[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUlWvD2IhVdg102zKlhOf6g76JrEx5Q2NyI--L9ghnzA":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":23,"download_link":24,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":29,"crawl_stats":26,"alternatives":34,"analysis":129,"fingerprints":276},"traffic-counter-widget","Plugin Name: Traffic Counter Widget Plugin","2.1.2","aviaxis","https:\u002F\u002Fprofiles.wordpress.org\u002Faviaxis\u002F","\u003Cp>TCW shows the number of visitors \u002F hits \u002F unique IPs in the past 24 hours, 7 days and 30 days. It also shows the number of users currently online.\u003C\u002Fp>\n\u003Cp>It provides a robots filter, but the automatic traffic could also be considered.\u003C\u002Fp>\n\u003Cp>Traffic Counter Widget offers language support and automatic log deletion.\u003C\u002Fp>\n\u003Cp>For help or reporting bugs please refer to: http:\u002F\u002Fwww.pixme.org\u002Ftehnologie-internet\u002Fwordpress-traffic-counter-widget\u002F4228\u003C\u002Fp>\n\u003Ch3>Other\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>You may use the code any way you wish, with respect to the WordPress general licensing rules. However I do not guarantee anything, of course 🙂 \u003C\u002Fli>\n\u003Cli>Please do not remove the link to the plugin’s page unless you donate. Help me keep it free.\u003C\u002Fli>\n\u003Cli>If you enjoy it, and find it useful please donate 2 Euro here: http:\u002F\u002Fwww.pixme.org\u002Fwp-content\u002Fuploads\u002Fwidget-traffic-counter\u002F\u003C\u002Fli>\n\u003C\u002Ful>\n","TCW lets your users know how much traffic you have on your blog. 
It counts pages visited, hits and unique IPs on your blog and shows it in a widget.",700,75359,0,"2017-11-28T21:17:00.000Z","3.2.1","2.8.0","",[19,20,21,22],"traffic-counter","traffic-widget","user-traffic","visitors-counter","http:\u002F\u002Fwww.pixme.org\u002Fwp-content\u002Fuploads\u002Fwidget-traffic-counter\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftraffic-counter-widget.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":30,"total_installs":11,"avg_security_score":25,"avg_patch_time_days":31,"trust_score":32,"computed_at":33},1,30,84,"2026-04-05T03:20:58.054Z",[35,51,72,93,110],{"slug":36,"name":37,"version":38,"author":39,"author_profile":40,"description":41,"short_description":42,"active_installs":11,"downloaded":43,"rating":44,"num_ratings":45,"last_updated":46,"tested_up_to":47,"requires_at_least":16,"requires_php":17,"tags":48,"homepage":17,"download_link":50,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"traffic-stats-widget","Plugin Name: Traffic Stats Widget Plugin","1.0.2","helenthomaswp","https:\u002F\u002Fprofiles.wordpress.org\u002Fhelenthomaswp\u002F","\u003Cp>TSW shows the number of visitors \u002F hits \u002F unique IPs in the past 24 hours, 7 days and 30 days. It also shows the number of users currently online.\u003C\u002Fp>\n\u003Cp>It provides a robots filter, but the automatic traffic could also be considered.\u003C\u002Fp>\n\u003Cp>Traffic Stats Widget offers language support and automatic log deletion.\u003C\u002Fp>\n","TSW lets your users know how much traffic you have on your blog. 
It counts pages visited, hits and unique IPs on your blog and shows it in a widget.",50303,88,7,"2017-11-28T20:05:00.000Z","4.0.38",[49,19,20,21,22],"hit-counter","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftraffic-stats-widget.1.0.2.zip",{"slug":52,"name":53,"version":54,"author":55,"author_profile":56,"description":57,"short_description":58,"active_installs":59,"downloaded":60,"rating":61,"num_ratings":62,"last_updated":63,"tested_up_to":64,"requires_at_least":65,"requires_php":17,"tags":66,"homepage":70,"download_link":71,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"pulsemaps","PulseMaps Visitor World Map","1.7.2","aitosoftware","https:\u002F\u002Fprofiles.wordpress.org\u002Faitosoftware\u002F","\u003Cp>The PulseMaps plugin visualizes your site visitors’ locations on the world map.  The plugin includes a map widget which you place on the pages you want to track.  The areas where you get the most visitors are shown with a lighter color.  The most recent visitors are shown as flashing dots on the map.  The total number of visits is also shown.\u003C\u002Fp>\n\u003Cp>For a live demo, visit the \u003Ca href=\"http:\u002F\u002Fpulsemaps.com\u002F\" rel=\"nofollow ugc\">PulseMaps website\u003C\u002Fa> and the \u003Ca href=\"http:\u002F\u002Fpulsemaps.com\u002Fmaps\u002F526958181\u002F\" rel=\"nofollow ugc\">detail page for PulseMap website visitors\u003C\u002Fa>.\u003C\u002Fp>\n\u003Cp>Simply drop the widget on your blog’s sidebar. The map widget will work as a form of “social proof” : your visitors see that your blog is being read by people all over the world. This makes your blog instantly more trustworthy–who would trust a blog nobody reads? With this widget, you show readers that your site DOES get visitors. 
As an added bonus, the map just looks pretty dang cool!\u003C\u002Fp>\n\u003Cp>Click on the widget to get to a detail page sporting a huge map which can be freely zoomed and panned, along with other interesting details and statistics.\u003C\u002Fp>\n\u003Cp>The widget size and colors are fully customizable; you can choose any colors and size you wish on the admin panel.\u003C\u002Fp>\n\u003Cp>Features\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Map widget shows visitors in real time\u003C\u002Fli>\n\u003Cli>Customizable map widget size and colors\u003C\u002Fli>\n\u003Cli>Click on map to open a large map with more details and statistics\u003C\u002Fli>\n\u003Cli>Works on all popular browsers\u003C\u002Fli>\n\u003Cli>Lightweight plugin (does not need a lot of disk space)\u003C\u002Fli>\n\u003C\u002Ful>\n","Show off your website visitors on the world map. When people around the world visit your blog, the corresponding areas on the heat map widget light up &hellip;",90,42047,56,4,"2015-02-02T17:05:00.000Z","3.5.2","3.0",[67,19,20,68,69],"heat-map","visitor-map","world-map","http:\u002F\u002Fpulsemaps.com\u002Fwordpress\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpulsemaps.1.7.2.zip",{"slug":73,"name":74,"version":75,"author":76,"author_profile":77,"description":17,"short_description":78,"active_installs":79,"downloaded":80,"rating":81,"num_ratings":82,"last_updated":83,"tested_up_to":84,"requires_at_least":85,"requires_php":17,"tags":86,"homepage":91,"download_link":92,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"mechanic-visitor-counter","Mechanic Visitor Counter","3.3.3","Aditya Subawa","https:\u002F\u002Fprofiles.wordpress.org\u002Fadityasubawa\u002F","Mechanic Visitor Counter is a widgets which will display the Visitor counter and traffic statistics on WordPress. 
Some of the features offered include &hellip;",8000,222754,72,15,"2021-01-02T07:20:00.000Z","5.5.18","4.5.3",[87,19,88,89,90],"blog-stats","traffic-statistics","visitor-counter","visitor-traffic","https:\u002F\u002Fwww.adityasubawa.com\u002Fmechanic-visitor-counter\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmechanic-visitor-counter.zip",{"slug":94,"name":95,"version":96,"author":97,"author_profile":98,"description":99,"short_description":100,"active_installs":101,"downloaded":102,"rating":32,"num_ratings":103,"last_updated":104,"tested_up_to":105,"requires_at_least":106,"requires_php":17,"tags":107,"homepage":108,"download_link":109,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"xt-visitor-counter","XT Visitor Counter","1.4.3","xtrsyz","https:\u002F\u002Fprofiles.wordpress.org\u002Fxtrsyz\u002F","\u003Cp>XT Visitor Counter is a widgets which will display the Visitor counter and traffic statistics on WordPress.Some of the features offered include Today Visitor, Today Hits, Total Hits, Total Visit, Who’s Online and IP Address Visitors.\u003C\u002Fp>\n\u003Cp>Upload and Install XT Visitor Counter Plugins, Activate and Drag the Widgets in to your WordPress Sidebar. And this plugins will useless for a thousands of websites. If you were here, download and install it, you’ll like it.\u003C\u002Fp>\n\u003Ch3>Arbitrary section\u003C\u002Fh3>\n\u003Cp>Refer Installation and FAQ section for all required information\u003C\u002Fp>\n\u003Ch3>A brief Markdown Example\u003C\u002Fh3>\n\u003Cp>Ordered list:\u003C\u002Fp>\n\u003Col>\n\u003Cli>Most simple plugin available so far\u003C\u002Fli>\n\u003Cli>Do not remove developer plugins link\u003C\u002Fli>\n\u003C\u002Fol>\n","XT Visitor Counter is a widgets which will display the Visitor counter and traffic statistics on WordPress. 
Some of the features offered include Today &hellip;",7000,106479,5,"2023-01-31T15:01:00.000Z","6.1.10","3.0.1",[87,19,88,89,90],"http:\u002F\u002Fxtrsyz.org\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fxt-visitor-counter.zip",{"slug":111,"name":112,"version":113,"author":114,"author_profile":115,"description":116,"short_description":117,"active_installs":118,"downloaded":119,"rating":13,"num_ratings":13,"last_updated":120,"tested_up_to":121,"requires_at_least":122,"requires_php":123,"tags":124,"homepage":127,"download_link":128,"security_score":118,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"mc-visitor-tally","MC Visitor Tally","2.8.3","Mike Hickcox","https:\u002F\u002Fprofiles.wordpress.org\u002Fmike-hickcox\u002F","\u003Cp>Easy-to-use visitor counter designed for the website admin. With a clean look appropriate for a professional website. Features:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Unique site visitor counts in these time frames: Today, Yesterday, Past 7 Days, Current Month, Current Year.\u003C\u002Fli>\n\u003Cli>Counts are shown in an admin dashboard widget which appears when the plugin is activated.\u003C\u002Fli>\n\u003Cli>The admin dashboard widget has an optional table of monthly totals for comparisons.\u003C\u002Fli>\n\u003Cli>The dashboard widget tells when the plugin was installed so you know when the counts on your website began.\u003C\u002Fli>\n\u003Cli>Use the front-end WIDGET (MC Visitor Tally) to place the tallies on website pages, sidebars, and\u002For footer.\u003C\u002Fli>\n\u003Cli>Use the SHORTCODE [mcvt-visitor-tally] to place the tallies in sidebars, pages, and other locations on the website.\u003C\u002Fli>\n\u003Cli>Use any of several styles of visitor tables on your website with the shortcode and widget.\u003C\u002Fli>\n\u003Cli>The year-to-date count on the shortcode and widget can be turned off if you don’t want to show the YTD numbers at this time.\u003C\u002Fli>\n\u003Cli>Visitor data 
more than one year old are automatically deleted from the plugin’s database table, removing unneeded records.\u003C\u002Fli>\n\u003Cli>Counts are real people, as most bots and crawlers will not be counted.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Settings and Use\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>SETTINGS LINK: Find “MC Visitor Tally” under “Settings” in the left menu. Also found under the plugin name in the list of installed plugins.\u003C\u002Fli>\n\u003Cli>MONTHLY COMPARISONS: Decide if you want month-to-month totals shown in the admin dashboard widget for comparisons. Also shows the total for the past 12 months.\u003C\u002Fli>\n\u003Cli>ONLINE TABLE STYLES: Choose a style for online tables. Experiment with this – themes and page builders display these tables very differently.\u003C\u002Fli>\n\u003Cli>YEAR-TO-DATE TOTALS: On the settings page, you can turn off the year-to-date counts on your website pages.\u003C\u002Fli>\n\u003Cli>WIDGET: Use the widget (MC Visitor Tally) to add the counter to sidebars or other widget-enabled areas of the website.\u003C\u002Fli>\n\u003Cli>SHORTCODE: Use the shortcode [mcvt-visitor-tally] to add the counter to any page, sidebar, or the footer.\u003C\u002Fli>\n\u003Cli>ON PLUGIN REMOVAL: On the settings page, you can decide not to delete the database table when removing the plugin – if you intend to re-install it later.\u003C\u002Fli>\n\u003C\u002Ful>\n","Displays unique daily visits. Web page tables. 
Dashboard widget with monthly comparisons.",100,4869,"2025-11-25T21:41:00.000Z","6.6.5","4.7","7.0",[49,19,125,89,126],"traffic-stats","visitor-stats","https:\u002F\u002Fmid-coast.com\u002Fmc-visitor-tally","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmc-visitor-tally.2.8.3.zip",{"attackSurface":130,"codeSignals":159,"taintFlows":217,"riskAssessment":260,"analyzedAt":275},{"hooks":131,"ajaxHandlers":146,"restRoutes":155,"shortcodes":156,"cronEvents":157,"entryPointCount":158,"unprotectedCount":158},[132,138,142],{"type":133,"name":134,"callback":135,"file":136,"line":137},"action","plugins_loaded","traffic_counter_init","wp-traffic-counter-widget.php",321,{"type":133,"name":139,"callback":140,"file":136,"line":141},"wp_print_styles","add_wtc_stylesheet",322,{"type":133,"name":143,"callback":144,"file":136,"line":145},"init","add_wtc_ajax",323,[147,152],{"action":148,"nopriv":149,"callback":150,"hasNonce":149,"hasCapCheck":149,"file":136,"line":151},"wtcstats",false,"wtc_ajax_response",325,{"action":148,"nopriv":153,"callback":150,"hasNonce":149,"hasCapCheck":149,"file":136,"line":154},true,326,[],[],[],2,{"dangerousFunctions":160,"sqlUsage":161,"outputEscaping":181,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":216},[],{"prepared":162,"raw":45,"locations":163},3,[164,167,170,172,174,177,179],{"file":136,"line":165,"context":166},148,"$wpdb->query() with variable interpolation",{"file":136,"line":168,"context":169},158,"$wpdb->get_var() with variable interpolation",{"file":136,"line":171,"context":169},229,{"file":136,"line":173,"context":169},238,{"file":136,"line":175,"context":176},239,"$wpdb->get_results() with variable interpolation",{"file":136,"line":178,"context":176},240,{"file":136,"line":180,"context":166},295,{"escaped":13,"rawEcho":182,"locations":183},18,[184,187,189,190,191,192,193,194,196,198,200,202,204,206,208,210,212,214],{"file":136,"line":185,"context":186},178,"raw 
output",{"file":136,"line":188,"context":186},180,{"file":136,"line":188,"context":186},{"file":136,"line":188,"context":186},{"file":136,"line":188,"context":186},{"file":136,"line":188,"context":186},{"file":136,"line":188,"context":186},{"file":136,"line":195,"context":186},185,{"file":136,"line":197,"context":186},186,{"file":136,"line":199,"context":186},187,{"file":136,"line":201,"context":186},188,{"file":136,"line":203,"context":186},202,{"file":136,"line":205,"context":186},203,{"file":136,"line":207,"context":186},204,{"file":136,"line":209,"context":186},206,{"file":136,"line":211,"context":186},313,{"file":136,"line":213,"context":186},315,{"file":136,"line":215,"context":186},317,[],[218,246],{"entryPoint":219,"graph":220,"unsanitizedCount":158,"severity":245},"view (wp-traffic-counter-widget.php:141)",{"nodes":221,"edges":241},[222,227,232,235,239],{"id":223,"type":224,"label":225,"file":136,"line":226},"n0","source","$_SERVER",156,{"id":228,"type":229,"label":230,"file":136,"line":168,"wp_function":231},"n1","sink","get_var() [SQLi]","get_var",{"id":233,"type":224,"label":225,"file":136,"line":234},"n2",165,{"id":236,"type":237,"label":238,"file":136,"line":234},"n3","transform","→ is_hit()",{"id":240,"type":229,"label":230,"file":136,"line":171,"wp_function":231},"n4",[242,243,244],{"from":223,"to":228,"sanitized":149},{"from":233,"to":236,"sanitized":149},{"from":236,"to":240,"sanitized":149},"high",{"entryPoint":247,"graph":248,"unsanitizedCount":162,"severity":245},"\u003Cwp-traffic-counter-widget> (wp-traffic-counter-widget.php:0)",{"nodes":249,"edges":256},[250,252,253,254,255],{"id":223,"type":224,"label":251,"file":136,"line":226},"$_SERVER 
(x2)",{"id":228,"type":229,"label":230,"file":136,"line":168,"wp_function":231},{"id":233,"type":224,"label":225,"file":136,"line":234},{"id":236,"type":237,"label":238,"file":136,"line":234},{"id":240,"type":229,"label":230,"file":136,"line":171,"wp_function":231},[257,258,259],{"from":223,"to":228,"sanitized":149},{"from":233,"to":236,"sanitized":149},{"from":236,"to":240,"sanitized":149},{"summary":261,"deductions":262},"The \"traffic-counter-widget\" plugin v2.1.2 exhibits a concerning security posture, primarily due to its unprotected entry points and lack of proper output escaping.  While the plugin has no recorded vulnerability history and avoids dangerous functions or file operations, the static analysis reveals significant weaknesses.  The presence of two AJAX handlers without any authentication checks creates a direct attack vector. Furthermore, all identified output operations are unescaped, meaning any data displayed to users could potentially be manipulated, leading to cross-site scripting (XSS) vulnerabilities. The taint analysis confirms these concerns, highlighting two flows with unsanitized paths classified as high severity. This suggests that user-supplied data is not being properly validated or escaped before being processed or outputted.\n\nIn conclusion, despite the absence of known CVEs, the plugin's current implementation presents a substantial risk. The unprotected AJAX endpoints and the complete lack of output escaping are critical flaws that attackers could exploit. While the plugin's small attack surface and lack of complex features might seem like strengths, they do not mitigate the severe risks posed by these vulnerabilities. 
Recommendations for improvement should focus on implementing robust authentication and authorization for all AJAX handlers and ensuring all output is properly escaped to prevent XSS attacks.",[263,266,268,270,272],{"reason":264,"points":265},"Unprotected AJAX handlers",10,{"reason":267,"points":265},"All outputs unescaped",{"reason":269,"points":265},"High severity taint flows",{"reason":271,"points":103},"No nonce checks on AJAX",{"reason":273,"points":274},"SQL queries lack prepared statements",6,"2026-03-16T19:24:09.673Z",{"wat":277,"direct":286},{"assetPaths":278,"generatorPatterns":281,"scriptPaths":282,"versionParams":283},[279,280],"\u002Fwp-content\u002Fplugins\u002Ftraffic-counter-widget\u002Ftraffic-counter-widget.css","\u002Fwp-content\u002Fplugins\u002Ftraffic-counter-widget\u002Ftraffic-counter-widget.js",[],[280],[284,285],"traffic-counter-widget\u002Ftraffic-counter-widget.css?ver=","traffic-counter-widget\u002Ftraffic-counter-widget.js?ver=",{"cssClasses":287,"htmlComments":288,"htmlAttributes":289,"restEndpoints":314,"jsGlobals":315,"shortcodeOutput":318},[],[],[290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313],"id=\"wp_wtc_WidgetTitle\"","name=\"wp_wtc_WidgetTitle\"","id=\"wp_wtc_WidgetText_Visitors\"","name=\"wp_wtc_WidgetText_Visitors\"","id=\"wp_wtc_WidgetText_Hits\"","name=\"wp_wtc_WidgetText_Hits\"","id=\"wp_wtc_WidgetText_Unique\"","name=\"wp_wtc_WidgetText_Unique\"","id=\"wp_wtc_WidgetText_LastDay\"","name=\"wp_wtc_WidgetText_LastDay\"","id=\"wp_wtc_WidgetText_LastWeek\"","name=\"wp_wtc_WidgetText_LastWeek\"","id=\"wp_wtc_WidgetText_LastMonth\"","name=\"wp_wtc_WidgetText_LastMonth\"","id=\"wp_wtc_WidgetText_Online\"","name=\"wp_wtc_WidgetText_Online\"","id=\"wp_wtc_WidgetText_Default_Tab\"","name=\"wp_wtc_WidgetText_Default_Tab\"","id=\"wp_wtc_WidgetText_bots_filter\"","name=\"wp_wtc_WidgetText_bots_filter\"","id=\"wp_wtc_WidgetText_log_opt\"","name=\"wp_wtc_WidgetText_log_opt\"","id=\"wp_wtc_Su
bmit\"","name=\"wp_wtc_Submit\"",[],[316,317],"window.ip","window.users_online",[]]