Themeflection Numbers – Number Counter and Animated Numbers Security & Risk Analysis

wordpress.org/plugins/tf-numbers-number-counter-animaton

Very easy to use numbers counter. It will ultimately supply you with beautiful sections with counting numbers. You can use it to display statistics, o …

3K active installs · v2.0.9 · PHP 7.3+ · WP 4.4.0+ · Updated Nov 21, 2024
Tags: animated-numbers, numbers, numbers-counter, numbers-showcase, statistics
Score: 91 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Mar 27, 2023
Safety Verdict

Is Themeflection Numbers – Number Counter and Animated Numbers Safe to Use in 2026?

Generally Safe

Score 91/100

Themeflection Numbers – Number Counter and Animated Numbers has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Mar 27, 2023 · Updated 1yr ago
Risk Assessment

The tf-numbers-number-counter-animaton plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices with 100% of SQL queries using prepared statements and a high percentage (94%) of outputs being properly escaped. The presence of 10 nonce checks and 7 capability checks also indicates an awareness of WordPress security fundamentals. However, a significant concern arises from the presence of one AJAX handler without any authentication checks, creating a direct attack vector.

The static analysis reveals one unprotected entry point, which is a critical weakness. While no critical or high severity taint flows were identified, and dangerous functions are absent, the lack of authorization on an AJAX endpoint is a glaring omission. The plugin's vulnerability history shows one past high-severity vulnerability, specifically related to missing authorization. This pattern, combined with the current analysis finding an unprotected AJAX handler, strongly suggests a recurring issue with properly securing entry points.

In conclusion, while the plugin implements some good security measures, the unprotected AJAX handler is a serious flaw that attackers could exploit. The historical vulnerability data reinforces this concern, indicating a potential for authorization bypasses. Addressing this single unprotected entry point is paramount to improving the plugin's overall security. The plugin has strengths in its SQL handling and output escaping, but the authorization weaknesses detract from its security.

Key Concerns

  • AJAX handler without auth checks
  • Past high severity vulnerability
Vulnerabilities (1)

Themeflection Numbers – Number Counter and Animated Numbers Security Vulnerabilities

CVEs by Year

1 CVE in 2023

Severity Breakdown

High: 1

1 total CVE

CVE-2023-0889 · high · 8.8 · Missing Authorization

Themeflection Numbers <= 1.8.1 - Authenticated (Subscriber+) Privilege Escalation via tf_numb_save_licenses

Mar 27, 2023 · Patched in 2.0.1 (449d)
Code Analysis
Analyzed Mar 16, 2026

Themeflection Numbers – Number Counter and Animated Numbers Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 12 (202 escaped)
Nonce Checks: 10
Capability Checks: 7
File Operations: 1
External Requests: 4
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

94% escaped · 214 total outputs
Attack Surface (1 unprotected)

Themeflection Numbers – Number Counter and Animated Numbers Attack Surface

Entry Points: 3
Unprotected: 1

AJAX Handlers: 2

auth · wp_ajax_tf_numb_save_licenses · inc\license.php:205
auth · wp_ajax_tf_num_dissm · inc\notice.php:12

Shortcodes: 1

[tf_numbers] · inc\shortcode.php:14
WordPress Hooks: 47

filter · get_post_metadata · cmb2\includes\CMB2_Ajax.php:119
filter · update_post_meta · cmb2\includes\CMB2_Ajax.php:122
filter · cmb2_show_on · cmb2\includes\CMB2_hookup.php:67
action · add_meta_boxes · cmb2\includes\CMB2_hookup.php:80
action · add_attachment · cmb2\includes\CMB2_hookup.php:81
action · edit_attachment · cmb2\includes\CMB2_hookup.php:82
action · save_post · cmb2\includes\CMB2_hookup.php:84
action · show_user_profile · cmb2\includes\CMB2_hookup.php:110
action · edit_user_profile · cmb2\includes\CMB2_hookup.php:111
action · user_new_form · cmb2\includes\CMB2_hookup.php:112
action · personal_options_update · cmb2\includes\CMB2_hookup.php:114
action · edit_user_profile_update · cmb2\includes\CMB2_hookup.php:115
action · user_register · cmb2\includes\CMB2_hookup.php:116
action · init · cmb2\init.php:71
action · admin_menu · inc\license.php:4
action · admin_init · inc\license.php:39
action · admin_init · inc\license.php:185
action · admin_footer · inc\license.php:235
action · init · inc\notice.php:10
action · admin_footer · inc\notice.php:11
action · admin_menu · inc\pages\init.php:17
action · activated_plugin · inc\pages\init.php:18
action · activated_plugin · inc\pages\init.php:21
action · wp_enqueue_scripts · inc\setup.php:11
action · admin_enqueue_scripts · inc\setup.php:13
action · init · inc\setup.php:14
filter · manage_edit-tf_stats_columns · inc\setup.php:16
action · manage_tf_stats_posts_custom_column · inc\setup.php:17
action · admin_head · inc\setup.php:18
action · admin_init · inc\setup.php:20
action · admin_init · inc\setup.php:21
action · cmb2_init · inc\setup.php:23
filter · mce_buttons · inc\setup.php:24
filter · mce_external_plugins · inc\setup.php:25
action · plugins_loaded · inc\setup.php:26
action · admin_footer · inc\setup.php:27
action · admin_menu · inc\setup.php:28
action · publish_tf_stats · inc\shortcode.php:15
action · wp_footer · inc\shortcode.php:16
action · post_updated · inc\shortcode.php:17
action · admin_init · inc\update.php:38
action · admin_init · inc\update.php:39
filter · pre_set_site_transient_update_plugins · inc\update.php:51
filter · plugins_api · inc\update.php:52
filter · pre_set_site_transient_update_plugins · inc\update.php:142
action · vc_before_init · inc\vc-shortcode.php:40
filter · plugin_row_meta · tf-random_numbers.php:46
Maintenance & Trust

Themeflection Numbers – Number Counter and Animated Numbers Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Nov 21, 2024
PHP min version: 7.3
Downloads: 103K

Community Trust

Rating: 84/100
Number of ratings: 34
Active installs: 3K
Developer Profile

Themeflection Numbers – Number Counter and Animated Numbers Developer Profile

Metagauss

7 plugins · 79K total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 250 days
Detection Fingerprints

How We Detect Themeflection Numbers – Number Counter and Animated Numbers

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/tf-numbers-number-counter-animaton/assets/css/style.css
  • /wp-content/plugins/tf-numbers-number-counter-animaton/assets/js/counter.js
  • /wp-content/plugins/tf-numbers-number-counter-animaton/assets/js/custom.js
  • /wp-content/plugins/tf-numbers-number-counter-animaton/assets/css/animate.css
  • /wp-content/plugins/tf-numbers-number-counter-animaton/assets/css/jquery.fancybox.css
  • /wp-content/plugins/tf-numbers-number-counter-animaton/assets/js/jquery.fancybox.js
  • /wp-content/plugins/tf-numbers-number-counter-animaton/assets/js/jquery.waypoints.min.js
  • /wp-content/plugins/tf-numbers-number-counter-animaton/assets/js/jquery.counterup.min.js

Script Paths

  • /wp-content/plugins/tf-numbers-number-counter-animaton/assets/js/counter.js
  • /wp-content/plugins/tf-numbers-number-counter-animaton/assets/js/custom.js
  • /wp-content/plugins/tf-numbers-number-counter-animaton/assets/js/jquery.fancybox.js
  • /wp-content/plugins/tf-numbers-number-counter-animaton/assets/js/jquery.waypoints.min.js
  • /wp-content/plugins/tf-numbers-number-counter-animaton/assets/js/jquery.counterup.min.js

Version Parameters

  • tf-numbers-number-counter-animaton/assets/css/style.css?ver=
  • tf-numbers-number-counter-animaton/assets/js/counter.js?ver=
  • tf-numbers-number-counter-animaton/assets/js/custom.js?ver=
  • tf-numbers-number-counter-animaton/assets/css/animate.css?ver=
  • tf-numbers-number-counter-animaton/assets/css/jquery.fancybox.css?ver=
  • tf-numbers-number-counter-animaton/assets/js/jquery.fancybox.js?ver=
  • tf-numbers-number-counter-animaton/assets/js/jquery.waypoints.min.js?ver=
  • tf-numbers-number-counter-animaton/assets/js/jquery.counterup.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
tf-counter-section, tf-counter-wrap, tf-counter-single, tf-counter-icon, tf-counter-content, tf-counter-title, tf-counter-number, tf-counter-description (+2 more)
HTML Comments
<!-- Themeflection Numbers Counter Animation Plugin -->
<!-- Start Themeflection Numbers Counter -->
Data Attributes
data-countto, data-speed, data-refresh-interval
JS Globals
tf_numbers_ajax_object
Shortcode Output
[tf-number-counter
[tf-number-counter-wrap