Does Web-Stat have any unpatched vulnerabilities?

No. All known vulnerabilities in Web-Stat have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Web-Stat compatible with WordPress 6.8.5?

According to WordPress.org data, Web-Stat 2.6 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

Is Web-Stat compatible with PHP 5.2.4+?

Web-Stat requires PHP 5.2.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Web-Stat updated?

Web-Stat was last updated on Apr 19, 2025. Frequent updates are generally a positive security signal.

What is Web-Stat's security score?

Web-Stat has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Web-Stat Security & Risk Analysis

wordpress.org/plugins/web-stat

Free, real-time stats for your web site with full visitors details. Add Web-Stat in just one click and check out your site's activity, live!

6K active installs v2.6 PHP 5.2.4+ WP 4.9.5+ Updated Apr 19, 2025

web-analyticsweb-statsweb-statwebstat

A · Safe

CVEs total1

Unpatched0

Last CVEFeb 23, 2021

Plugin page Download

Safety Verdict

Is Web-Stat Safe to Use in 2026?

Generally Safe

Score 99/100

Web-Stat has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Feb 23, 2021Updated 11mo ago

Risk Assessment

The "web-stat" plugin version 2.6 demonstrates a generally strong security posture based on the provided static analysis. It utilizes prepared statements for all SQL queries, properly escapes all output, and implements nonce and capability checks on its single AJAX entry point. The absence of critical or high severity taint flows and dangerous function usage further reinforces this positive outlook. The plugin also avoids bundled libraries and only makes a single external HTTP request, reducing potential attack vectors.

However, the plugin's vulnerability history presents a significant concern. It has a known CVE, specifically related to Exposure of Sensitive Information to an Unauthorized Actor, and while it's currently patched, the existence of past vulnerabilities, particularly a high-severity one, suggests a potential for recurring security flaws. The single AJAX entry point, while protected by nonce and capability checks, still represents a potential target if future vulnerabilities are introduced.

In conclusion, while "web-stat" v2.6 implements several key security best practices, the past occurrence of a high-severity vulnerability indicates that ongoing vigilance and thorough auditing are necessary. The plugin's strengths lie in its secure coding practices for current analysis, but its historical track record necessitates a cautious approach.

Key Concerns

Past high severity vulnerability
Known CVE history

Vulnerabilities

Web-Stat Security Vulnerabilities

CVEs by Year

1 CVE in 2021

2021

Patched Has unpatched

Severity Breakdown

High

1 total CVE

CVE-2021-24167high · 7.5Exposure of Sensitive Information to an Unauthorized Actor

Web-Stat <= 1.4.0 - API Key Disclosure

Feb 23, 2021 Patched in 1.4.1 (1064d)

Code Analysis

Analyzed Mar 16, 2026

Web-Stat Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

3 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

100% escaped3 total outputs

Data Flows

All sanitized

Data Flow Analysis

2 flows

handle_ajax_data (Web-Stat.php:137)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Web-Stat Attack Surface

Entry Points1

Unprotected0

AJAX Handlers 1

authwp_ajax_handle_ajax_dataWeb-Stat.php:41

WordPress Hooks 10

actioninitWeb-Stat.php:36

actionplugins_loadedWeb-Stat.php:38

actionwp_enqueue_scriptsWeb-Stat.php:39

actionadmin_enqueue_scriptsWeb-Stat.php:40

actionadmin_menuWeb-Stat.php:42

actionwp_dashboard_setupWeb-Stat.php:43

actionwp_dashboard_setupWeb-Stat.php:44

filterplugin_row_metaWeb-Stat.php:45

filterplugin_action_linksWeb-Stat.php:46

actionadmin_head-plugins.phpWeb-Stat.php:47

Maintenance & Trust

Web-Stat Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedApr 19, 2025

PHP min version5.2.4

Downloads104K

Community Trust

Rating88/100

Number of ratings19

Active installs6K

Alternatives

Web-Stat Alternatives

Matomo Tracker

matomo-analytics

100

The easiest way to track visitors in Matomo. No nonsense, just stats!

100 No CVEs

Plausible Analytics

plausible-analytics

Plausible Analytics is a privacy-friendly web analytics plugin for WordPress that is an easy-to-use, lightweight and more accurate alternative to Goo …

10K 3 CVEs

Audience Analytics – by Quantcast

audience-analytics-by-quantcast

Provides statistics about visitors to every page of your site: traffic, age, gender, shopping patterns, general interests and much more.

1K No CVEs

Usermaven

usermaven

Usermaven's web analytics product is a Google Analytics alternative that provides a real-time view of your website traffic metrics.

1K 1 CVE

Zoho Marketing Automation

zoho-marketinghub

Zoho Marketing Automation is an all-in-one marketing automation software that helps you successfully manage your marketing activities across multiple …

1K 1 CVE

Developer Profile

Web-Stat Developer Profile

Web-Stat

1 plugin · 6K total installs

trust score

Avg Security Score

99/100

Avg Patch Time

1064 days

View full developer profile

Detection Fingerprints

How We Detect Web-Stat

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/web-stat/js/wts_script.js

Script Paths

https://app.ardalio.com/ajax.pl

Version Parameters

web-stat/js/wts_script.js?ver=

HTML / DOM Fingerprints

JS Globals

wts_data

FAQ