Yandex.Metrica Security & Risk Analysis

wordpress.org/plugins/wp-yandex-metrika

The free official Yandex.Metrica plugin for WordPress.

60K active installs v1.2.2 PHP 5.6.20+ WP 5.2.9+ Updated Sep 25, 2025
Score 78 · B · Generally Safe
CVEs total: 1
Unpatched: 1
Last CVE: Dec 7, 2025
Safety Verdict

Is Yandex.Metrica Safe to Use in 2026?

Mostly Safe

Score 78/100

Yandex.Metrica is generally safe to use. 1 past CVE was resolved. Keep it updated.

1 known CVE · 1 unpatched · Last CVE: Dec 7, 2025 · Updated 6mo ago
Risk Assessment

The wp-yandex-metrika plugin, version 1.2.2, exhibits a concerning security posture primarily due to its unprotected attack surface. All five identified AJAX handlers lack authorization checks, presenting a significant risk for unauthorized actions. While the static analysis shows no dangerous functions or raw SQL queries, and external HTTP requests are absent, the lack of basic security controls on entry points is a major weakness. The plugin's vulnerability history, including a known unpatched medium-severity vulnerability (dated in the future, likely a placeholder), indicates a recurring pattern of security oversights, specifically missing authorization. This suggests a need for more robust security practices during development and testing to prevent potential exploits targeting these unprotected AJAX endpoints. Despite the absence of critical taint flows and the proper use of prepared statements, the unprotected entry points and historical vulnerabilities create a notable risk.

Key Concerns

  • AJAX handlers without auth checks
  • Unprotected entry points (all AJAX)
  • No nonce checks on AJAX handlers
  • One unpatched medium severity CVE
  • Missing capability checks
Vulnerabilities (1)

Yandex.Metrica Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-63063 · medium · 5.3 · Missing Authorization

Yandex.Metrica <= 1.2.2 - Missing Authorization

Dec 7, 2025 · Unpatched
Code Analysis (analyzed Mar 16, 2026)

Yandex.Metrica Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 24 (59 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 2
External Requests: 0
Bundled Libraries: 0

Output Escaping

71% escaped · 83 total outputs
Data Flows: all sanitized

Data Flow Analysis

1 flow · <class.ya-metrika> (includes\class.ya-metrika.php:0)
Columns: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized / Sanitized
Attack Surface (5 unprotected)

Yandex.Metrica Attack Surface

Entry Points: 5
Unprotected: 5

AJAX Handlers (5)

Type · Hook · Location
auth · wp_ajax_yam_get_cart_items · includes\class.ya-metrika-woocommerce.php:22
nopriv · wp_ajax_yam_get_cart_items · includes\class.ya-metrika-woocommerce.php:23
auth · wp_ajax_yam_get_purchase · includes\class.ya-metrika-woocommerce.php:24
nopriv · wp_ajax_yam_get_purchase · includes\class.ya-metrika-woocommerce.php:25
auth · wp_ajax_yam_dismiss_message · includes\class.ya-metrika.php:24
WordPress Hooks (43)

Type · Hook · Location
action · admin_menu · includes\class.ya-metrika-backend.php:12
action · admin_init · includes\class.ya-metrika-backend.php:13
action · admin_enqueue_scripts · includes\class.ya-metrika-backend.php:14
action · admin_head · includes\class.ya-metrika-backend.php:15
action · wp_head · includes\class.ya-metrika-backend.php:16
action · wp_enqueue_scripts · includes\class.ya-metrika-clickToChat.php:9
action · wp_enqueue_scripts · includes\class.ya-metrika-contactFormSeven.php:9
action · wp_enqueue_scripts · includes\class.ya-metrika-elementor.php:9
action · init · includes\class.ya-metrika-frontend.php:9
action · wp_enqueue_scripts · includes\class.ya-metrika-frontend.php:10
action · wp_enqueue_scripts · includes\class.ya-metrika-frontend.php:11
action · wp_head · includes\class.ya-metrika-frontend.php:12
action · wp_footer · includes\class.ya-metrika-frontend.php:13
action · wp_enqueue_scripts · includes\class.ya-metrika-mailchimpWoocommerce.php:9
action · wp_enqueue_scripts · includes\class.ya-metrika-mailpoet.php:9
action · wp_enqueue_scripts · includes\class.ya-metrika-mc4wp.php:9
action · wp_enqueue_scripts · includes\class.ya-metrika-newsletter.php:9
action · wp_enqueue_scripts · includes\class.ya-metrika-ninjaForms.php:9
action · admin_notices · includes\class.ya-metrika-ninjaForms.php:10
action · wp_enqueue_scripts · includes\class.ya-metrika-popupMaker.php:9
action · wp_enqueue_scripts · includes\class.ya-metrika-whatsappme.php:9
action · wp_enqueue_scripts · includes\class.ya-metrika-woocommerce.php:12
action · wp_print_footer_scripts · includes\class.ya-metrika-woocommerce.php:13
action · wp_head · includes\class.ya-metrika-woocommerce.php:14
action · init · includes\class.ya-metrika-woocommerce.php:15
action · the_post · includes\class.ya-metrika-woocommerce.php:18
filter · wc_get_template_part · includes\class.ya-metrika-woocommerce.php:19
filter · woocommerce_blocks_product_grid_item_html · includes\class.ya-metrika-woocommerce.php:20
action · woocommerce_after_cart_item_quantity_update · includes\class.ya-metrika-woocommerce.php:29
action · woocommerce_add_to_cart · includes\class.ya-metrika-woocommerce.php:30
action · woocommerce_remove_cart_item · includes\class.ya-metrika-woocommerce.php:31
action · woocommerce_cart_item_restored · includes\class.ya-metrika-woocommerce.php:32
action · woocommerce_before_thankyou · includes\class.ya-metrika-woocommerce.php:33
action · shutdown · includes\class.ya-metrika-woocommerce.php:36
action · wp_print_footer_scripts · includes\class.ya-metrika-woocommerce.php:464
action · wp_print_footer_scripts · includes\class.ya-metrika-woocommerce.php:589
action · wp_enqueue_scripts · includes\class.ya-metrika-wpforms.php:9
action · admin_notices · includes\class.ya-metrika-wpforms.php:10
action · wp_enqueue_scripts · includes\class.ya-metrika-yith-woocommerce-wishlist.php:9
action · plugins_loaded · includes\class.ya-metrika.php:22
action · plugin_action_links · includes\class.ya-metrika.php:23
action · admin_notices · includes\class.ya-metrika.php:25
action · current_screen · includes\class.ya-metrika.php:26
Maintenance & Trust

Yandex.Metrica Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Sep 25, 2025
PHP min version: 5.6.20
Downloads: 263K

Community Trust

Rating: 70/100
Number of ratings: 13
Active installs: 60K
Developer Profile

Yandex.Metrica Developer Profile

Yandex Metrika

1 plugin · 60K total installs

Trust score: 79
Avg Security Score: 78/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Yandex.Metrica

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-yandex-metrika/assets/admin.min.css
/wp-content/plugins/wp-yandex-metrika/assets/fonts/fonts.min.css
/wp-content/plugins/wp-yandex-metrika/assets/admin.min.js
Script Paths
https://cdn.jsdelivr.net/npm/select2@4.1.0-rc.0/dist/js/select2.min.js
https://cdn.jsdelivr.net/npm/select2@4.1.0-rc.0/dist/js/i18n/ru.js
Version Parameters
/wp-content/plugins/wp-yandex-metrika/assets/admin.min.css?ver=
/wp-content/plugins/wp-yandex-metrika/assets/fonts/fonts.min.css?ver=
/wp-content/plugins/wp-yandex-metrika/assets/admin.min.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-input-type="number"
JS Globals
YAM_SLUG, YAM_VER
FAQ

Frequently Asked Questions about Yandex.Metrica