NewStatPress Security & Risk Analysis

wordpress.org/plugins/newstatpress

NewStatPress (Statpress plugin fork) is a real-time plugin to manage the visits' statistics about your blog (without external web analytics).

9K active installs · v1.4.4 · PHP + WP 3.5+ · Updated Jan 6, 2026
Tags: analytics, dashboard, statistics, tracking, visits

Score: 76
Grade: B · Generally Safe
CVEs total: 10
Unpatched: 0
Last CVE: Dec 11, 2025
Safety Verdict

Is NewStatPress Safe to Use in 2026?

Mostly Safe

Score 76/100

NewStatPress is generally safe to use. 10 past CVEs were resolved. Keep it updated.

10 known CVEs · Last CVE: Dec 11, 2025 · Updated 2mo ago
Risk Assessment

The security posture of the 'newstatpress' plugin v1.4.4 presents a mixed bag. On the positive side, the plugin demonstrates good practices by heavily utilizing prepared statements for its SQL queries (98%) and performing proper output escaping for a majority of its outputs (90%). It also incorporates a decent number of nonce and capability checks, indicating an awareness of common WordPress security mechanisms. However, significant concerns arise from the presence of four unprotected AJAX handlers, forming a substantial portion of its attack surface that is directly accessible to unauthenticated users. This is further amplified by a high severity taint flow indicating potential injection vulnerabilities that have not been adequately sanitized.

Key Concerns

  • Unprotected AJAX handlers on attack surface
  • High severity taint flow found
  • 10 known CVEs, history of critical/high vulns
Vulnerabilities: 10

NewStatPress Security Vulnerabilities

CVEs by Year

  • 2015: 7 CVEs
  • 2017: 1 CVE
  • 2022: 1 CVE
  • 2025: 1 CVE

All listed CVEs are patched; none is unpatched.

Severity Breakdown

  • Critical: 2
  • High: 3
  • Medium: 5

10 total CVEs

CVE-2025-13747 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  NewStatPress <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
  Dec 11, 2025 · Patched in 1.4.4 (28d)

CVE-2022-0206 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  NewStatPress <= 1.3.5 - Reflected Cross-Site Scripting
  Jan 13, 2022 · Patched in 1.3.6 (740d)

CVE-2017-18575 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  NewStatPress < 1.2.5 - Unauthenticated Stored Cross-Site Scripting
  Mar 1, 2017 · Patched in 1.2.5 (2519d)

CVE-2015-9313 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  NewStatPress < 1.0.6 - SQL Injection
  Jul 7, 2015 · Patched in 1.0.6 (3122d)

CVE-2015-9312 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  NewStatPress < 1.0.6 - Reflected Cross-Site Scripting
  Jul 7, 2015 · Patched in 1.0.6 (3122d)

CVE-2015-9314 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  NewStatPress <= 1.0.3 - Stored Cross-Site Scripting
  Jun 30, 2015 · Patched in 1.0.4 (3129d)

CVE-2015-9311 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  NewStatPress <= 1.0.6 - Reflected Cross-Site Scripting
  Jun 25, 2015 · Patched in 1.0.7 (3134d)

CVE-2015-9315 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  NewStatPress <= 1.0.0 - SQL Injection
  Jun 8, 2015 · Patched in 1.0.1 (3151d)

CVE-2015-4062 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  NewStatPress <= 0.9.8 - Authenticated SQL Injection
  May 25, 2015 · Patched in 0.9.9 (3165d)

CVE-2015-4063 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  NewStatPress <= 0.9.8 - Authenticated Cross-Site Scripting
  May 25, 2015 · Patched in 0.9.9 (3165d)
Code Analysis
Analyzed Mar 17, 2026

NewStatPress Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 5 (299 prepared)
  • Unescaped Output: 72 (631 escaped)
  • Nonce Checks: 27
  • Capability Checks: 10
  • File Operations: 0
  • External Requests: 2
  • Bundled Libraries: 0

SQL Query Safety

98% prepared · 304 total queries

Output Escaping

90% escaped · 703 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

13 flows · 2 with unsanitized paths

  • newstatpress_external_api_ajax (includes\api\external.php:37)
Attack Surface: 4 unprotected

NewStatPress Attack Surface

Entry Points: 5
Unprotected: 4

AJAX Handlers (4)

  • auth · wp_ajax_newstatpress_variables (newstatpress.php:414)
  • nopriv · wp_ajax_newstatpress_variables (newstatpress.php:415)
  • auth · wp_ajax_newstatpress_external (newstatpress.php:418)
  • nopriv · wp_ajax_newstatpress_external (newstatpress.php:419)

Shortcodes (1)

  • [NewStatPress] (includes\nsp-core.php:1058)

WordPress Hooks (17)

  • filter · cron_schedules (includes\nsp-functions-extra.php:91)
  • action · admin_notices (includes\nsp-functions-extra.php:325)
  • action · admin_notices (includes\nsp-functions-extra.php:375)
  • action · admin_init (includes\nsp-functions-extra.php:400)
  • action · admin_notices (newstatpress.php:258)
  • action · admin_notices (newstatpress.php:289)
  • action · admin_init (newstatpress.php:296)
  • action · init (newstatpress.php:320)
  • action · admin_enqueue_scripts (newstatpress.php:393)
  • action · plugins_loaded (newstatpress.php:401)
  • action · wp_dashboard_setup (newstatpress.php:407)
  • action · admin_menu (newstatpress.php:483)
  • filter · wp_mail_content_type (newstatpress.php:684)
  • action · nsp_mail_notification (newstatpress.php:752)
  • filter · plugin_action_links (newstatpress.php:776)
  • action · send_headers (newstatpress.php:1470)
  • action · plugins_loaded (newstatpress.php:1919)

Scheduled Events (4)

  • nsp_mail_notification
  • nsp_mail_notification
  • nsp_mail_notification
  • nsp_mail_notification
Maintenance & Trust

NewStatPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 6, 2026
PHP min version
Downloads: 939K

Community Trust

Rating: 94/100
Number of ratings: 84
Active installs: 9K
Developer Profile

NewStatPress Developer Profile

ice00

1 plugin · 9K total installs

Trust score: 62
Avg Security Score: 76/100
Avg Patch Time: 2528 days
Detection Fingerprints

How We Detect NewStatPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/newstatpress/css/newstatpress-admin.css
  • /wp-content/plugins/newstatpress/css/newstatpress-frontend.css
  • /wp-content/plugins/newstatpress/js/newstatpress-admin.js
  • /wp-content/plugins/newstatpress/js/newstatpress-frontend.js

Script Paths
  • /wp-content/plugins/newstatpress/js/newstatpress-admin.js
  • /wp-content/plugins/newstatpress/js/newstatpress-frontend.js

Version Parameters
  • newstatpress/css/newstatpress-admin.css?ver=
  • newstatpress/css/newstatpress-frontend.css?ver=
  • newstatpress/js/newstatpress-admin.js?ver=
  • newstatpress/js/newstatpress-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • newstatpress, nsp_wrapper, nsp_content, nsp_sectiontitle, nsp_data, nsp_data_row, nsp_data_label, nsp_data_value, +40 more

HTML Comments
  • <!-- NEWSTATPRESS by stefanotognon -->
  • <!-- /NEWSTATPRESS -->
  • <!-- BEGIN NEWSTATPRESS WIDGET -->
  • <!-- END NEWSTATPRESS WIDGET -->
  • +5 more

Data Attributes
  • data-nsp-graph-labels, data-nsp-graph-data, data-nsp-chart-type, data-nsp-chart-colors, data-nsp-chart-legend

JS Globals
  • newstatpress_data, nsp_admin_vars, nsp_frontend_vars

REST Endpoints
  • /wp-json/newstatpress/v1/stats

Shortcode Output
  • [newstatpress_overview], [newstatpress_top_days], [newstatpress_os], [newstatpress_browser]
FAQ

Frequently Asked Questions about NewStatPress