Toplytics Security & Risk Analysis

wordpress.org/plugins/toplytics

Displays the most visited posts as a widget using data from Google Analytics. Designed to be used under high-traffic or low server resources.

Active installs: 100
Version: 4.1.2
Requires: PHP + WP 4.7.3+
Updated: Dec 10, 2025
Tags: analytics, google-analytics, high-traffic, most-viewed-posts, popular-posts

Security score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never

Is Toplytics Safe to Use in 2026?

Generally Safe

Score 100/100

Toplytics has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 3 months ago
Risk Assessment

The Toplytics plugin version 4.1.2 exhibits a mixed security posture. On the positive side, there are no recorded vulnerabilities (CVEs) in its history, which suggests a general commitment to security or a lack of targeted exploitation. The absence of dangerous functions and external HTTP requests is also reassuring. However, several concerning signals emerge from the static analysis. The presence of a REST API route without a permission callback represents a direct, unprotected entry point into the plugin's functionality. Furthermore, the plugin's handling of SQL queries is a significant weakness, with all queries being executed without prepared statements, opening the door to SQL injection vulnerabilities. The low percentage of properly escaped output is another critical concern, increasing the risk of cross-site scripting (XSS) attacks. While taint analysis did not reveal critical or high severity flows, the presence of unsanitized paths warrants attention, especially in conjunction with the output escaping issues. The plugin has a moderate attack surface with one unprotected entry point. The lack of historical vulnerabilities is positive, but the current static analysis reveals several common and potentially severe security flaws that need immediate remediation.

Key Concerns

  • REST API route without permission callback
  • SQL queries not using prepared statements
  • Low percentage of properly escaped output
  • Flows with unsanitized paths
  • Bundled library (Guzzle) without version info

Toplytics Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Toplytics Code Analysis

Analyzed Mar 16, 2026

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 82 (31 escaped)
Nonce Checks: 6
Capability Checks: 1
File Operations: 2
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Guzzle

SQL Query Safety

0% prepared (1 total query)

Output Escaping

27% escaped (113 total outputs)

Data Flow Analysis

9 flows, 3 with unsanitized paths

  • checkAuthorization (components\Backend.php:1708)

Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized

Toplytics Attack Surface

Entry Points: 2
Unprotected: 1

REST API Routes (1)

  • GET /wp-json/toplytics/results/ (components\Frontend.php:285)

Shortcodes (1)

  • [toplytics] (components\Shortcode.php:18)

WordPress Hooks (6)

  • action update_option_toplytics_settings (components\Backend.php:126)
  • action wp (components\Backend.php:133)
  • action toplytics_cron_event (components\Backend.php:134)
  • action shutdown (components\Backend.php:996)
  • action update_option_widget_toplytics-widget (components\Widget.php:226)
  • action admin_notices (components\Window.php:184)

Scheduled Events (1)

  • toplytics_cron_event

Toplytics Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 10, 2025
PHP min version
Downloads: 10K

Community Trust

Rating: 100/100
Number of ratings: 9
Active installs: 100

Toplytics Developer Profile

Presslabs

5 plugins · 1K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 25 days

How We Detect Toplytics

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/toplytics/admin/css/toplytics-admin.css
  • /wp-content/plugins/toplytics/admin/js/toplytics-admin.js
  • /wp-content/plugins/toplytics/assets/css/toplytics-frontend.css
  • /wp-content/plugins/toplytics/assets/js/toplytics-frontend.js
  • /wp-content/plugins/toplytics/assets/js/toplytics-vue.js

Script Paths

  • /wp-content/plugins/toplytics/admin/js/toplytics-admin.js
  • /wp-content/plugins/toplytics/assets/js/toplytics-frontend.js
  • /wp-content/plugins/toplytics/assets/js/toplytics-vue.js
  • /wp-content/plugins/toplytics/vendor/google/apiclient/src/Google/Client.php
  • /wp-content/plugins/toplytics/vendor/google/apiclient/src/Google/Service/Analytics.php

Version Parameters

  • toplytics/admin/css/toplytics-admin.css?ver=
  • toplytics/admin/js/toplytics-admin.js?ver=
  • toplytics/assets/css/toplytics-frontend.css?ver=
  • toplytics/assets/js/toplytics-frontend.js?ver=
  • toplytics/assets/js/toplytics-vue.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • toplytics-widget
  • toplytics-widget-header
  • toplytics-widget-content
  • toplytics-widget-posts
  • toplytics-post-title
  • toplytics-post-views
  • toplytics-post-link
  • toplytics-post-excerpt
  • +4 more

HTML Comments

  • <!-- TOPLYTICS CODE START -->
  • <!-- TOPLYTICS CODE END -->
  • <!-- TOPLYTICS WIDGET START -->
  • <!-- TOPLYTICS WIDGET END -->
  • +4 more

Data Attributes

  • data-toplytics-post-id
  • data-toplytics-post-title
  • data-toplytics-post-url
  • data-toplytics-post-views

JS Globals

  • window.toplytics_settings
  • window.toplytics_vue_app
  • var toplytics_settings
  • var toplytics_vue_app
  • ToplyticsAdmin

REST Endpoints

  • /wp-json/toplytics/v1/settings
  • /wp-json/toplytics/v1/authenticate
  • /wp-json/toplytics/v1/clear_cache

Shortcode Output

  • [toplytics_popular_posts]
  • [toplytics_trending_posts]
  • [toplytics_most_commented_posts]


Frequently Asked Questions about Toplytics