WP-Safety

Word Stats Security & Risk Analysis

wordpress.org/plugins/word-stats

A suite of word counters, keyword counters and readability analysis for your blog.

200 active installs v4.5.1 PHP + WP 4.1.0+ Updated Dec 21, 2014
analyticskeywordsseostatisticswords
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Word Stats Safe to Use in 2026?

Generally Safe

Score 85/100

Word Stats has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 11yr ago
Risk Assessment

The "word-stats" v4.5.1 plugin exhibits a generally good security posture with no recorded vulnerabilities and a strong emphasis on prepared statements for SQL queries. The static analysis reveals a minimal attack surface, with all identified entry points being protected. However, there are significant concerns regarding the use of dangerous functions like `create_function` and `unserialize`, which can be exploited if they process untrusted input. Furthermore, a low percentage of output escaping (37%) is a notable weakness, potentially leading to Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is not properly sanitized before being displayed. The absence of nonce checks and capability checks on the single shortcode is also a concern, as it could allow unauthorized users to trigger its functionality. While the plugin has a clean vulnerability history, the identified code signals suggest a latent risk that could be exploited in the absence of proper input validation and output sanitization.

Key Concerns

  • Use of dangerous function: create_function
  • Use of dangerous function: unserialize
  • Low output escaping percentage
  • Missing nonce check on shortcode
  • Missing capability check on shortcode
Vulnerabilities
None known

Word Stats Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Word Stats Code Analysis

Dangerous Functions
2
Raw SQL Queries
1
8 prepared
Unescaped Output
116
69 escaped
Nonce Checks
0
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
1

Dangerous Functions Found

create_functionadd_action( 'widgets_init', create_function( '', 'return register_widget( "widget_ws_word_counts" );word-stats.php:96
unserialize$keywords = unserialize( get_post_meta( $post->ID, 'word_stats_keywords', true ) );word-stats.php:567

Bundled Libraries

jQuery

SQL Query Safety

89% prepared9 total queries

Output Escaping

37% escaped185 total outputs
Attack Surface

Word Stats Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[wordcounts] word-stats.php:105
WordPress Hooks 14
actionadmin_footerword-stats.php:68
actionsave_postword-stats.php:73
actionright_now_content_table_endword-stats.php:80
actiondashboard_glance_itemsword-stats.php:82
filtermanage_posts_columnsword-stats.php:88
actionmanage_posts_custom_columnword-stats.php:89
actionadmin_initword-stats.php:90
actionwidgets_initword-stats.php:96
actionword_stats_workerword-stats.php:123
actionadmin_initword-stats.php:773
actionadmin_initword-stats.php:780
actionadmin_menuword-stats.php:781
actionadmin_noticesword-stats.php:797
actionadmin_noticesword-stats.php:799

Scheduled Events 1

word_stats_worker
Maintenance & Trust

Word Stats Maintenance & Trust

Maintenance Signals

WordPress version tested4.1.0
Last updatedDec 21, 2014
PHP min version
Downloads34K

Community Trust

Rating88/100
Number of ratings10
Active installs200
Alternatives

Word Stats Alternatives

Mirolabs AI SEO

Mirolabs AI SEO

mirolabs-ai-seo

A
100

Powerful AI-first SEO suite with Google Search Console integration, keyword research, content optimization, and more.

0 No CVEs
Search by GOGO GET

Search by GOGO GET

search-by-gogo-get

A
100

GOGO GET analyzes your site with AI, then dynamically creates an integrated Search bar without coding. Dashboard views show live Search analytics etc.

0 No CVEs
CallRail Phone Call Tracking

CallRail Phone Call Tracking

callrail-phone-call-tracking

A
99

Dynamically swap CallRail tracking phone numbers based on the visitor's referring source.

10K 2 CVEs
Simple SEO

Simple SEO

cds-simple-seo

A
91

Allows the modification of META titles, descriptions and keywords for all pages and posts. Also allows for default setting for of META title, descript …

10K 6 CVEs
Surfer – WordPress Plugin

Surfer – WordPress Plugin

surferseo

A
97

Connect Surfer's Content Editor to WordPress. Write and optimize your articles for SEO, find new keyword ideas and publish straight to WordPress.

6K 3 CVEs
Developer Profile

Word Stats Developer Profile

Fran Ontanaya

2 plugins · 210 total installs

89
trust score
Avg Security Score
93/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Word Stats

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/word-stats/css/style.css/wp-content/plugins/word-stats/js/word-stats.js
Script Paths
/wp-content/plugins/word-stats/js/word-stats.js
Version Parameters
word-stats/css/style.css?ver=word-stats/js/word-stats.js?ver=

HTML / DOM Fingerprints

CSS Classes
word-stats-counts
Shortcode Output
<ul class="word-stats-counts">
FAQ

Frequently Asked Questions about Word Stats