Wincher Rank Tracker Security & Risk Analysis

wordpress.org/plugins/wincher-rank-tracker

Wincher is a Google search engine rank tracking plugin which enables you to keep an eye on your keywords.

3K active installs · v3.0.7 · PHP + WP 5.0.0+ · Updated Mar 25, 2024
Tags: rank-tracker, seo, seo-ranking, seo-tool, serp-tracker
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Wincher Rank Tracker Safe to Use in 2026?

Generally Safe

Score 85/100

Wincher Rank Tracker has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2yr ago
Risk Assessment

The wincher-rank-tracker plugin version 3.0.7 exhibits a mixed security posture. While it demonstrates good practices by using prepared statements for all SQL queries and has no recorded vulnerabilities, several concerning areas were identified in the static analysis. The plugin has a small but unprotected attack surface, with one AJAX handler lacking authentication checks. Additionally, a dangerous function, `unserialize`, is present, and critically, none of the identified output points are properly escaped. This combination of an unprotected entry point, a potentially vulnerable function, and unescaped output creates a significant risk of Cross-Site Scripting (XSS) and potentially Remote Code Execution (RCE) if an attacker can control the data being unserialized or output. The absence of known vulnerabilities is a positive sign, but the identified code signals suggest a latent risk that has not yet been exploited or publicly disclosed.

Key Concerns

  • AJAX handler without auth checks
  • Dangerous function unserialize present
  • 0% output escaping
  • 0 Nonce checks
  • Bundled library Guzzle
Vulnerabilities
None known

Wincher Rank Tracker Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Wincher Rank Tracker Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
0 prepared
Unescaped Output
2
0 escaped
Nonce Checks
0
Capability Checks
1
File Operations
2
External Requests
0
Bundled Libraries
1

Dangerous Functions Found

unserialize · `return unserialize(preg_replace('/^O:\d+:"[^"]++"/', 'O:' . strlen($class) . ':"' . $class . '"', se` · includes\WincherOAuthClient.php:451

Bundled Libraries

Guzzle

Output Escaping

0% escaped · 2 total outputs
Attack Surface
1 unprotected

Wincher Rank Tracker Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_wincher_close_notice · includes\Plugin.php:40
WordPress Hooks 4
action · admin_menu · includes\Plugin.php:37
action · admin_enqueue_scripts · includes\Plugin.php:38
action · rest_api_init · includes\Plugin.php:39
action · pre_current_active_plugins · includes\Plugin.php:45
Maintenance & Trust

Wincher Rank Tracker Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.4.8
Last updated: Mar 25, 2024
PHP min version
Downloads: 90K

Community Trust

Rating: 80/100
Number of ratings: 56
Active installs: 3K
Developer Profile

Wincher Rank Tracker Developer Profile

wincher.com

1 plugin · 3K total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
Detection Fingerprints

How We Detect Wincher Rank Tracker

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wincher-rank-tracker/assets/css/global.css
/wp-content/plugins/wincher-rank-tracker/assets/js/global.js
Script Paths
/wp-content/plugins/wincher-rank-tracker/vendor/wincher/oauth-client/src/WincherOAuthClient.php
/wp-content/plugins/wincher-rank-tracker/includes/DashboardPage.php
/wp-content/plugins/wincher-rank-tracker/includes/Plugin.php
Version Parameters
wincher-rank-tracker/assets/css/global.css?ver=
wincher-rank-tracker/assets/js/global.js?ver=

HTML / DOM Fingerprints

CSS Classes
wincher-upgrade-link
wincher-activate
wincher-close-activate
Data Attributes
id="wincher-dashboard-root"
JS Globals
wincherConfig
REST Endpoints
/wp-json/wincher/v1/
FAQ

Frequently Asked Questions about Wincher Rank Tracker