User Stats Security & Risk Analysis

wordpress.org/plugins/user-stats

User Stats provides an easy way to see at a glance stats about your users, including: post count, post views, article costs, costs per 1000 views and …

100 active installs v1.0.7 PHP + WP 3.6+ Updated Jan 9, 2014
author · post-count · statistics · stats · user
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is User Stats Safe to Use in 2026?

Generally Safe

Score 85/100

User Stats has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 12yr ago
Risk Assessment

The "user-stats" plugin version 1.0.7 presents a significant security risk due to its large attack surface with unprotected entry points. The static analysis reveals four AJAX handlers, all of which lack proper authentication checks. This means any unauthenticated user could potentially interact with these handlers, leading to unauthorized actions or information disclosure. While the plugin shows positive signs like a high percentage of SQL queries using prepared statements and the presence of some nonce and capability checks, these are overshadowed by the critical flaw of unprotected AJAX endpoints. The taint analysis indicates one flow with unsanitized paths, which, although not classified as critical or high severity in this specific analysis, points to potential weaknesses that could be exploited in conjunction with the unprotected entry points. The absence of any recorded vulnerabilities in its history is a positive indicator of past security diligence, but it does not mitigate the immediate risks identified in the current code. The plugin needs immediate attention to secure its AJAX handlers to prevent potential exploitation.

Key Concerns

  • Unprotected AJAX handlers
  • Flows with unsanitized paths
  • Low percentage of properly escaped output
  • Limited nonce checks
  • Limited capability checks
Vulnerabilities
None known

User Stats Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

User Stats Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (4 prepared)
Unescaped Output: 155 (1 escaped)
Nonce Checks: 2
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

80% prepared · 5 total queries

Output Escaping

1% escaped · 156 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

2 flows · 1 with unsanitized paths
asz_reset_count (user-stats.php:592)
[Data flow diagram. Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface
4 unprotected

User Stats Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers 4

auth  wp_ajax_asz_ind_show_posts  user-stats.php:427
auth  wp_ajax_asz_reset_count  user-stats.php:591
auth  wp_ajax_user_stats_dismiss  user-stats.php:621
auth  wp_ajax_user_stats_n_ajax  user-stats.php:680
WordPress Hooks 7
action  admin_menu  user-stats.php:77
action  init  user-stats.php:79
filter  plugin_action_links  user-stats.php:82
action  init  user-stats.php:85
action  init  user-stats.php:87
action  wp_head  user-stats.php:423
filter  posts_where  user-stats.php:559
Maintenance & Trust

User Stats Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.7.41
Last updated: Jan 9, 2014
PHP min version
Downloads: 11K

Community Trust

Rating: 74/100
Number of ratings: 7
Active installs: 100
Developer Profile

User Stats Developer Profile

ApinaPress

1 plugin · 100 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect User Stats

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/user-stats/js/user-stats-admin.js
/wp-content/plugins/user-stats/css/user-stats-admin.css
/wp-content/plugins/user-stats/css/datepicker-smoothness.css
Script Paths
/wp-content/plugins/user-stats/js/user-stats-admin.js
Version Parameters
user-stats/js/user-stats-admin.js?ver=
user-stats/css/user-stats-admin.css?ver=

HTML / DOM Fingerprints

JS Globals
user_stats_nag