WP-Safety

WP Statistics – Simple, privacy-friendly Google Analytics alternative Security & Risk Analysis

wordpress.org/plugins/wp-statistics

Get website traffic insights with GDPR/CCPA compliant, privacy-friendly analytics. Includes visitor data, stunning graphs, and no data sharing.

600K active installs v14.16.3 PHP 7.4+ WP 6.6+ Updated Feb 23, 2026
analyticsgoogle-analyticsinsightssite-visitorsstats
81
B · Generally Safe
CVEs total35
Unpatched0
Last CVESep 26, 2025
Plugin page Download
Safety Verdict

Is WP Statistics – Simple, privacy-friendly Google Analytics alternative Safe to Use in 2026?

Mostly Safe

Score 81/100

WP Statistics – Simple, privacy-friendly Google Analytics alternative is generally safe to use. 35 past CVEs were resolved. Keep it updated.

35 known CVEsLast CVE: Sep 26, 2025Updated 1mo ago
Risk Assessment

The wp-statistics plugin v14.16.4 presents a mixed security posture. While it demonstrates good practices with a high percentage of prepared SQL statements and properly escaped output, several areas raise concerns. The presence of an unprotected AJAX handler significantly expands the attack surface, making it a potential entry point for unauthorized actions. The taint analysis, though limited in scope, did reveal a flow with unsanitized paths, indicating a potential for vulnerabilities if not handled carefully.

The plugin's vulnerability history is a significant red flag. With 35 known CVEs, including a substantial number of critical and high-severity issues like SQL injection, XSS, missing authorization, CSRF, and information exposure, there's a clear pattern of past security weaknesses. The fact that the last vulnerability was recently discovered in late 2025 suggests ongoing issues or a recent discovery of older flaws, reinforcing the need for vigilance. While there are currently no unpatched vulnerabilities, the historical trend suggests a higher likelihood of future discoveries.

In conclusion, while wp-statistics has strengths in its code hygiene for SQL and output, the unprotected AJAX endpoint and the extensive history of critical vulnerabilities point to a significant risk. Users should exercise extreme caution and ensure the plugin is updated promptly with any new releases that address security concerns. The plugin's overall security posture is weakened by its historical vulnerability patterns and the identified unprotected entry point.

Key Concerns

  • Unprotected AJAX handler
  • Flow with unsanitized paths
  • Numerous historical CVEs (35 total)
  • High number of critical/high historical CVEs
  • Recent vulnerability discovered
Vulnerabilities
35

WP Statistics – Simple, privacy-friendly Google Analytics alternative Security Vulnerabilities

CVEs by Year

1 CVE in 2012
2012
2 CVEs in 2014
2014
3 CVEs in 2015
2015
4 CVEs in 2017
2017
4 CVEs in 2019
2019
3 CVEs in 2021
2021
12 CVEs in 2022
2022
2 CVEs in 2023
2023
1 CVE in 2024
2024
3 CVEs in 2025
2025
Patched Has unpatched

Severity Breakdown

Critical
5
High
15
Medium
15

35 total CVEs

CVE-2025-9816high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 14.5.4 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header

Sep 26, 2025 Patched in 14.15.5 (1d)
CVE-2025-55716medium · 4.3Missing Authorization

WP Statistics <= 14.15 - Missing Authorization

Aug 14, 2025 Patched in 14.15.2 (5d)
CVE-2025-3953medium · 6.5Missing Authorization

WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin <= 14.13.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Update

Apr 29, 2025 Patched in 14.13.4 (2d)
CVE-2024-2194high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 14.5 - Unauthenticated Stored Cross-Site Scripting

Mar 11, 2024 Patched in 14.5.1 (3d)
CVE-2023-0955high · 7.2Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Statistics <= 13.2.16 - Authenticated (Admin+) SQL Injection

Mar 6, 2023 Patched in 14.0 (323d)
CVE-2022-38074high · 8.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Statistics <= 13.2.10 - Authenticated (Subscriber+) SQL Injection

Jan 31, 2023 Patched in 13.2.11 (357d)
CVE-2022-4230high · 7.2Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Statistics <= 13.2.8 - Authenticated (Admin+) SQL Injection

Dec 27, 2022 Patched in 13.2.9 (392d)
WF-42f54887-ce98-4360-8d07-37b1a48fc3fd-wp-statisticshigh · 8.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Statistics <= 13.2.5 - Authenticated (Subscriber+) SQL Injection

Sep 8, 2022 Patched in 13.2.6 (502d)
WF-7a0c6425-866d-4b50-b464-87a8173c4abd-wp-statisticsmedium · 4.3Exposure of Sensitive Information to an Unauthorized Actor

WP Statistics <= 13.2.5 - Information Disclosure

Sep 7, 2022 Patched in 13.2.6 (503d)
CVE-2022-27231medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 13.1.7 - Cross-Site Scripting

May 24, 2022 Patched in 13.2.0 (609d)
CVE-2022-1005medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 13.2.1 - Reflected Cross-Site Scripting

May 11, 2022 Patched in 13.2.2 (622d)
CVE-2022-25307high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting via platform

Feb 17, 2022 Patched in 13.1.6 (705d)
CVE-2022-0651critical · 9.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Statistics <= 13.1.5 - Unauthenticated Blind SQL Injection via current_page_type

Feb 16, 2022 Patched in 13.1.6 (706d)
CVE-2022-25148critical · 9.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Statistics <= 13.1.5 - Unauthenticated SQL Injection

Feb 16, 2022 Patched in 13.1.6 (706d)
CVE-2022-25305high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting via IP

Feb 16, 2022 Patched in 13.1.6 (706d)
CVE-2022-25149critical · 9.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Statistics <= 13.1.5 - Unauthenticated Blind SQL Injection via IP

Feb 16, 2022 Patched in 13.1.6 (706d)
CVE-2022-25306high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting via browser

Feb 16, 2022 Patched in 13.1.6 (706d)
CVE-2022-0513critical · 9.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Statistics <= 13.1.4 - Unauthenticated Blind SQL Injection

Feb 10, 2022 Patched in 13.1.5 (712d)
CVE-2021-4333medium · 6.5Cross-Site Request Forgery (CSRF)

WP Statistics <= 13.1.1 - Cross-Site Request Forgery to Arbitrary Plugin Activation and Deactivation

Sep 11, 2021 Patched in 13.1.2 (864d)
WF-ba88a1f5-9ebf-4899-81b3-e65587ae2fe2-wp-statisticsmedium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 13.0.9 - Reflected Cross-Site Scripting

Aug 30, 2021 Patched in 13.1 (876d)
CVE-2021-24340high · 7.5Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Statistics <= 13.0.7 - Unauthenticated SQL Injection

May 19, 2021 Patched in 13.0.8 (979d)
WF-69f861bf-933f-4413-a5c0-fd39ee78e594-wp-statisticshigh · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 12.6.6.1 - Unauthenticated Stored Cross-Site Scripting via IP Manipulation

Jul 1, 2019 Patched in 12.6.7 (1942d)
CVE-2019-13275critical · 9.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Statistics <= 12.6.6.1 - Unauthenticated Blind SQL Injection

Jul 1, 2019 Patched in 12.6.7 (1667d)
CVE-2019-12566medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 12.6.5 - Stored Cross-Site Scripting

May 31, 2019 Patched in 12.6.6.1 (1698d)
CVE-2019-10864medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 12.6.3 - Referer Cross-Site Scripting

Apr 9, 2019 Patched in 12.6.4 (1750d)
CVE-2017-10991medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 12.0.9 - Authenticated Cross-Site Scripting

Jul 7, 2017 Patched in 12.0.10 (2391d)
WF-63f588c6-6bad-44d2-a9d9-832d3a7d33ea-wp-statisticsmedium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 12.0.8.1 - Reflected Cross-Site Scripting

Jul 3, 2017 Patched in 12.0.9 (2395d)
CVE-2017-18515high · 8.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Statistics <= 12.0.7 - Authenticated SQL Injection

Jun 30, 2017 Patched in 12.0.8 (2398d)
CVE-2017-2136medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 12.0.4 - Stored Cross-Site Scripting

Apr 13, 2017 Patched in 12.0.5 (2476d)
WF-70db1a8e-ebff-4505-9e43-1ce48e94f3c5-wp-statisticsmedium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 9.5.1 - Cross-Site Scripting

Aug 10, 2015 Patched in 9.5.2 (3088d)
WF-364804a5-8699-46be-b25e-890a10134a25-wp-statisticshigh · 8.7Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Statistics < 9.4.1 - Authenticated Blind SQL Injection

Jul 9, 2015 Patched in 9.4.1 (3120d)
WF-f7cb3540-ffdb-4b4c-a518-4ca8232ab53f-wp-statisticsmedium · 5.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics < 9.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 15, 2015 Patched in 9.1.3 (3205d)
WF-0b8af407-b49d-4d3f-a7a5-c3ad3d56fcba-wp-statisticshigh · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 8.4 - Stored Cross-Site Scripting

Dec 3, 2014 Patched in 8.5 (3338d)
WF-1d14779f-3ee5-4a55-b49d-e9162db2f4a2-wp-statisticshigh · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics < 8.3.1 - Multiple Cross-Site Scripting

Nov 20, 2014 Patched in 8.3.1 (3351d)
WF-f3a4aeb2-3929-4f6b-ac6e-bccc1c3bf0dd-wp-statisticsmedium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Statistics <= 2.2.4 - Cross-Site Scripting

May 15, 2012 Patched in 2.2.5 (4270d)
Code Analysis
Analyzed Mar 16, 2026

WP Statistics – Simple, privacy-friendly Google Analytics alternative Code Analysis

Dangerous Functions
0
Raw SQL Queries
70
151 prepared
Unescaped Output
410
2502 escaped
Nonce Checks
24
Capability Checks
13
File Operations
24
External Requests
5
Bundled Libraries
2

Bundled Libraries

Select2TinyMCE

SQL Query Safety

68% prepared221 total queries

Output Escaping

86% escaped2912 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

6 flows1 with unsanitized paths
handleRedirect (src\Service\Database\Migrations\Queue\QueueManager.php:197)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

WP Statistics – Simple, privacy-friendly Google Analytics alternative Attack Surface

Entry Points2
Unprotected1

AJAX Handlers 1

authwp_ajax_wp_statistics_update_post_type_dbincludes\class-wp-statistics-install.php:327

Shortcodes 1

[wpstatistics] includes\class-wp-statistics-shortcode.php:20
WordPress Hooks 137
actioninitincludes\admin\class-wp-statistics-admin-ajax.php:21
actionadmin_enqueue_scriptsincludes\admin\class-wp-statistics-admin-assets.php:55
actionadmin_enqueue_scriptsincludes\admin\class-wp-statistics-admin-assets.php:56
filterwp_statistics_enqueue_chartjsincludes\admin\class-wp-statistics-admin-assets.php:57
actionadmin_body_classincludes\admin\class-wp-statistics-admin-dashboard.php:13
actionadmin_initincludes\admin\class-wp-statistics-admin-export.php:15
actionnetwork_admin_menuincludes\admin\class-wp-statistics-admin-network.php:12
actionadmin_initincludes\admin\class-wp-statistics-admin-privacy.php:15
filterwp_privacy_personal_data_exportersincludes\admin\class-wp-statistics-admin-privacy.php:17
filterwp_privacy_personal_data_erasersincludes\admin\class-wp-statistics-admin-privacy.php:18
filtermanage_users_columnsincludes\admin\class-wp-statistics-admin-user.php:18
filtermanage_users_custom_columnincludes\admin\class-wp-statistics-admin-user.php:19
filtermanage_users_sortable_columnsincludes\admin\class-wp-statistics-admin-user.php:20
actionpre_user_queryincludes\admin\class-wp-statistics-admin-user.php:21
actiondelete_userincludes\admin\class-wp-statistics-admin-user.php:25
actionadmin_initincludes\admin\pages\class-wp-statistics-admin-page-settings.php:20
actionadmin_headincludes\admin\TinyMCE\class-wp-statistics-tinymce.php:18
actionadmin_footer-widgets.phpincludes\admin\TinyMCE\class-wp-statistics-tinymce.php:21
filtermce_external_pluginsincludes\admin\TinyMCE\class-wp-statistics-tinymce.php:95
filtermce_buttonsincludes\admin\TinyMCE\class-wp-statistics-tinymce.php:96
filtermce_external_languagesincludes\admin\TinyMCE\class-wp-statistics-tinymce.php:97
actionrest_api_initincludes\api\v2\class-wp-statistics-api-hit.php:31
actionrest_api_initincludes\api\v2\class-wp-statistics-api-meta-box.php:20
actionadmin_bar_menuincludes\class-wp-statistics-admin-bar.php:18
filterwidget_textincludes\class-wp-statistics-frontend.php:14
actionwp_enqueue_scriptsincludes\class-wp-statistics-frontend.php:17
actionwp_headincludes\class-wp-statistics-frontend.php:20
filterthe_contentincludes\class-wp-statistics-frontend.php:24
filterwp_statistics_current_pageincludes\class-wp-statistics-hits.php:44
filterwp_statistics_page_uriincludes\class-wp-statistics-hits.php:45
filterwp_statistics_user_idincludes\class-wp-statistics-hits.php:46
actioninitincludes\class-wp-statistics-hits.php:51
actionwpincludes\class-wp-statistics-hits.php:55
actionadmin_noticesincludes\class-wp-statistics-install.php:220
actionadmin_footerincludes\class-wp-statistics-install.php:233
filterwp_mail_content_typeincludes\class-wp-statistics-mail.php:420
actionadmin_menuincludes\class-wp-statistics-menus.php:222
filterqueryincludes\class-wp-statistics-pages.php:295
actionwp_statistics_truncate_tableincludes\class-wp-statistics-referred.php:20
filtercron_schedulesincludes\class-wp-statistics-schedule.php:28
actioninitincludes\class-wp-statistics-schedule.php:30
actionwp_statistics_dbmaint_hookincludes\class-wp-statistics-schedule.php:52
actionwp_statistics_geoip_hookincludes\class-wp-statistics-schedule.php:103
actionwp_statistics_report_hookincludes\class-wp-statistics-schedule.php:106
actionwp_statistics_licenses_hookincludes\class-wp-statistics-schedule.php:107
actionadmin_initincludes\class-wp-statistics-shortcode.php:17
filterqueryincludes\class-wp-statistics-visitor.php:53
actionwidgets_initincludes\class-wp-statistics-widget.php:377
actionplugins_loadedincludes\class-wp-statistics.php:75
actioninitincludes\class-wp-statistics.php:103
actioninitincludes\class-wp-statistics.php:115
filterscreen_options_show_screensrc\Abstracts\BasePage.php:29
actionrest_api_initsrc\Abstracts\BaseRestAPI.php:48
filterwp_statistics_current_pagesrc\CLI\CliCommands.php:213
filterwp_statistics_user_idsrc\CLI\CliCommands.php:240
actionwpmu_new_blogsrc\Core\Operations\Loader.php:39
filterwpmu_drop_tablessrc\Core\Operations\Loader.php:40
filterplugin_row_metasrc\Core\Operations\Loader.php:41
actioninitsrc\Core\Operations\Updater.php:36
actioninitsrc\Globals\AjaxManager.php:10
filteradmin_footer_textsrc\Service\Admin\AdminManager.php:19
filterupdate_footersrc\Service\Admin\AdminManager.php:20
actionadmin_noticessrc\Service\Admin\AdminManager.php:25
actionadmin_initsrc\Service\Admin\AdminManager.php:26
actionadmin_initsrc\Service\Admin\AdminManager.php:27
filtercron_schedulessrc\Service\Admin\AnonymizedUsageData\AnonymizedUsageDataManager.php:19
filterwp_statistics_admin_menu_listsrc\Service\Admin\AuthorAnalytics\AuthorAnalyticsManager.php:11
filterwp_statistics_admin_menu_listsrc\Service\Admin\CategoryAnalytics\CategoryAnalyticsManager.php:12
filterwp_statistics_admin_menu_listsrc\Service\Admin\ContentAnalytics\ContentAnalyticsManager.php:12
filterwp_statistics_admin_menu_listsrc\Service\Admin\Devices\DevicesManager.php:11
filterwp_statistics_admin_menu_listsrc\Service\Admin\Exclusions\ExclusionsManager.php:11
actioninitsrc\Service\Admin\ExportImport\ExportImportManager.php:11
actionrest_api_initsrc\Service\Admin\ExportImport\ExportImportManager.php:12
filterwp_statistics_visitors_report_export_datasrc\Service\Admin\ExportImport\Reports\ReportsExportHandler.php:17
filterwp_statistics_pages_report_export_datasrc\Service\Admin\ExportImport\Reports\ReportsExportHandler.php:18
filterwp_statistics_referrals_report_export_datasrc\Service\Admin\ExportImport\Reports\ReportsExportHandler.php:19
filterwp_statistics_category-analytics_report_export_datasrc\Service\Admin\ExportImport\Reports\ReportsExportHandler.php:20
filterwp_statistics_author-analytics_report_export_datasrc\Service\Admin\ExportImport\Reports\ReportsExportHandler.php:21
filterwp_statistics_geographic_report_export_datasrc\Service\Admin\ExportImport\Reports\ReportsExportHandler.php:22
filterwp_statistics_devices_report_export_datasrc\Service\Admin\ExportImport\Reports\ReportsExportHandler.php:23
filterwp_statistics_exclusions_report_export_datasrc\Service\Admin\ExportImport\Reports\ReportsExportHandler.php:24
filterwp_statistics_ajax_listsrc\Service\Admin\FilterHandler\FilterManager.php:31
filterwp_statistics_admin_menu_listsrc\Service\Admin\Geographic\GeographicManager.php:12
filterwp_statistics_admin_menu_listsrc\Service\Admin\HelpCenter\HelpCenterManager.php:12
actioninitsrc\Service\Admin\LicenseManagement\LicenseManagementManager.php:42
actionadmin_initsrc\Service\Admin\LicenseManagement\LicenseManagementManager.php:43
filterwp_statistics_enable_upgrade_to_bundlesrc\Service\Admin\LicenseManagement\LicenseManagementManager.php:44
filterwp_statistics_admin_menu_listsrc\Service\Admin\LicenseManagement\LicenseManagementManager.php:45
filterwp_statistics_ajax_listsrc\Service\Admin\LicenseManagement\LicenseManagementManager.php:67
filterplugins_apisrc\Service\Admin\LicenseManagement\Plugin\PluginUpdater.php:49
filterpre_set_site_transient_update_pluginssrc\Service\Admin\LicenseManagement\Plugin\PluginUpdater.php:50
actionupgrader_process_completesrc\Service\Admin\LicenseManagement\Plugin\PluginUpdater.php:51
actionadmin_initsrc\Service\Admin\Metabox\MetaboxManager.php:12
actionadmin_initsrc\Service\Admin\Metabox\MetaboxManager.php:13
actionadmin_initsrc\Service\Admin\Notification\NotificationManager.php:19
filterwp_statistics_admin_menu_listsrc\Service\Admin\Optimization\OptimizationManager.php:11
actionadmin_initsrc\Service\Admin\Optimization\OptimizationManager.php:12
filterwp_statistics_admin_menu_listsrc\Service\Admin\Overview\OverviewManager.php:10
filterwp_statistics_admin_menu_listsrc\Service\Admin\PageInsights\PageInsightsManager.php:10
actionsave_postsrc\Service\Admin\Posts\PostsManager.php:27
actiondelete_postsrc\Service\Admin\Posts\PostsManager.php:28
actionadmin_initsrc\Service\Admin\Posts\PostsManager.php:33
actiondeleted_postsrc\Service\Admin\Posts\PostsManager.php:37
actiondelete_termsrc\Service\Admin\Posts\PostsManager.php:40
filterposts_clausessrc\Service\Admin\Posts\PostsManager.php:94
filterterms_clausessrc\Service\Admin\Posts\PostsManager.php:111
filterwp_statistics_admin_menu_listsrc\Service\Admin\PrivacyAudit\PrivacyAuditManager.php:16
filterwp_statistics_ajax_listsrc\Service\Admin\PrivacyAudit\PrivacyAuditManager.php:17
filtersite_status_testssrc\Service\Admin\PrivacyAudit\PrivacyAuditManager.php:18
actionadmin_initsrc\Service\Admin\PrivacyAudit\PrivacyAuditManager.php:19
filterwp_statistics_admin_menu_listsrc\Service\Admin\Referrals\ReferralsManager.php:18
filterwp_statistics_visitor_data_before_updatesrc\Service\Admin\Referrals\ReferralsManager.php:19
filterdebug_informationsrc\Service\Admin\SiteHealthInfo.php:25
filterwp_statistics_admin_menu_listsrc\Service\Admin\TrackerDebugger\TrackerDebuggerManager.php:12
filterwp_statistics_admin_menu_listsrc\Service\Admin\VisitorInsights\VisitorInsightsManager.php:16
filterwp_statistics_ajax_listsrc\Service\Analytics\AnalyticsManager.php:12
actionadmin_initsrc\Service\CustomEvent\CustomEventManager.php:9
actionadmin_initsrc\Service\Database\Migrations\BackgroundProcess\BackgroundProcessManager.php:134
actionadmin_enqueue_scriptssrc\Service\Database\Migrations\BackgroundProcess\BackgroundProcessManager.php:135
filterwp_statistics_ajax_listsrc\Service\Database\Migrations\BackgroundProcess\BackgroundProcessManager.php:136
actionadmin_initsrc\Service\Database\Migrations\BackgroundProcess\Jobs\CalculatePostWordsCount.php:43
actionadmin_initsrc\Service\Database\Migrations\BackgroundProcess\Jobs\IncompleteGeoIpUpdater.php:38
actionadmin_initsrc\Service\Database\Migrations\BackgroundProcess\Jobs\SourceChannelUpdater.php:37
actionadmin_initsrc\Service\Database\Migrations\BackgroundProcess\Jobs\SummaryTotalsDataMigration.php:42
actionadmin_initsrc\Service\Database\Migrations\BackgroundProcess\Jobs\VisitorColumnsMigrator.php:41
actioncurrent_screensrc\Service\Database\Migrations\Queue\QueueManager.php:49
actioncurrent_screensrc\Service\Database\Migrations\Queue\QueueManager.php:50
actionadmin_initsrc\Service\HooksManager.php:14
filterkses_allowed_protocolssrc\Service\HooksManager.php:15
filterplugins_loadedsrc\Service\HooksManager.php:17
actioninitsrc\Service\Integrations\IntegrationsManager.php:14
actionupdate_option_active_pluginssrc\Service\Integrations\IntegrationsManager.php:15
actionwp_statistics_save_settingssrc\Service\Integrations\Plugins\RealCookieBanner.php:24
actionRCB/Templates/TechnicalHandlingIntegrationsrc\Service\Integrations\Plugins\RealCookieBanner.php:25
actioninitsrc\Service\Summary\SummaryManager.php:8
actionupdate_option_timezone_stringsrc\Service\Summary\SummaryManager.php:9
actionupdate_option_gmt_offsetsrc\Service\Summary\SummaryManager.php:10

Scheduled Events 5

wp_statistics_dbmaint_hook
wp_statistics_referrals_db_hook
wp_statistics_report_hook
wp_statistics_licenses_hook
wp_statistics_geoip_hook
Maintenance & Trust

WP Statistics – Simple, privacy-friendly Google Analytics alternative Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 23, 2026
PHP min version7.4
Downloads34.8M

Community Trust

Rating82/100
Number of ratings750
Active installs600K
Alternatives

WP Statistics – Simple, privacy-friendly Google Analytics alternative Alternatives

WP Visitor Statistics (Real Time Traffic)

WP Visitor Statistics (Real Time Traffic)

wp-stats-manager

D
42

This plugin will help you to track your visitors & visits, browsers, operating systems, GEO locations and much more, easy to install and working fine.

20K 1 unpatched
Weblix – Online Users

Weblix – Online Users

weblix

A
92

Display online users and page views in the last 30 minutes, just like Google Analytics, but without slowing down your website.

80 No CVEs
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)

ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)

google-analytics-dashboard-for-wp

A
90

Connects Google Analytics with your WordPress site. Displays stats to help you understand your users and site content on a whole new level!

300K 5 CVEs
Koko Analytics – Privacy Friendly Statistics for WordPress

Koko Analytics – Privacy Friendly Statistics for WordPress

koko-analytics

A
96

Koko Analytics is a privacy-friendly statistics plugin for WordPress that is an easy to use alternative to Google Analytics.

60K 2 CVEs
Fathom Analytics for WP

Fathom Analytics for WP

fathom-analytics

A
99

Fathom is a simple, GDPR compliant Google Analytics alternative.

10K 2 CVEs
Developer Profile

WP Statistics – Simple, privacy-friendly Google Analytics alternative Developer Profile

VeronaLabs

4 plugins · 689K total installs

71
trust score
Avg Security Score
89/100
Avg Patch Time
961 days
View full developer profile
Detection Fingerprints

How We Detect WP Statistics – Simple, privacy-friendly Google Analytics alternative

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-statistics/assets/css/admin.min.css/wp-content/plugins/wp-statistics/assets/css/rtl.min.css/wp-content/plugins/wp-statistics/assets/css/jqvmap/jqvmap.min.css/wp-content/plugins/wp-statistics/assets/css/select2/select2.min.css/wp-content/plugins/wp-statistics/assets/css/datepicker/daterangepicker.css/wp-content/plugins/wp-statistics/assets/css/datepicker/customize.css/wp-content/plugins/wp-statistics/assets/js/option-updater.js/wp-content/plugins/wp-statistics/assets/js/chartjs/chart.umd.min.js+27 more
Script Paths
/wp-content/plugins/wp-statistics/assets/js/option-updater.js/wp-content/plugins/wp-statistics/assets/js/chartjs/chart.umd.min.js/wp-content/plugins/wp-statistics/assets/js/mini-chart.js/wp-content/plugins/wp-statistics/assets/js/chartjs/chart-matrix.min.js/wp-content/plugins/wp-statistics/assets/js/jqvmap/jquery.vmap.min.js/wp-content/plugins/wp-statistics/assets/js/visitors.min.js+10 more
Version Parameters
wp-statistics/style.css?ver=wp-statistics-admin?ver=wp-statistics-admin-rtl?ver=wp-statistics-admin-jqvmap?ver=wp-statistics-admin-select2?ver=wp-statistics-admin-daterangepicker?ver=wp-statistics-admin-customize?ver=

HTML / DOM Fingerprints

CSS Classes
wp_statistics_dashboardwp-statisticswp_statistics_stats_table
HTML Comments
<!-- WP Statistics --><!-- WP Statistics Dashboard --><!-- Wp Statistics --><!-- WP Statistics Plugin -->
Data Attributes
data-wp-statisticsdata-chartjs
JS Globals
WP_StatisticsWPSettingsWP_Statistics_ChartjsWP_Statistics_DashboardWP_Statistics_DateRangePickerWP_Statistics_Visitors+9 more
REST Endpoints
/wp-json/wp-statistics/v1/settings/wp-json/wp-statistics/v1/visitors/wp-json/wp-statistics/v1/pages/wp-json/wp-statistics/v1/referrers/wp-json/wp-statistics/v1/search/wp-json/wp-statistics/v1/useragents/wp-json/wp-statistics/v1/countries/wp-json/wp-statistics/v1/browsers/wp-json/wp-statistics/v1/platforms/wp-json/wp-statistics/v1/update_settings/wp-json/wp-statistics/v1/update_visitor/wp-json/wp-statistics/v1/delete_visitor/wp-json/wp-statistics/v1/save_page/wp-json/wp-statistics/v1/delete_page/wp-json/wp-statistics/v1/save_referrer/wp-json/wp-statistics/v1/delete_referrer/wp-json/wp-statistics/v1/save_search/wp-json/wp-statistics/v1/delete_search/wp-json/wp-statistics/v1/save_useragent/wp-json/wp-statistics/v1/delete_useragent/wp-json/wp-statistics/v1/save_country/wp-json/wp-statistics/v1/delete_country/wp-json/wp-statistics/v1/save_browser/wp-json/wp-statistics/v1/delete_browser/wp-json/wp-statistics/v1/save_platform/wp-json/wp-statistics/v1/delete_platform
Shortcode Output
[wp_statistics][wp_statistics_chart][wp_statistics_top_pages][wp_statistics_top_referrers]
FAQ

Frequently Asked Questions about WP Statistics – Simple, privacy-friendly Google Analytics alternative