WP Google Analytics Events – No-Code Custom Event Tracking for Google Analytics Security & Risk Analysis

The "wp-google-analytics-events" plugin v2.8.2 presents a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and performing nonce checks on a reasonable number of entry points. However, a significant concern arises from the presence of one AJAX handler lacking authentication checks, creating a potential avenue for unauthorized actions.

The static analysis also reveals a weakness in output escaping, with only 25% of outputs being properly sanitized. This, combined with two flows with unsanitized paths identified during taint analysis, suggests a moderate risk of Cross-Site Scripting (XSS) vulnerabilities, particularly as Cross-Site Scripting is listed as a common vulnerability type in its history.

The plugin's vulnerability history is a major red flag. With two known CVEs, one of which is currently unpatched, and both being medium severity, it indicates a pattern of past security flaws. The common vulnerability types of Exposure of Sensitive Information and XSS further reinforce the concerns about input sanitization and output escaping. The fact that the last vulnerability was in late 2025 is also concerning, as it implies a lack of recent security attention or that the found vulnerabilities are future-dated. Overall, while the plugin has some good security implementations, the unpatched vulnerability, the unprotected AJAX endpoint, and the historically recurring XSS risk necessitate careful consideration and prompt patching.