WP-Safety

Stay Alive Security & Risk Analysis

wordpress.org/plugins/stay-alive

Stay Alive wordpress plugin to check online user's in your website in just minutes with widget or shortcode using Pusher 3rd party socket service …

0 active installs v2.4.8 PHP 5.2.4+ WP 2.4.8+ Updated Jul 10, 2018
activeliveonlinepusherusers
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Stay Alive Safe to Use in 2026?

Generally Safe

Score 85/100

Stay Alive has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago
Risk Assessment

The 'stay-alive' v2.4.8 plugin exhibits a mixed security posture. While it demonstrates good practices in its use of prepared statements for SQL queries and a lack of file operations or external HTTP requests, several significant concerns are present. The presence of an unprotected AJAX handler is a primary risk, creating an easily accessible entry point for potential attackers. Furthermore, the use of the `create_function` dangerous function, although not directly linked to a taint flow in this analysis, is a code smell that can lead to security vulnerabilities if not handled with extreme care. The output escaping is also only moderately effective, with 45% of outputs not being properly escaped, potentially exposing the site to cross-site scripting (XSS) vulnerabilities.

The plugin has no recorded vulnerability history, which is a positive indicator. However, this could also simply mean that it hasn't been a target or that past vulnerabilities were not publicly disclosed or significant enough to be tracked. The taint analysis shows flows with unsanitized paths, which, while not classified as critical or high in this instance, still highlight potential weaknesses in how data is handled within the plugin. The absence of nonce checks and capability checks on its entry points further exacerbates the risk associated with the unprotected AJAX handler.

In conclusion, 'stay-alive' v2.4.8 has strengths in its database query handling and avoidance of risky network operations. However, its security is significantly undermined by an unprotected AJAX endpoint, insufficient output escaping, and the use of a dangerous function. The lack of historical vulnerabilities should not lead to complacency, as the identified code issues present tangible risks that require immediate attention.

Key Concerns

  • Unprotected AJAX handler
  • Dangerous function: create_function
  • Unescaped output (45%)
  • Flows with unsanitized paths
  • Missing nonce checks
  • Missing capability checks
Vulnerabilities
None known

Stay Alive Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Stay Alive Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
0 prepared
Unescaped Output
9
11 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

create_functionadd_action('widgets_init', create_function('', 'return register_widget("StayAliveWidget");'));stay-alive-widget.php:65

Output Escaping

55% escaped20 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
stay_alive_auth (stay-alive.php:54)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

Stay Alive Attack Surface

Entry Points2
Unprotected1

AJAX Handlers 1

authwp_ajax_stay_alive_authstay-alive.php:41

Shortcodes 1

[sa_online_users] stay-alive.php:42
WordPress Hooks 8
actionwidgets_initstay-alive-widget.php:65
actionadmin_menustay-alive.php:34
actionadmin_initstay-alive.php:35
actionadmin_headstay-alive.php:36
actionadmin_footerstay-alive.php:37
actionwp_footerstay-alive.php:38
actionwp_logoutstay-alive.php:39
actionwp_loginstay-alive.php:40
Maintenance & Trust

Stay Alive Maintenance & Trust

Maintenance Signals

WordPress version tested2.4.8
Last updatedJul 10, 2018
PHP min version5.2.4
Downloads1K

Community Trust

Rating100/100
Number of ratings1
Active installs0
Alternatives

Stay Alive Alternatives

WP Online Active Users

WP Online Active Users

online-active-users

A
100

WP Online Active Users is a lightweight, powerful plugin to monitor and display how many users are currently online active on your WordPress website.

2K No CVEs
Display Live Visitors & Counter

Display Live Visitors & Counter

display-live-visitors-counter

A
85

Show How Many Users Are Online On Your Wordpress Site.

100 No CVEs
Fullworks Active Users Monitor

Fullworks Active Users Monitor

fullworks-active-users-monitor

A
100

Real-time monitoring of logged-in WordPress users with visual indicators, filtering, and comprehensive admin tools.

30 No CVEs
WP User Chat

WP User Chat

wp-user-chat

A
92

These plugins gives you many to many interaction through chat like social media`s. Additionaly, you can share your feelings with every logged-in users …

10 No CVEs
Active Users List

Active Users List

active-users-list

A
100

List all the current active users

0 No CVEs
Developer Profile

Stay Alive Developer Profile

rajulmondal5

1 plugin · 0 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Stay Alive

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/stay-alive/assets/css/stay-alive.css
Script Paths
/wp-content/plugins/stay-alive/assets/js/stay-alive.js
Version Parameters
stay-alive.css?ver=stay-alive.js?ver=

HTML / DOM Fingerprints

CSS Classes
stay_alivestay_alive_users
Data Attributes
name="stay_alive_credentials[pusher_app_id]"name="stay_alive_credentials[pusher_key]"name="stay_alive_credentials[pusher_secret]"name="stay_alive_credentials[pusher_cluster]"
JS Globals
config
REST Endpoints
/wp-json/stay_alive_auth
Shortcode Output
<div class="stay_alive"> <ul class="stay_alive_users"></ul> </div>
FAQ

Frequently Asked Questions about Stay Alive