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2024-0590 · medium · 6.1 · Cross-Site Request Forgery (CSRF)

Microsoft Clarity <= 0.9.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Feb 16, 2024 · Patched in 0.9.4 (165d)

CVE-2021-33850 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Microsoft Clarity <= 0.3 - Authenticated Stored Cross-Site Scripting

Oct 18, 2021 · Patched in 0.4 (827d)
Version History

Microsoft Clarity Release Timeline

v0.10.22 (Current) · 7 files changed
v0.10.21 · 15 files changed
v0.10.20 · 5 files changed
v0.10.19 · 4 files changed
v0.10.18 · 2 files changed
v0.10.17 · 5 files changed
v0.10.16 · 6 files changed
v0.10.15 · 2 files changed
v0.10.14 · 3 files changed
v0.10.13 · 2 files changed
v0.10.12 · 3 files changed
v0.10.11 · 4 files changed
v0.10.10 · 3 files changed
v0.10.9 · 3 files changed
v0.10.8 · 2 files changed
v0.10.7 · 2 files changed
v0.10.6 · 2 files changed
v0.10.5 · 2 files changed
v0.10.4 · 3 files changed
v0.10.3
Code Analysis
Analyzed Mar 16, 2026

Microsoft Clarity Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (20 prepared)
Unescaped Output: 12 (30 escaped)
Nonce Checks: 5
Capability Checks: 8
File Operations: 2
External Requests: 11
Bundled Libraries: 0

SQL Query Safety

87% prepared · 23 total queries

Output Escaping

71% escaped · 42 total outputs
Data Flows · Security
5 unsanitized

Data Flow Analysis

8 flows · 5 with unsanitized paths
brandagent_handle_remove_from_waitlist_success_callback (clarity-page.php:9)
Attack Surface

Microsoft Clarity Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers 2

auth · wp_ajax_edit_clarity_project_id · clarity-page.php:483
auth · wp_ajax_edit_agent_enabled_status · clarity-page.php:523

WordPress Hooks 38

filter · cron_schedules · clarity-collect-batch.php:30
filter · clrt_integrate_with_clarity · clarity-hooks.php:10
action · init · clarity-page.php:8
action · init · clarity-page.php:93
action · init · clarity-page.php:181
action · admin_menu · clarity-page.php:348
action · admin_init · clarity-page.php:370
action · admin_notices · clarity-page.php:399
action · admin_enqueue_scripts · clarity-page.php:445
action · admin_notices · clarity-page.php:562
action · admin_action_trigger_plugin_update · clarity-page.php:604
action · admin_notices · clarity-page.php:648
action · shutdown · clarity-server-analytics.php:42
action · admin_init · clarity.php:26
action · wp_head · clarity.php:190
action · wp_head · clarity.php:215
action · admin_init · clarity.php:290
action · init · clarity.php:366
filter · query_vars · clarity.php:376
action · template_redirect · clarity.php:387
action · rest_api_init · clarity.php:396
action · init · clarity.php:403
filter · woocommerce_valid_webhook_resources · includes\brandagent-custom-webhooks.php:27
filter · woocommerce_valid_webhook_events · includes\brandagent-custom-webhooks.php:47
filter · woocommerce_webhook_topics · includes\brandagent-custom-webhooks.php:60
filter · woocommerce_webhook_topic_hooks · includes\brandagent-custom-webhooks.php:88
filter · woocommerce_webhook_payload · includes\brandagent-custom-webhooks.php:213
action · woocommerce_add_to_cart · includes\brandagent-custom-webhooks.php:361
action · woocommerce_cart_item_removed · includes\brandagent-custom-webhooks.php:362
action · woocommerce_cart_item_restored · includes\brandagent-custom-webhooks.php:363
action · woocommerce_after_cart_item_quantity_update · includes\brandagent-custom-webhooks.php:364
action · woocommerce_loaded · includes\brandagent-custom-webhooks.php:548
filter · woocommerce_webhook_payload · includes\brandagent-custom-webhooks.php:628
action · woocommerce_checkout_order_created · includes\brandagent-custom-webhooks.php:649
filter · woocommerce_webhook_payload · includes\brandagent-custom-webhooks.php:806
action · template_redirect · includes\brandagent-custom-webhooks.php:833
action · woocommerce_loaded · includes\brandagent-custom-webhooks.php:875
filter · woocommerce_webhook_http_args · includes\brandagent-webhooks.php:50
Maintenance & Trust

Microsoft Clarity Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 19, 2026
PHP min version
Downloads: 1.8M

Community Trust

Rating: 96/100
Number of ratings: 13
Active installs: 100K
Developer Profile

Microsoft Clarity Developer Profile

Microsoft

3 plugins · 105K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 519 days
Detection Fingerprints

How We Detect Microsoft Clarity

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/microsoft-clarity/clarity-page.php
/wp-content/plugins/microsoft-clarity/clarity-hooks.php
/wp-content/plugins/microsoft-clarity/clarity-server-analytics.php
/wp-content/plugins/microsoft-clarity/includes/brandagent-config.php
/wp-content/plugins/microsoft-clarity/includes/brandagent-webhooks.php
/wp-content/plugins/microsoft-clarity/includes/brandagent-custom-webhooks.php
/wp-content/plugins/microsoft-clarity/includes/brandagent-rest-api.php
Script Paths
https://www.clarity.ms/tag/
https://adsagentclientafd-b7hqhjdrf3fpeqh2.b01.azurefd.net/frontendInjection.js

HTML / DOM Fingerprints

JS Globals
clarity
brandagent_register_routes
clrt_update_clarity_options
clarity_activation_redirect
clarity_on_activation
clarity_on_deactivation
+14 more
REST Endpoints
/wp-json/brandagent/v1/register-routes
FAQ

Frequently Asked Questions about Microsoft Clarity