Does TOPlist have any unpatched vulnerabilities?

No. All known vulnerabilities in TOPlist have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is TOPlist compatible with WordPress 6.4.8?

According to WordPress.org data, TOPlist 5.1.2 has been tested up to WordPress 6.4.8. Check the plugin's changelog for the latest compatibility information.

Is TOPlist compatible with PHP 5.2+?

TOPlist requires PHP 5.2 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is TOPlist updated?

TOPlist was last updated on Nov 14, 2023. Frequent updates are generally a positive security signal.

What is TOPlist's security score?

TOPlist has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

TOPlist Security & Risk Analysis

wordpress.org/plugins/toplist

TOPlist.cz is a popular web analytics service in Czech Republic. This plugin is for easy integration of your WordPress blog into this service.

300 active installs v5.1.2 PHP 5.2+ WP 4.6+ Updated Nov 14, 2023

analyticspagestoplisttoplist-czweb

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is TOPlist Safe to Use in 2026?

Generally Safe

Score 85/100

TOPlist has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 2yr ago

Risk Assessment

The toplist plugin v5.1.2 exhibits a mixed security posture. On the positive side, it has no recorded vulnerabilities (CVEs) and no dangerous functions or file operations are present in its code. It also performs some SQL queries with prepared statements, and includes nonce and capability checks, indicating an awareness of basic WordPress security practices. However, there are significant concerns stemming from the static analysis. The plugin has a small attack surface consisting of two AJAX handlers, one of which lacks authentication checks. This unprotected entry point is a critical security risk, potentially allowing unauthorized actions. Furthermore, a very low percentage of output is properly escaped, suggesting a high likelihood of cross-site scripting (XSS) vulnerabilities. The lack of taint analysis results could be due to the analysis tool's limitations or a genuine absence of complex data flows, but it doesn't negate the immediate risks identified.

Key Concerns

AJAX handler without authentication
Low percentage of properly escaped output
Low percentage of prepared statements in SQL queries

Vulnerabilities

None known

TOPlist Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

TOPlist Code Analysis

Dangerous Functions

Raw SQL Queries

10 prepared

Unescaped Output

10 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

31% prepared32 total queries

Output Escaping

15% escaped65 total outputs

Attack Surface

1 unprotected

TOPlist Attack Surface

Entry Points2

Unprotected1

AJAX Handlers 2

authwp_ajax_toplist_cz_dashboard_contenttoplist.php:30

authwp_ajax_toplist_cz_save_passwordtoplist.php:31

WordPress Hooks 5

actionwp_enqueue_scriptstoplist.php:26

actionwp_dashboard_setuptoplist.php:27

actionadmin_inittoplist.php:28

actionadmin_enqueue_scriptstoplist.php:29

actionwidgets_inittoplist.php:824

Maintenance & Trust

TOPlist Maintenance & Trust

Maintenance Signals

WordPress version tested6.4.8

Last updatedNov 14, 2023

PHP min version5.2

Downloads4K

Community Trust

Rating0/100

Number of ratings0

Active installs300

Alternatives

TOPlist Alternatives

TopList.cz

toplistcz

TopList.cz is a popular web analytics service in Czech Republic. This plugin is for easy integration of your WordPress blog into this service.

400 No CVEs

Site Kit by Google – Analytics, Search Console, AdSense, Speed

google-site-kit

100

Site Kit is a one-stop solution for WordPress users to use everything Google has to offer to make them successful on the web.

5.0M 1 CVE

MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

google-analytics-for-wordpress

The best free Google Analytics plugin for WordPress. See how visitors find and use your website so you can grow your business with powerful analytics.

2.0M 10 CVEs

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

The simplest and fastest WP Cache system

1.0M 35 CVEs

Autoptimize

autoptimize

Autoptimize speeds up your website by optimizing JS, CSS, images (incl. lazy-load), HTML and Google Fonts, asyncing JS, removing emoji cruft and more.

900K 10 CVEs

Developer Profile

TOPlist Developer Profile

toplist

1 plugin · 300 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect TOPlist

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/toplist/toplist.js

Script Paths