Connect Matomo – Analytics Dashboard for WordPress Security & Risk Analysis

wordpress.org/plugins/wp-piwik

Adds Matomo (former Piwik) statistics to your WordPress dashboard and is also able to add the Matomo Tracking Code to your blog.

60K active installs · v1.1.1 · PHP + WP 5.0+ · Updated Mar 10, 2026
Tags: analytics, matomo, statistics, stats, tracking
Score: 97 · A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Sep 21, 2023
Safety Verdict

Is Connect Matomo – Analytics Dashboard for WordPress Safe to Use in 2026?

Generally Safe

Score 97/100

Connect Matomo – Analytics Dashboard for WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Sep 21, 2023 · Updated 24d ago
Risk Assessment

Version 1.1.1 of the 'wp-piwik' plugin has a mixed security posture. Its attack surface is small, with no unprotected entry points, but its code quality and vulnerability history raise significant concerns. Static analysis shows a low rate of proper output escaping (7%) and a large share of SQL queries that do not use prepared statements (78%). Taint analysis also reports two high-severity flows with unsanitized paths, which could lead to serious vulnerabilities if exploited.

The plugin's history of 5 known CVEs, including 2 high-severity ones, reinforces these concerns. The prevalence of Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities in the past suggests a pattern of insecure input handling. No CVEs are currently unpatched, which is positive, but the recurrence of past vulnerabilities and the code quality issues identified here point to potential risk if developers do not address them. Overall, the plugin has weaknesses in secure coding practice that, together with its vulnerability record, warrant careful consideration.

Key Concerns

  • High-severity taint flows found
  • Low output escaping rate
  • Significant percentage of raw SQL queries
  • History of high-severity CVEs
  • History of medium-severity CVEs
Vulnerabilities
5

Connect Matomo – Analytics Dashboard for WordPress Security Vulnerabilities

CVEs by Year

  • 2015: 1 CVE
  • 2016: 1 CVE
  • 2022: 1 CVE
  • 2023: 2 CVEs

Severity Breakdown

  • High: 2
  • Medium: 3

5 total CVEs

CVE-2023-4774 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP-Matomo Integration (WP-Piwik) <= 1.0.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Sep 21, 2023 · Patched in 1.0.29 (124d)

CVE-2023-33211 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP-Piwik <= 1.0.27 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Display Name

May 22, 2023 · Patched in 1.0.28 (246d)

WF-abb10680-6208-44c8-8cf0-8d2531465a04-wp-piwik · high · 8.8 · Cross-Site Request Forgery (CSRF)

WP-Matomo Integration (WP-Piwik) <= 1.0.26 - Cross-Site Request Forgery

Feb 7, 2022 · Patched in 1.0.27 (715d)

WF-39564fad-a8cb-4a95-a893-d61e8ff91a53-wp-piwik · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP-Matomo Integration (WP-Piwik) < 1.0.11 - Unauthenticated Stored Cross-Site Scripting

Sep 2, 2016 · Patched in 1.0.11 (2974d)

CVE-2015-9405 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP-Matomo Integration (WP-Piwik) < 1.0.5 - Cross-Site Scripting

Oct 13, 2015 · Patched in 1.0.5 (3024d)

Code Analysis
Analyzed Mar 16, 2026

Connect Matomo – Analytics Dashboard for WordPress Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 14; prepared: 4
  • Unescaped Output: 114; escaped: 9
  • Nonce Checks: 4
  • Capability Checks: 7
  • File Operations: 9
  • External Requests: 3
  • Bundled Libraries: 0

SQL Query Safety

22% prepared · 18 total queries

Output Escaping

7% escaped · 123 total outputs

Data Flows: 7 unsanitized

Data Flow Analysis

11 flows · 7 with unsanitized paths
showSupport (classes\WP_Piwik\Admin\Settings.php:746)
Attack Surface

Connect Matomo – Analytics Dashboard for WordPress Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[wp-piwik] classes\WP_Piwik.php:203
WordPress Hooks 28
action litespeed_init classes\WP_Piwik\AIBotTracking.php:78
action wp_footer classes\WP_Piwik\AIBotTracking.php:79
action admin_menu classes\WP_Piwik.php:69
action admin_post_save_wp-piwik_stats classes\WP_Piwik.php:73
action load-post.php classes\WP_Piwik.php:77
action load-post-new.php classes\WP_Piwik.php:81
action network_admin_notices classes\WP_Piwik.php:86
action network_admin_menu classes\WP_Piwik.php:90
action update_site_option_blogname classes\WP_Piwik.php:94
action update_site_option_siteurl classes\WP_Piwik.php:98
action admin_notices classes\WP_Piwik.php:103
action update_option_blogname classes\WP_Piwik.php:107
action update_option_siteurl classes\WP_Piwik.php:111
action wp_dashboard_setup classes\WP_Piwik.php:117
action admin_bar_menu classes\WP_Piwik.php:127
action transition_post_status classes\WP_Piwik.php:151
filter plugin_row_meta classes\WP_Piwik.php:164
filter screen_layout_columns classes\WP_Piwik.php:168
filter the_excerpt_rss classes\WP_Piwik.php:174
filter the_content classes\WP_Piwik.php:178
filter post_link classes\WP_Piwik.php:184
filter wp_redirect classes\WP_Piwik.php:190
action add_meta_boxes classes\WP_Piwik.php:370
action save_post classes\WP_Piwik.php:374
action add_meta_boxes classes\WP_Piwik.php:380
action plugins_loaded wp-piwik.php:71
action admin_notices wp-piwik.php:74
action setup_theme wp-piwik.php:83
Maintenance & Trust

Connect Matomo – Analytics Dashboard for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 10, 2026
PHP min version
Downloads: 2.9M

Community Trust

Rating: 90/100
Number of ratings: 95
Active installs: 60K
Developer Profile

Connect Matomo – Analytics Dashboard for WordPress Developer Profile

matomoteam

2 plugins · 160K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 1037 days
Detection Fingerprints

How We Detect Connect Matomo – Analytics Dashboard for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-piwik/js/wp-piwik.js
  • /wp-content/plugins/wp-piwik/js/chartjs/chart.min.js
Script Paths
  • /wp-content/plugins/wp-piwik/js/wp-piwik.js
  • /wp-content/plugins/wp-piwik/js/chartjs/chart.min.js
Version Parameters
  • wp-piwik.js?ver=
  • chart.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-piwik-form
HTML Comments
  • Copyright (C) 2009-today Andre Braekling (email: webmaster@braekling.de)
  • Thanks for using WP-Matomo!
Data Attributes
wp-piwik[revision]
FAQ

Frequently Asked Questions about Connect Matomo – Analytics Dashboard for WordPress