WP-Safety

User Activity Tracking and Log Security & Risk Analysis

wordpress.org/plugins/user-activity-tracking-and-log

Track time and monitor user activity & history on your website, LMS online learning system, membership or WooCommerce site.

3K active installs v4.2.1 PHP 5.6+ WP 4.3+ Updated Jan 22, 2026
activity-loganalyticsstatisticsstatstime-tracking
99
A · Safe
CVEs total2
Unpatched0
Last CVEJan 29, 2024
Plugin page Download
Safety Verdict

Is User Activity Tracking and Log Safe to Use in 2026?

Generally Safe

Score 99/100

User Activity Tracking and Log has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Jan 29, 2024Updated 2mo ago
Risk Assessment

The "user-activity-tracking-and-log" plugin v4.2.1 presents a mixed security posture. While the majority of SQL queries are prepared and output escaping is generally well-handled, there are significant concerns regarding the attack surface. A high number of AJAX handlers, specifically 8 out of 9, lack authentication checks, creating a large entry point for potential abuse by unauthenticated users. Furthermore, the taint analysis revealed 5 high-severity flows with unsanitized paths, indicating potential vulnerabilities where user-supplied input could lead to unintended consequences, such as arbitrary code execution or data manipulation. The plugin's vulnerability history, while currently showing no unpatched CVEs, includes 2 past medium-severity vulnerabilities, notably Authentication Bypass by Spoofing and Cross-Site Request Forgery (CSRF). This history, coupled with the identified unsanitized paths and unprotected AJAX endpoints, suggests a recurring pattern of weaknesses in input validation and authentication mechanisms. The presence of the `unserialize` function also raises concerns, as it can be a vector for remote code execution if not used with extreme caution on untrusted data. The use of an outdated bundled library (Select2 v3.4.8) adds another layer of potential risk. Overall, while some security best practices are followed, the substantial unprotected attack surface and critical taint flows require immediate attention.

Key Concerns

  • AJAX handlers without auth checks
  • High severity taint flows
  • Dangerous function: unserialize
  • Bundled outdated library: Select2 v3.4.8
  • Past medium CVEs (2 total)
Vulnerabilities
2

User Activity Tracking and Log Security Vulnerabilities

CVEs by Year

1 CVE in 2023
2023
1 CVE in 2024
2024
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2024-0970medium · 5.3Authentication Bypass by Spoofing

User Activity Tracking and Log <= 4.1.3 - IP Spoofing

Jan 29, 2024 Patched in 4.1.4 (9d)
CVE-2023-4150medium · 4.3Cross-Site Request Forgery (CSRF)

User Activity Tracking and Log <= 4.0.8 - Cross-Site Request Forgery

Aug 7, 2023 Patched in 4.0.9 (169d)
Code Analysis
Analyzed Mar 16, 2026

User Activity Tracking and Log Code Analysis

Dangerous Functions
2
Raw SQL Queries
14
34 prepared
Unescaped Output
44
384 escaped
Nonce Checks
12
Capability Checks
10
File Operations
0
External Requests
3
Bundled Libraries
1

Dangerous Functions Found

unserialize$ma_data = unserialize( $_ma_data_option ); // phpcs:ignoreclass-moove-activity-content.php:102
unserialize$ma_data = unserialize( $_ma_data_option ); // phpcs:ignoreclass-moove-activity-content.php:164

Bundled Libraries

Select23.4.8

SQL Query Safety

71% prepared48 total queries

Output Escaping

90% escaped428 total outputs
Data Flows
6 unsanitized

Data Flow Analysis

10 flows6 with unsanitized paths
<class-moove-activity-shortcodes> (class-moove-activity-shortcodes.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
8 unprotected

User Activity Tracking and Log Attack Surface

Entry Points10
Unprotected8

AJAX Handlers 9

authwp_ajax_moove_activity_track_pageviewclass-moove-activity-actions.php:40
noprivwp_ajax_moove_activity_track_pageviewclass-moove-activity-actions.php:41
authwp_ajax_moove_activity_track_unloadclass-moove-activity-actions.php:43
noprivwp_ajax_moove_activity_track_unloadclass-moove-activity-actions.php:44
authwp_ajax_uat_activity_get_dt_logsclass-moove-activity-actions.php:47
authwp_ajax_uat_activity_export_dt_logsclass-moove-activity-actions.php:48
authwp_ajax_uat_activity_delete_dt_logsclass-moove-activity-actions.php:49
authwp_ajax_uat_manage_table_settingsclass-moove-activity-actions.php:50
authwp_ajax_uat_dismiss_review_noticecontrollers\class-moove-uat-review.php:28

Shortcodes 1

[show_ip] class-moove-activity-shortcodes.php:34
WordPress Hooks 50
actionadmin_enqueue_scriptsclass-moove-activity-actions.php:52
actionmoove_activity_delete_optionsclass-moove-activity-actions.php:53
actionmoove_activity_tab_contentclass-moove-activity-actions.php:54
actionmoove-activity-tab-contentclass-moove-activity-actions.php:55
actionmoove_activity_filtersclass-moove-activity-actions.php:56
actionmoove_activity_check_extensionsclass-moove-activity-actions.php:57
actionmoove_activity_premium_section_adsclass-moove-activity-actions.php:58
actionmoove_uat_filter_plugin_settingsclass-moove-activity-actions.php:59
actionadd_meta_boxesclass-moove-activity-actions.php:61
actionsave_postclass-moove-activity-actions.php:62
actionmoove_activity_check_tab_contentclass-moove-activity-actions.php:63
actionuat_licence_action_buttonclass-moove-activity-actions.php:64
actionuat_get_alertboxclass-moove-activity-actions.php:65
actionuat_licence_input_fieldclass-moove-activity-actions.php:66
actionuat_premium_update_alertclass-moove-activity-actions.php:67
actionuat_activity_log_restriction_contentclass-moove-activity-actions.php:68
actionuat_log_settings_restriction_contentclass-moove-activity-actions.php:69
actionuat_activity_screen_options_extensionclass-moove-activity-actions.php:70
actionprofile_updateclass-moove-activity-actions.php:71
actionuat_tab_section_cnt_classclass-moove-activity-actions.php:72
actionuat_sidebar_menu_linksclass-moove-activity-actions.php:73
actionuat_delete_option_select_valuesclass-moove-activity-actions.php:74
actionuat_activity_settings_cptclass-moove-activity-actions.php:75
actionuat_activity_settings_archivesclass-moove-activity-actions.php:76
actionuat_sidebar_menu_cpt_linksclass-moove-activity-actions.php:77
actionuat_get_table_settingsclass-moove-activity-actions.php:78
actionuat_premium_update_alertclass-moove-activity-actions.php:82
actionadmin_menuclass-moove-activity-actions.php:103
actionuat_licence_key_visibilityclass-moove-activity-actions.php:119
actionadmin_menuclass-moove-activity-actions.php:129
actionsave_postclass-moove-activity-actions.php:130
actionadmin_enqueue_scriptsclass-moove-activity-actions.php:755
actionwp_enqueue_scriptsclass-moove-activity-actions.php:757
actionuat_log_settings_capabilityclass-moove-activity-options.php:32
actionuat_activity_log_capabilityclass-moove-activity-options.php:33
actionupdate_option_moove_post_actclass-moove-activity-options.php:34
actionplugins_loadedclass-moove-activity-options.php:35
actionuat_activity_submenu_extensionclass-moove-activity-options.php:36
filterupgrader_source_selectioncontrollers\class-moove-uat-license-manager.php:115
actionadmin_noticescontrollers\class-moove-uat-review.php:26
actionadmin_print_footer_scriptscontrollers\class-moove-uat-review.php:27
filteruat_check_review_banner_conditioncontrollers\class-moove-uat-review.php:29
actionuat_plugin_updater_noticecontrollers\class-moove-uat-updater.php:42
filterplugins_apicontrollers\class-moove-uat-updater.php:53
filterpre_set_site_transient_update_pluginscontrollers\class-moove-uat-updater.php:54
filterupgrader_source_selectioncontrollers\class-moove-uat-updater.php:55
filterplugin_row_metamoove-activity.php:115
actionplugins_loadedmoove-activity.php:120
filterscreen_options_show_screenmoove-functions.php:303
filterplugin_action_linksmoove-functions.php:307
Maintenance & Trust

User Activity Tracking and Log Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedJan 22, 2026
PHP min version5.6
Downloads143K

Community Trust

Rating70/100
Number of ratings33
Active installs3K
Alternatives

User Activity Tracking and Log Alternatives

Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative)

Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative)

burst-statistics

A
96

Analytics you'll actually use. Privacy-friendly, zero config, and designed to be actionable. Get insights, not just raw data.

200K 3 CVEs
Statify

Statify

statify

A
100

Visitor statistics for WordPress with focus on data protection, transparency and clarity. Perfect as a widget in your WordPress Dashboard.

100K No CVEs
Koko Analytics – Privacy Friendly Statistics for WordPress

Koko Analytics – Privacy Friendly Statistics for WordPress

koko-analytics

A
96

Koko Analytics is a privacy-friendly statistics plugin for WordPress that is an easy to use alternative to Google Analytics.

60K 2 CVEs
Connect Matomo – Analytics Dashboard for WordPress

Connect Matomo – Analytics Dashboard for WordPress

wp-piwik

A
97

Adds Matomo (former Piwik) statistics to your WordPress dashboard and is also able to add the Matomo Tracking Code to your blog.

60K 5 CVEs
Visitor Traffic Real Time Statistics

Visitor Traffic Real Time Statistics

visitors-traffic-real-time-statistics

A
97

This plugin will help you to track your visitors, browsers, operating systems, visits and much more in one dashboard page.

40K 7 CVEs
Developer Profile

User Activity Tracking and Log Developer Profile

Moove Agency

6 plugins · 308K total installs

78
trust score
Avg Security Score
98/100
Avg Patch Time
314 days
View full developer profile
Detection Fingerprints

How We Detect User Activity Tracking and Log

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/user-activity-tracking-and-log/assets/css/moove-activity-user-profile.css/wp-content/plugins/user-activity-tracking-and-log/assets/js/moove-activity-user-profile.js/wp-content/plugins/user-activity-tracking-and-log/assets/js/moove-activity-datatable.js/wp-content/plugins/user-activity-tracking-and-log/assets/js/moove-activity-options.js/wp-content/plugins/user-activity-tracking-and-log/assets/js/moove-activity-script.js/wp-content/plugins/user-activity-tracking-and-log/assets/js/moove-activity-user-login-log.js
Script Paths
/wp-content/plugins/user-activity-tracking-and-log/assets/js/moove-activity-user-profile.js/wp-content/plugins/user-activity-tracking-and-log/assets/js/moove-activity-datatable.js/wp-content/plugins/user-activity-tracking-and-log/assets/js/moove-activity-options.js/wp-content/plugins/user-activity-tracking-and-log/assets/js/moove-activity-script.js/wp-content/plugins/user-activity-tracking-and-log/assets/js/moove-activity-user-login-log.js
Version Parameters
user-activity-tracking-and-log/assets/css/moove-activity-user-profile.css?ver=user-activity-tracking-and-log/assets/js/moove-activity-user-profile.js?ver=user-activity-tracking-and-log/assets/js/moove-activity-datatable.js?ver=user-activity-tracking-and-log/assets/js/moove-activity-options.js?ver=user-activity-tracking-and-log/assets/js/moove-activity-script.js?ver=user-activity-tracking-and-log/assets/js/moove-activity-user-login-log.js?ver=

HTML / DOM Fingerprints

CSS Classes
moove-uat-star-ratingmoove-activity-settingsmoove-activity-user-login-log-tablemoove-activity-post-activity-table
HTML Comments
<!-- User Activity Tracking and Log --><!-- plugin: user-activity-tracking-and-log --><!-- This plugin gives you the ability to track user activity on your website. --><!-- Author: Moove Agency -->+3 more
Data Attributes
data-plugin-pathdata-plugin-uri
JS Globals
moove_activity_ajax_object
FAQ

Frequently Asked Questions about User Activity Tracking and Log