Does UserHeat Plugin have any unpatched vulnerabilities?

No. All known vulnerabilities in UserHeat Plugin have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is UserHeat Plugin compatible with WordPress 5.6.17?

According to WordPress.org data, UserHeat Plugin 1.1.11 has been tested up to WordPress 5.6.17. Check the plugin's changelog for the latest compatibility information.

Is UserHeat Plugin compatible with PHP 5.4+?

UserHeat Plugin requires PHP 5.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is UserHeat Plugin updated?

UserHeat Plugin was last updated on Apr 1, 2024. Frequent updates are generally a positive security signal.

What is UserHeat Plugin's security score?

UserHeat Plugin has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

UserHeat Plugin Security & Risk Analysis

wordpress.org/plugins/userheat

Free heatmaps plugin for web analytics, on both PC and smartphone.

6K active installs v1.1.11 PHP 5.4+ WP 4.2+ Updated Apr 1, 2024

analyticsanalyzeclickheatmapjapanese

A · Safe

CVEs total1

Unpatched0

Last CVENov 7, 2023

Plugin page Download

Safety Verdict

Is UserHeat Plugin Safe to Use in 2026?

Generally Safe

Score 85/100

UserHeat Plugin has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Nov 7, 2023Updated 2yr ago

Risk Assessment

The "userheat" plugin v1.1.11 presents a mixed security posture. On the positive side, it demonstrates good practices in handling SQL queries, exclusively using prepared statements, and the static analysis shows no dangerous functions, file operations, external HTTP requests, or bundled libraries. Furthermore, there are no critical or high-severity taint flows identified, and all known CVEs appear to be patched. However, significant concerns arise from the complete lack of output escaping, meaning all 18 identified output points are vulnerable to Cross-Site Scripting (XSS) attacks. The absence of nonce checks and capability checks on all entry points, combined with a complete lack of output escaping, creates a substantial risk of Cross-Site Request Forgery (CSRF) and XSS vulnerabilities, especially if any of the entry points were to handle user-supplied data. The plugin's vulnerability history, while currently clear of unpatched issues, previously had a medium-severity vulnerability related to CSRF, which aligns with the potential risks identified in the code analysis due to missing CSRF protection mechanisms. This plugin has strengths in database interaction but exhibits critical weaknesses in output sanitization and input validation.

Key Concerns

Unescaped output on all 18 outputs
Missing nonce checks on all entry points
Missing capability checks on all entry points
1 medium vulnerability in history (CSRF)

Vulnerabilities

UserHeat Plugin Security Vulnerabilities

CVEs by Year

1 CVE in 2023

2023

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2023-47553medium · 4.3Cross-Site Request Forgery (CSRF)

UserHeat Plugin <= 1.1.10 - Cross-Site Request Forgery

Nov 7, 2023 Patched in 1.1.11 (438d)

Code Analysis

Analyzed Mar 16, 2026

UserHeat Plugin Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

0% escaped18 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

settingPage (userheat.php:87)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

UserHeat Plugin Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 4

actionadmin_inituserheat.php:35

actionadmin_menuuserheat.php:36

actionwp_footeruserheat.php:37

actioninituserheat.php:39

Maintenance & Trust

UserHeat Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested5.6.17

Last updatedApr 1, 2024

PHP min version5.4

Downloads35K

Community Trust

Rating100/100

Number of ratings1

Active installs6K

Alternatives

UserHeat Plugin Alternatives

Aurora Heatmap

aurora-heatmap

100

Beautiful like an aurora! A simple WordPress heatmap that can be completed with just a plugin.

20K No CVEs

User Insight WordPress Plugin

user-insight

ヒートマップ対応アクセス解析ツールUser InsightのWordPressプラグインです。簡単な設定ですぐにUser Insightでデータを計測できるようになります。

200 No CVEs

ミエルカヒートマップタグマネージャー

mieruca-heatmap-tag-manager

100

無料で使えるヒートマップツール、ミエルカヒートマップのタグ設置が簡単にできるプラグインです。 This is the plugin to introduce the tag of the free heatmap service "Mieruca Heatmap" easily.

800 No CVEs

Heatmap Plugin

heatmap

This plugin will help you to analyze where people click on your site. As the result you will discover where better to place banners, how to organize n …

30 No CVEs

WP Super Heatmap

wp-super-heatmap

This plugin tracks user clicks and creates a heatmap for your website. All data is stored locally and no third-party service is used. Completely free!

10 No CVEs

Developer Profile

UserHeat Plugin Developer Profile

hayata

1 plugin · 6K total installs

trust score

Avg Security Score

85/100

Avg Patch Time

438 days

View full developer profile

Detection Fingerprints

How We Detect UserHeat Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/userheat/css/bootstrap.min.css/wp-content/plugins/userheat/css/site.css/wp-content/plugins/userheat/css/admin.css/wp-content/plugins/userheat/js/site.min.js

Script Paths

//uh.nakanohito.jp/uhj2/uh.js

HTML / DOM Fingerprints

CSS Classes

uh-css-bootstrapuh-css-siteuh-css-admin

HTML Comments

JS Globals

UserHeatTag_uhtracker

FAQ