Traffic Monitor Security & Risk Analysis

wordpress.org/plugins/traffic-monitor

Lightweight traffic logger for WordPress analytics. View, filter, and export page request data; monitor caching; detect bots; and spot click fraud.

1K active installs v3.2.7 PHP 7.4+ WP 6.2+ Updated Oct 21, 2025
analytics, bot, fraud, logging, traffic
99 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Jun 12, 2025
Safety Verdict

Is Traffic Monitor Safe to Use in 2026?

Generally Safe

Score 99/100

Traffic Monitor has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Jun 12, 2025 · Updated 5mo ago
Risk Assessment

The "traffic-monitor" plugin v3.2.7 presents a mixed security posture. On the positive side, the plugin demonstrates good practices by utilizing prepared statements for all SQL queries and properly escaping the vast majority of its output. Furthermore, there are no detected dangerous functions, file operations, or external HTTP requests, and the plugin does not bundle any libraries, which reduces the attack surface related to known library vulnerabilities.

However, significant concerns arise from the plugin's attack surface. It exposes six AJAX handlers, four of which lack proper authentication checks. This gives unauthorized users an opportunity to interact with sensitive functionality. The plugin's past medium-severity vulnerability, which was also a missing-authorization issue, amplifies this concern and suggests a recurring pattern of authorization problems.

In conclusion, while the plugin has strengths in its database interaction and output handling, the unprotected AJAX endpoints are a critical weakness. The history of a missing authorization vulnerability reinforces this as a potential area of exploitation. The plugin is currently patched against known CVEs, which is a positive sign, but the inherent design flaws in the AJAX handler security require immediate attention.

Key Concerns

  • Unprotected AJAX handlers
  • Past medium severity vulnerability (missing authorization)
Vulnerabilities
1

Traffic Monitor Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-5815 · medium · 5.3 · Missing Authorization

Traffic Monitor <= 3.2.2 - Missing Authorization to Unauthenticated Settings Update

Jun 12, 2025 Patched in 3.2.3 (1d)
Code Analysis
Analyzed Mar 16, 2026

Traffic Monitor Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (97 prepared)
Unescaped Output: 4 (75 escaped)
Nonce Checks: 3
Capability Checks: 4
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 97 total queries

Output Escaping

95% escaped · 79 total outputs
Attack Surface
4 unprotected

Traffic Monitor Attack Surface

Entry Points: 6
Unprotected: 4

AJAX Handlers: 6

auth    wp_ajax_tfcm_dismiss_export_notice    classes\controller\class-tfcm-lifecycle.php:22
nopriv  wp_ajax_tfcm_get_ip                   classes\controller\class-tfcm-request-controller.php:18
auth    wp_ajax_tfcm_get_ip                   classes\controller\class-tfcm-request-controller.php:20
nopriv  wp_ajax_tfcm_log_ajax_request         classes\controller\class-tfcm-request-controller.php:22
auth    wp_ajax_tfcm_log_ajax_request         classes\controller\class-tfcm-request-controller.php:24
auth    wp_ajax_tfcm_handle_bulk_action       classes\controller\class-tfcm-request-controller.php:26

WordPress Hooks: 14

action  admin_menu              classes\controller\class-tfcm-admin-controller.php:18
filter  default_hidden_columns  classes\controller\class-tfcm-admin-controller.php:19
action  set-screen-option       classes\controller\class-tfcm-admin-controller.php:20
filter  hidden_columns          classes\controller\class-tfcm-admin-controller.php:21
action  admin_enqueue_scripts   classes\controller\class-tfcm-assets.php:16
action  wp_enqueue_scripts      classes\controller\class-tfcm-assets.php:17
action  plugins_loaded          classes\controller\class-tfcm-lifecycle.php:20
action  admin_notices           classes\controller\class-tfcm-lifecycle.php:21
filter  plugin_row_meta         classes\controller\class-tfcm-plugin-links-controller.php:18
action  admin_head              classes\controller\class-tfcm-plugin-links-controller.php:19
action  admin_head              classes\view\class-tfcm-help-tabs.php:19
action  in_admin_header         classes\view\class-tfcm-view.php:16
action  init                    traffic-monitor.php:70
action  init                    traffic-monitor.php:121

Maintenance & Trust

Traffic Monitor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 21, 2025
PHP min version: 7.4
Downloads: 5K

Community Trust

Rating: 100/100
Number of ratings: 3
Active installs: 1K
Developer Profile

Traffic Monitor Developer Profile

Dmitri Martin

1 plugin · 1K total installs

Trust score: 99
Avg Security Score: 99/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect Traffic Monitor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/traffic-monitor/assets/js/tfcm-admin-script.js
  • /wp-content/plugins/traffic-monitor/assets/css/tfcm-admin-style.css
  • /wp-content/plugins/traffic-monitor/assets/js/tfcm-client-script.js

Script Paths
  • assets/js/tfcm-admin-script.js
  • assets/js/tfcm-client-script.js

Version Parameters
  • traffic-monitor/assets/js/tfcm-admin-script.js?ver=
  • traffic-monitor/assets/css/tfcm-admin-style.css?ver=
  • traffic-monitor/assets/js/tfcm-client-script.js?ver=

HTML / DOM Fingerprints

JS Globals
  • tfcmAdmin
  • tfcmClientAjax