Usermaven Security & Risk Analysis

wordpress.org/plugins/usermaven

Usermaven's web analytics product is a Google Analytics alternative that provides a real-time view of your website traffic metrics.

1K active installs v1.2.7 PHP 5.6+ WP 3.0.1+ Updated Jan 14, 2026
Tags: analytics, google-analytics-alternative, privacy, stats, web-analytics
Score: 99 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Mar 28, 2025
Safety Verdict

Is Usermaven Safe to Use in 2026?

Generally Safe

Score 99/100

Usermaven has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Mar 28, 2025 · Updated 2mo ago
Risk Assessment

The Usermaven v1.2.7 plugin has a generally positive security posture and follows several best practices. Static analysis shows a very limited attack surface, with no unprotected AJAX handlers, REST API routes, or shortcodes. SQL query handling is excellent, with 100% of queries using prepared statements, and the output escaping rate is high (97%). The absence of dangerous functions, file operations, and critical or high severity taint flows further indicates a commitment to secure coding.

However, there are areas for improvement. The 2 external HTTP requests warrant careful scrutiny to ensure they are not exploitable. More significantly, the plugin has a history of known vulnerabilities, with one CVE recorded. Although there are currently no unpatched CVEs, the medium severity Cross-Site Request Forgery (CSRF) vulnerability recorded in the past suggests that security oversights have occurred. This history, combined with a complete absence of capability checks, leaves room for concern about privilege escalation or unauthorized actions if other security mechanisms were to fail.

Key Concerns

  • Medium severity vulnerability in history
  • 2 external HTTP requests
  • 0 capability checks found
Vulnerabilities: 1

Usermaven Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-31079 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Usermaven <= 1.2.1 - Cross-Site Request Forgery

Mar 28, 2025 · Patched in 1.2.2 (6d)
Code Analysis
Analyzed Mar 16, 2026

Usermaven Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 1 (38 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Output Escaping

97% escaped · 39 total outputs
Data Flows: All sanitized

Data Flow Analysis

2 flows
usermaven_activation_form (includes\usermaven-settings-form.php:6)
Attack Surface

Usermaven Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 41
action · woocommerce_init · includes\class-usermaven-woocommerce.php:23
action · shutdown · includes\class-usermaven-woocommerce.php:26
action · woocommerce_login_credentials · includes\class-usermaven-woocommerce.php:34
action · template_redirect · includes\class-usermaven-woocommerce.php:37
action · woocommerce_add_to_cart · includes\class-usermaven-woocommerce.php:40
action · woocommerce_cart_item_removed · includes\class-usermaven-woocommerce.php:41
action · woocommerce_after_cart_item_quantity_update · includes\class-usermaven-woocommerce.php:42
action · wp · includes\class-usermaven-woocommerce.php:46
action · woocommerce_new_order · includes\class-usermaven-woocommerce.php:48
action · woocommerce_order_status_changed · includes\class-usermaven-woocommerce.php:52
action · woocommerce_order_status_completed · includes\class-usermaven-woocommerce.php:53
action · woocommerce_order_status_failed · includes\class-usermaven-woocommerce.php:54
action · woocommerce_order_status_processing · includes\class-usermaven-woocommerce.php:55
action · woocommerce_order_status_on-hold · includes\class-usermaven-woocommerce.php:56
action · woocommerce_order_status_pending · includes\class-usermaven-woocommerce.php:57
action · woocommerce_order_status_cancelled · includes\class-usermaven-woocommerce.php:58
action · woocommerce_order_status_refunded · includes\class-usermaven-woocommerce.php:59
action · woocommerce_order_status_draft · includes\class-usermaven-woocommerce.php:60
action · woocommerce_created_customer · includes\class-usermaven-woocommerce.php:63
action · woocommerce_cart_updated · includes\class-usermaven-woocommerce.php:66
action · woocommerce_cart_emptied · includes\class-usermaven-woocommerce.php:67
action · woocommerce_after_cart_item_quantity_update · includes\class-usermaven-woocommerce.php:68
action · woocommerce_order_status_completed · includes\class-usermaven-woocommerce.php:71
action · woocommerce_order_status_failed · includes\class-usermaven-woocommerce.php:72
action · woocommerce_thankyou · includes\class-usermaven-woocommerce.php:75
action · woocommerce_init · includes\class-usermaven-woocommerce.php:78
action · woocommerce_checkout_order_processed · includes\class-usermaven-woocommerce.php:83
action · yith_wcwl_added_to_wishlist · includes\class-usermaven-woocommerce.php:93
action · yith_wcwl_removed_from_wishlist · includes\class-usermaven-woocommerce.php:94
action · yith_wcwl_moved_to_another_wishlist · includes\class-usermaven-woocommerce.php:95
action · woocommerce_before_checkout_form · includes\class-usermaven-woocommerce.php:1750
action · woocommerce_add_to_cart · includes\class-usermaven-woocommerce.php:1758
action · woocommerce_cart_item_removed · includes\class-usermaven-woocommerce.php:1759
action · woocommerce_after_cart_item_quantity_update · includes\class-usermaven-woocommerce.php:1760
action · wp_footer · includes\class-usermaven.php:92
action · plugins_loaded · includes\class-usermaven.php:153
action · admin_enqueue_scripts · includes\class-usermaven.php:168
action · admin_enqueue_scripts · includes\class-usermaven.php:169
action · wp_enqueue_scripts · includes\class-usermaven.php:184
action · wp_enqueue_scripts · includes\class-usermaven.php:185
action · admin_menu · usermaven.php:71

Scheduled Events: 1

usermaven_check_cart_abandonment
Maintenance & Trust

Usermaven Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jan 14, 2026
PHP min version: 5.6
Downloads: 13K

Community Trust

Rating: 100/100
Number of ratings: 3
Active installs: 1K
Developer Profile

Usermaven Developer Profile

usermaven

1 plugin · 1K total installs

Trust score: 99
Avg Security Score: 99/100
Avg Patch Time: 6 days
Detection Fingerprints

How We Detect Usermaven

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/usermaven/admin/css/usermaven-admin.css
/wp-content/plugins/usermaven/admin/js/usermaven-admin.js
Script Paths
/wp-content/plugins/usermaven/public/js/usermaven-public.js
Version Parameters
usermaven-admin.css?ver=
usermaven-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
usermaven-notice-warning
Data Attributes
data-um-event
JS Globals
usermaven_public
FAQ

Frequently Asked Questions about Usermaven