Does UserTracker have any unpatched vulnerabilities?

No. All known vulnerabilities in UserTracker have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is UserTracker compatible with WordPress 2.5?

According to WordPress.org data, UserTracker 1.2 has been tested up to WordPress 2.5. Check the plugin's changelog for the latest compatibility information.

How often is UserTracker updated?

UserTracker was last updated on Jun 18, 2008. Frequent updates are generally a positive security signal.

What is UserTracker's security score?

UserTracker has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

UserTracker Security & Risk Analysis

wordpress.org/plugins/usertracker

This plugin will let you track which pages your users who are logged in are viewing. It logs the username, ip, datetime, referer and url viewed.

40 active installs v1.2 PHP + WP 2.1.2+ Updated Jun 18, 2008

pageposttrackuserview

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is UserTracker Safe to Use in 2026?

Generally Safe

Score 85/100

UserTracker has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 17yr ago

Risk Assessment

The "usertracker" v1.2 plugin exhibits a concerning security posture despite a clean vulnerability history. While the attack surface appears minimal with zero identified entry points requiring authentication, the static analysis reveals significant code-level weaknesses. Notably, 100% of output operations are not properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. Furthermore, the taint analysis highlights three flows with unsanitized paths, all flagged as high severity. This suggests potential vulnerabilities where user-supplied data is not adequately validated or sanitized before being processed or displayed.

The complete absence of known CVEs and a lack of historical vulnerabilities is a positive indicator, suggesting the developers may have a generally good approach to security in the past. However, this historical data does not mitigate the immediate risks identified in the current code analysis. The lack of capability checks and nonce checks on potential (though not explicitly identified) entry points further compounds these concerns. The plugin's strength lies in its apparent lack of direct external interaction and raw SQL queries, but this is overshadowed by critical unescaped outputs and unsanitized data flows.

Key Concerns

High severity unsanitized taint flows
100% of output not properly escaped
No nonce checks
No capability checks

Vulnerabilities

None known

UserTracker Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

UserTracker Code Analysis

Dangerous Functions

Raw SQL Queries

7 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

88% prepared8 total queries

Output Escaping

0% escaped6 total outputs

Data Flows

3 unsanitized

Data Flow Analysis

3 flows3 with unsanitized paths

UT_trackUser (userTracker.php:38)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

UserTracker Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 3

filterwp_headuserTracker.php:23

actionadmin_menuuserTracker.php:25

actionwp_loginuserTracker.php:26

Maintenance & Trust

UserTracker Maintenance & Trust

Maintenance Signals

WordPress version tested2.5

Last updatedJun 18, 2008

PHP min version

Downloads6K

Community Trust

Rating0/100

Number of ratings0

Active installs40

Alternatives

UserTracker Alternatives

Post Views Counter

post-views-counter

Post Views Counter allows you to collect and display how many times a post, page, or other content has been viewed in a simple, fast and reliable way.

200K 2 CVEs