WP Visitor Statistics (Real Time Traffic) Security & Risk Analysis

wordpress.org/plugins/wp-stats-manager

This plugin will help you to track your visitors & visits, browsers, operating systems, GEO locations and much more, easy to install and working fine.

20K active installs · v8.4 · PHP + · WP 5.0+ · Updated Dec 6, 2025

Tags: analytics, google-analytics, insights, stats, visitors

Score: 42 · Grade D · High Risk
CVEs total: 13
Unpatched: 1
Last CVE: Dec 15, 2025
Safety Verdict

Is WP Visitor Statistics (Real Time Traffic) Safe to Use in 2026?

High Risk

Score 42/100

WP Visitor Statistics (Real Time Traffic) carries significant security risk with 13 known CVEs, 1 still unpatched. Consider switching to a maintained alternative.

13 known CVEs · 1 unpatched · Last CVE: Dec 15, 2025 · Updated 3mo ago
Risk Assessment

The wp-stats-manager v8.4 plugin presents a significant security risk due to a large number of unprotected AJAX handlers and a history of numerous vulnerabilities. The static analysis reveals 11 AJAX handlers, all of which lack authentication checks, creating a broad attack surface accessible to any unauthenticated user. Furthermore, the taint analysis indicates 5 high-severity flows with unsanitized paths, suggesting potential for malicious input to be processed in unintended ways, which aligns with the plugin's history of Cross-Site Scripting and SQL Injection vulnerabilities. The presence of the `unserialize` function also poses a risk if user-supplied data is ever passed to it without proper sanitization.

While the plugin demonstrates some good security practices, such as a high percentage of SQL queries using prepared statements and a considerable number of capability checks, these are overshadowed by the critical weaknesses. The vulnerability history is concerning, with 13 known CVEs, including 2 critical and 2 high-severity ones, and importantly, one currently unpatched vulnerability. This pattern of repeated vulnerabilities, particularly those related to authorization, XSS, information exposure, and SQL Injection, suggests recurring security flaws in the development or maintenance of this plugin. The last vulnerability being so recent further emphasizes the ongoing security challenges.

In conclusion, wp-stats-manager v8.4 exhibits a poor overall security posture. The unprotected AJAX endpoints and high-severity unsanitized taint flows represent immediate threats, exacerbated by a concerning track record of exploitable vulnerabilities, including an unpatched critical flaw. While some positive security measures are in place, they are insufficient to mitigate the substantial risks identified.

Key Concerns

  • Unprotected AJAX handlers
  • High severity unsanitized taint flows
  • Unpatched CVE
  • Critical severity CVEs
  • Dangerous function (unserialize)
  • Common vulnerability types: Missing Authorization
  • Common vulnerability types: SQL Injection
  • Common vulnerability types: Cross-site Scripting
Vulnerabilities (13)

WP Visitor Statistics (Real Time Traffic) Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2022: 3 CVEs
  • 2023: 2 CVEs
  • 2024: 1 CVE
  • 2025: 6 CVEs (1 unpatched)

Severity Breakdown

  • Critical: 2
  • High: 2
  • Medium: 9

13 total CVEs

CVE-2025-67983 · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visitor Statistics (Real Time Traffic) <= 8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 15, 2025 · Patched in 8.4 (5d)

CVE-2025-49400 · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Visitor Statistics (Real Time Traffic) <= 8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Aug 20, 2025 · Patched in 8.3 (7d)

CVE-2025-53566 · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Visitor Statistics (Real Time Traffic) <= 7.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 3, 2025 · Patched in 7.9 (6d)

CVE-2025-49996 · Medium (5.3) · Missing Authorization

WP Visitor Statistics (Real Time Traffic) <= 7.8 - Missing Authorization

Jun 19, 2025 · Unpatched

CVE-2025-24675 · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Visitor Statistics (Real Time Traffic) <= 7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 24, 2025 · Patched in 7.3 (5d)

CVE-2025-22304 · Medium (4.3) · Missing Authorization

WP Visitor Statistics (Real Time Traffic) <= 7.5 - Missing Authorization

Jan 6, 2025 · Patched in 7.6 (29d)

CVE-2024-24867 · Medium (5.3) · Exposure of Sensitive Information to an Unauthorized Actor

WP Visitor Statistics (Real Time Traffic) <= 6.9.4 - Sensitive Information Exposure via Log File

Feb 2, 2024 · Patched in 6.9.5 (4d)

CVE-2023-0600 · Critical (9.8) · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Visitor Statistics (Real Time Traffic) <= 6.8.1 - Unauthenticated SQL Injection

Apr 24, 2023 · Patched in 6.9 (274d)

CVE-2022-4656 · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Visitor Statistics (Real Time Traffic) <= 6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 17, 2023 · Patched in 6.5 (371d)

CVE-2022-33965 · Critical (9.8) · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Visitor Statistics (Real Time Traffic) <= 5.7 - Unauthenticated SQL Injection

Jul 6, 2022 · Patched in 5.8 (566d)

CVE-2022-0410 · High (8.8) · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Visitor Statistics (Real Time Traffic) <= 5.5 - SQL Injection

Feb 14, 2022 · Patched in 5.6 (708d)

CVE-2021-25042 · Medium (5.4) · Missing Authorization

WP Visitor Statistics (Real Time Traffic) <= 5.4 - Missing Authorization to Stored Cross-Site Scripting

Jan 31, 2022 · Patched in 5.5 (722d)

CVE-2021-24750 · High (8.8) · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Visitor Statistics (Real Time Traffic) <= 4.7 - SQL Injection

Dec 22, 2021 · Patched in 4.8 (762d)
Code Analysis
Analyzed Mar 16, 2026

WP Visitor Statistics (Real Time Traffic) Code Analysis

  • Dangerous Functions: 3
  • Raw SQL Queries: 2 (202 prepared)
  • Unescaped Output: 97 (425 escaped)
  • Nonce Checks: 5
  • Capability Checks: 101
  • File Operations: 3
  • External Requests: 1
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `$arrResult = unserialize($result['content']);` · includes\wsm_db.php:1454
  • unserialize · `$arrResult = unserialize($result['content']);` · includes\wsm_db.php:1631
  • unserialize · `$arrResult = unserialize($result['content']);` · includes\wsm_db.php:1743

SQL Query Safety

99% prepared (204 total queries)

Output Escaping

81% escaped (522 total outputs)

Data Flows (7 unsanitized)

Data Flow Analysis

13 flows, 7 with unsanitized paths

  • wsm_getTimezoneByCountry (includes\wsm_init.php:1073)

Attack Surface (11 unprotected)

WP Visitor Statistics (Real Time Traffic) Attack Surface

Entry Points: 11
Unprotected: 11

AJAX Handlers (11)

  • auth · wp_ajax_liveStats · includes\wsm_init.php:30
  • auth · wp_ajax_uoSummary · includes\wsm_init.php:31
  • auth · wp_ajax_timezoneByCountry · includes\wsm_init.php:32
  • auth · wp_ajax_refDetails · includes\wsm_init.php:33
  • auth · wp_ajax_refUrlDetails · includes\wsm_init.php:34
  • auth · wp_ajax_getReferralOSDetails · includes\wsm_init.php:35
  • auth · wp_ajax_getDateWiseLocationDetail · includes\wsm_init.php:36
  • auth · wp_ajax_getContentUrlDayView · includes\wsm_init.php:37
  • auth · wp_ajax_save_ipadress · includes\wsm_init.php:38
  • auth · wp_ajax_deleteIpAddress · includes\wsm_init.php:39
  • auth · wp_ajax_updateIpAddress · includes\wsm_init.php:40

WordPress Hooks (57)
  • action · customize_controls_print_styles · includes\wsm_functions.php:18
  • action · wpmu_new_blog · includes\wsm_init.php:21
  • action · init · includes\wsm_init.php:22
  • action · wp_head · includes\wsm_init.php:23
  • action · admin_init · includes\wsm_init.php:24
  • action · admin_menu · includes\wsm_init.php:25
  • action · admin_head · includes\wsm_init.php:26
  • action · wp_footer · includes\wsm_init.php:28
  • action · admin_print_footer_scripts · includes\wsm_init.php:29
  • filter · clean_url · includes\wsm_init.php:41
  • action · wp_enqueue_scripts · includes\wsm_init.php:42
  • action · admin_footer · includes\wsm_init.php:43
  • filter · script_loader_tag · includes\wsm_init.php:44
  • action · admin_bar_menu · includes\wsm_init.php:47
  • action · wp_enqueue_scripts · includes\wsm_init.php:48
  • action · admin_enqueue_scripts · includes\wsm_init.php:49
  • filter · do_shortcode_tag · includes\wsm_init.php:566
  • action · admin_enqueue_scripts · includes\wsm_init.php:1291
  • action · admin_enqueue_scripts · includes\wsm_init.php:1294
  • action · admin_notices · includes\wsm_init.php:1312
  • action · admin_notices · includes\wsm_init.php:1362
  • action · wp_footer · includes\wsm_statistics.php (32 registrations at lines 58, 104, 138, 174, 232, 313, 324, 561, 762, 825, 889, 924, 964, 1013, 1081, 1229, 1259, 1586, 1844, 2234, 2540, 2971, 3090, 3431, 3819, 3910, 3956, 4090, 4321, 4502, 4815, 5083)
  • action · admin_init · notifications.php:41
  • action · admin_notices · notifications.php:42
  • action · admin_notices · notifications.php:189
  • action · plugins_loaded · wp-stats-manager.php:154
Maintenance & Trust

WP Visitor Statistics (Real Time Traffic) Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Dec 6, 2025
  • PHP min version: (not listed)
  • Downloads: 891K

Community Trust

  • Rating: 90/100
  • Number of ratings: 154
  • Active installs: 20K
Developer Profile

WP Visitor Statistics (Real Time Traffic) Developer Profile

osama.esh

2 plugins · 22K total installs

  • Trust score: 56
  • Avg Security Score: 67/100
  • Avg Patch Time: 313 days
Detection Fingerprints

How We Detect WP Visitor Statistics (Real Time Traffic)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-stats-manager/includes/wsm-admin-js.js
  • /wp-content/plugins/wp-stats-manager/includes/wsm-admin-css.css
  • /wp-content/plugins/wp-stats-manager/includes/wsm-tracking.js

Script Paths
  • /wp-content/plugins/wp-stats-manager/includes/wsm-admin-js.js
  • /wp-content/plugins/wp-stats-manager/includes/wsm-tracking.js

Version Parameters
  • wp-stats-manager/includes/wsm-admin-js.js?ver=
  • wp-stats-manager/includes/wsm-admin-css.css?ver=
  • wp-stats-manager/includes/wsm-tracking.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wsm-admin-page
  • wsm-visitors-list
  • wsm-visitor-details
  • wsm-dashboard-widget
  • wsm-settings-form

HTML Comments
  • <!-- WSM-START-TRACKING-SCRIPT -->
  • <!-- WSM-END-TRACKING-SCRIPT -->

Data Attributes
  • data-wsm-tracking-id
  • data-wsm-site-id

JS Globals
  • wsm_ajax_object
  • wsm_tracking_data

REST Endpoints
  • /wp-json/wp-stats-manager/v1/stats
  • /wp-json/wp-stats-manager/v1/settings

Shortcode Output
  • [wsm_visitor_count]
  • [wsm_online_users]
FAQ

Frequently Asked Questions about WP Visitor Statistics (Real Time Traffic)