API Stats Security & Risk Analysis

wordpress.org/plugins/wp-api-stats

View and filter API calls to your website with details about Method, Path, Response time, and Count.

100 active installs v1.4 PHP 5.6+ WP 4.4+ Updated Unknown
api-rest-api-statistics-stats
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is API Stats Safe to Use in 2026?

Generally Safe

Score 100/100

API Stats has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The wp-api-stats plugin version 1.4 presents a generally good security posture, with no known critical or high-severity vulnerabilities in its history and a clean taint analysis. The plugin appears to adhere to good practices by avoiding dangerous functions and external HTTP requests. However, several areas warrant attention. The absence of nonce checks is a significant concern, especially given that the plugin has cron events, which can be triggered by unauthenticated users if not properly secured. Furthermore, while SQL queries are present, 50% are not using prepared statements, posing a risk of SQL injection. The output escaping is also suboptimal at 42%, indicating potential for cross-site scripting (XSS) vulnerabilities.

While the plugin has no recorded vulnerabilities, the lack of comprehensive security checks like nonces and prepared statements, coupled with the limited output escaping, leaves room for potential exploitation. The plugin's strengths lie in its limited attack surface and lack of dangerous functions. However, the identified weaknesses, particularly around input validation and privilege escalation vectors, prevent it from being considered fully secure. Recommendations would focus on implementing nonce checks for all entry points and ensuring all SQL queries utilize prepared statements, along with improving output escaping practices.

Key Concerns

  • No nonce checks found
  • 50% of SQL queries not using prepared statements
  • Low percentage of properly escaped output (42%)
  • No capability checks found
Vulnerabilities
None known

API Stats Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

API Stats Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 2 (prepared: 2)
  • Unescaped Output: 7 (escaped: 5)
  • Nonce Checks: 0
  • Capability Checks: 0
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

50% prepared, 4 total queries

Output Escaping

42% escaped, 12 total outputs
Attack Surface

API Stats Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 7
  • action sg_api_stats_cron (administration.php:16)
  • action admin_menu (class-wp-api-stats.php:19)
  • filter rest_pre_serve_request (class-wp-api-stats.php:22)
  • action rest_api_init (class-wp-api-stats.php:23)
  • action admin_print_scripts (class-wp-api-stats.php:26)
  • action admin_enqueue_scripts (class-wp-api-stats.php:29)
  • action admin_print_styles-tools_page_api-stats (class-wp-api-stats.php:32)

Scheduled Events 1

sg_api_stats_cron
Maintenance & Trust

API Stats Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.4.8
  • Last updated: Unknown
  • PHP min version: 5.6
  • Downloads: 3K

Community Trust

  • Rating: 100/100
  • Number of ratings: 3
  • Active installs: 100
Alternatives

API Stats Alternatives

No alternatives data available yet.

Developer Profile

API Stats Developer Profile

Salar Gholizadeh

3 plugins · 300 total installs

  • Trust score: 87
  • Avg Security Score: 90/100
  • Avg Patch Time: 30 days
Detection Fingerprints

How We Detect API Stats

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-api-stats/assets/chartjs/Chart.min.css
/wp-content/plugins/wp-api-stats/assets/chartjs/Chart.min.js
/wp-content/plugins/wp-api-stats/assets/draw.js
Script Paths
/wp-content/plugins/wp-api-stats/assets/draw.js
Version Parameters
wp-api-stats/assets/chartjs/Chart.min.css?ver=
wp-api-stats/assets/chartjs/Chart.min.js?ver=
wp-api-stats/assets/draw.js?ver=

HTML / DOM Fingerprints

JS Globals
window.api_stats
REST Endpoints
/wp-json/api-stats/
FAQ

Frequently Asked Questions about API Stats