XMPP Statistics Security & Risk Analysis

wordpress.org/plugins/xmpp-statistics

Displays the statistics from ejabberd XMPP server through ReST API.

10 active installs v1.12 PHP 7.0+ WP 4.4+ Updated Oct 27, 2024
ejabberd · jabber · xmpp

92 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never

Safety Verdict

Is XMPP Statistics Safe to Use in 2026?

Generally Safe

Score 92/100

XMPP Statistics has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1yr ago

Risk Assessment

The "xmpp-statistics" plugin version 1.12 presents a significant security risk, primarily because of its extensive unprotected REST API routes. With 26 out of 26 REST API routes lacking permission callbacks, any unauthenticated user can potentially interact with these endpoints, leading to unauthorized data access or manipulation. The absence of nonce checks and capability checks, together with a dangerously low output escaping rate (8%), further exacerbates this exposure. The plugin also exhibits poor SQL query practices: all 51 queries lack prepared statements, which opens it up to SQL injection. A clean vulnerability history with no recorded CVEs does not negate the risks posed by the code's current state. Static analysis reveals a large attack surface with a high proportion of unprotected entry points (26 out of 52). While no critical taint flows or dangerous functions were identified, the weaknesses found represent a substantial security concern. The plugin needs immediate attention to implement proper authentication and authorization for its REST API and to address its SQL query and output escaping weaknesses.

Key Concerns

  • Unprotected REST API routes
  • No capability checks
  • Low output escaping percentage
  • Raw SQL queries without prepared statements
  • Unprotected AJAX handlers
  • No nonce checks

Vulnerabilities
None known

XMPP Statistics Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis
Analyzed Mar 17, 2026

XMPP Statistics Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 51 (0 prepared)
Unescaped Output: 11 (1 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

0% prepared · 51 total queries

Output Escaping

8% escaped · 12 total outputs

Data Flows
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
xmpp_stats_settings_page (includes\settings.php:108)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized

Attack Surface
26 unprotected

XMPP Statistics Attack Surface

Entry Points: 52
Unprotected: 26

REST API Routes 26

GET /wp-json/xmpp-statistics/online-users-daily-chart (includes\charts.php:58)
GET /wp-json/xmpp-statistics/online-users-weekly-chart (includes\charts.php:187)
GET /wp-json/xmpp-statistics/registered-users-daily-chart (includes\charts.php:303)
GET /wp-json/xmpp-statistics/registered-users-weekly-chart (includes\charts.php:402)
GET /wp-json/xmpp-statistics/server-uptime-daily-chart (includes\charts.php:500)
GET /wp-json/xmpp-statistics/server-uptime-weekly-chart (includes\charts.php:597)
GET /wp-json/xmpp-statistics/system-uptime-daily-chart (includes\charts.php:695)
GET /wp-json/xmpp-statistics/system-uptime-weekly-chart (includes\charts.php:792)
GET /wp-json/xmpp-statistics/system-memory-usage-daily-chart (includes\charts.php:890)
GET /wp-json/xmpp-statistics/system-memory-usage-weekly-chart (includes\charts.php:1019)
GET /wp-json/xmpp-statistics/system-disk-usage-daily-chart (includes\charts.php:1141)
GET /wp-json/xmpp-statistics/system-disk-usage-weekly-chart (includes\charts.php:1270)
GET /wp-json/xmpp-statistics/s2s-out-daily-chart (includes\charts.php:1392)
GET /wp-json/xmpp-statistics/s2s-out-weekly-chart (includes\charts.php:1521)
GET /wp-json/xmpp-statistics/s2s-in-daily-chart (includes\charts.php:1643)
GET /wp-json/xmpp-statistics/s2s-in-weekly-chart (includes\charts.php:1772)
GET /wp-json/xmpp-statistics/online-users (includes\simple.php:43)
GET /wp-json/xmpp-statistics/registered-users (includes\simple.php:65)
GET /wp-json/xmpp-statistics/s2s-out (includes\simple.php:87)
GET /wp-json/xmpp-statistics/s2s-in (includes\simple.php:109)
GET /wp-json/xmpp-statistics/xmpp-uptime (includes\simple.php:131)
GET /wp-json/xmpp-statistics/xmpp-version (includes\simple.php:153)
GET /wp-json/xmpp-statistics/system-disk (includes\simple.php:176)
GET /wp-json/xmpp-statistics/system-version (includes\simple.php:202)
GET /wp-json/xmpp-statistics/system-uptime (includes\simple.php:224)
GET /wp-json/xmpp-statistics/system-memory (includes\simple.php:246)

Shortcodes 26

[xmpp_online_users_daily_chart] includes\charts.php:54
[xmpp_online_users_weekly_chart] includes\charts.php:183
[xmpp_registered_users_daily_chart] includes\charts.php:299
[xmpp_registered_users_weekly_chart] includes\charts.php:398
[xmpp_uptime_daily_chart] includes\charts.php:496
[xmpp_uptime_weekly_chart] includes\charts.php:593
[system_uptime_daily_chart] includes\charts.php:691
[system_uptime_weekly_chart] includes\charts.php:788
[memory_usage_daily_chart] includes\charts.php:886
[memory_usage_weekly_chart] includes\charts.php:1015
[disk_usage_daily_chart] includes\charts.php:1137
[disk_usage_weekly_chart] includes\charts.php:1266
[xmpp_s2s_out_daily_chart] includes\charts.php:1388
[xmpp_s2s_out_weekly_chart] includes\charts.php:1517
[xmpp_s2s_in_daily_chart] includes\charts.php:1639
[xmpp_s2s_in_weekly_chart] includes\charts.php:1768
[xmpp_onlineusers] includes\simple.php:39
[xmpp_registeredusers] includes\simple.php:61
[xmpp_s2s_out] includes\simple.php:83
[xmpp_s2s_in] includes\simple.php:105
[xmpp_uptime] includes\simple.php:127
[xmpp_version] includes\simple.php:149
[system_disk_usage] includes\simple.php:172
[system_version] includes\simple.php:198
[system_uptime] includes\simple.php:220
[system_memory_usage] includes\simple.php:242

WordPress Hooks 33

action wp_enqueue_scripts (includes\charts.php:48)
action rest_api_init (includes\charts.php:64)
action rest_api_init (includes\charts.php:193)
action rest_api_init (includes\charts.php:309)
action rest_api_init (includes\charts.php:408)
action rest_api_init (includes\charts.php:506)
action rest_api_init (includes\charts.php:603)
action rest_api_init (includes\charts.php:701)
action rest_api_init (includes\charts.php:798)
action rest_api_init (includes\charts.php:896)
action rest_api_init (includes\charts.php:1025)
action rest_api_init (includes\charts.php:1147)
action rest_api_init (includes\charts.php:1276)
action rest_api_init (includes\charts.php:1398)
action rest_api_init (includes\charts.php:1527)
action rest_api_init (includes\charts.php:1649)
action rest_api_init (includes\charts.php:1778)
filter cron_schedules (includes\cron.php:45)
action xmpp_stats_cron (includes\cron.php:105)
action admin_init (includes\settings.php:25)
action admin_enqueue_scripts (includes\settings.php:39)
action admin_menu (includes\settings.php:46)
action wp_enqueue_scripts (includes\simple.php:32)
action rest_api_init (includes\simple.php:49)
action rest_api_init (includes\simple.php:71)
action rest_api_init (includes\simple.php:93)
action rest_api_init (includes\simple.php:115)
action rest_api_init (includes\simple.php:137)
action rest_api_init (includes\simple.php:159)
action rest_api_init (includes\simple.php:182)
action rest_api_init (includes\simple.php:208)
action rest_api_init (includes\simple.php:230)
action rest_api_init (includes\simple.php:252)

Scheduled Events 1

xmpp_stats_cron

Maintenance & Trust

XMPP Statistics Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Oct 27, 2024
PHP min version: 7.0
Downloads: 6K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10

Developer Profile

XMPP Statistics Developer Profile

Beherit

7 plugins · 420 total installs

Trust score: 85
Avg Security Score: 87/100
Avg Patch Time: 30 days

Detection Fingerprints

How We Detect XMPP Statistics

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/xmpp-statistics/css/style.min.css
/wp-content/plugins/xmpp-statistics/js/flot/jquery.canvaswrapper.js
/wp-content/plugins/xmpp-statistics/js/flot/jquery.colorhelpers.js
/wp-content/plugins/xmpp-statistics/js/flot/jquery.flot.js
/wp-content/plugins/xmpp-statistics/js/flot/jquery.flot.browser.js
/wp-content/plugins/xmpp-statistics/js/flot/jquery.flot.drawSeries.js
/wp-content/plugins/xmpp-statistics/js/flot/jquery.flot.hover.js
/wp-content/plugins/xmpp-statistics/js/flot/jquery.flot.resize.js
+4 more
Script Paths
js/flot/jquery.canvaswrapper.js
js/flot/jquery.colorhelpers.js
js/flot/jquery.flot.js
js/flot/jquery.flot.browser.js
js/flot/jquery.flot.drawSeries.js
js/flot/jquery.flot.hover.js
+5 more
Version Parameters
xmpp-statistics/css/style.min.css?ver=
xmpp-statistics/js/flot/jquery.canvaswrapper.js?ver=
xmpp-statistics/js/flot/jquery.colorhelpers.js?ver=
xmpp-statistics/js/flot/jquery.flot.js?ver=
xmpp-statistics/js/flot/jquery.flot.browser.js?ver=
xmpp-statistics/js/flot/jquery.flot.drawSeries.js?ver=
xmpp-statistics/js/flot/jquery.flot.hover.js?ver=
xmpp-statistics/js/flot/jquery.flot.resize.js?ver=
xmpp-statistics/js/flot/jquery.flot.saturated.js?ver=
xmpp-statistics/js/flot/jquery.flot.time.js?ver=
xmpp-statistics/js/flot/jquery.flot.uiConstants.js?ver=
xmpp-statistics/js/jquery.xmpp-stats-charts.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
xmpp-stats-chart-title
xmpp-stats-chart
loader
Data Attributes
data-action="online-users-daily-chart"
data-action="online-users-weekly-chart"
data-action="registered-users-daily-chart"
data-action="registered-users-weekly-chart"
data-action="uptime-daily-chart"
data-action="uptime-weekly-chart"
+10 more
JS Globals
xmpp_stats
REST Endpoints
/wp-json/xmpp-statistics/online-users-daily-chart
/wp-json/xmpp-statistics/online-users-weekly-chart
/wp-json/xmpp-statistics/registered-users-daily-chart
/wp-json/xmpp-statistics/registered-users-weekly-chart
/wp-json/xmpp-statistics/uptime-daily-chart
/wp-json/xmpp-statistics/uptime-weekly-chart
/wp-json/xmpp-statistics/system-uptime-daily-chart
/wp-json/xmpp-statistics/system-uptime-weekly-chart
/wp-json/xmpp-statistics/memory-usage-daily-chart
/wp-json/xmpp-statistics/memory-usage-weekly-chart
/wp-json/xmpp-statistics/disk-usage-daily-chart
/wp-json/xmpp-statistics/disk-usage-weekly-chart
/wp-json/xmpp-statistics/xmpp-s2s-out-daily-chart
/wp-json/xmpp-statistics/xmpp-s2s-out-weekly-chart
/wp-json/xmpp-statistics/xmpp-s2s-in-daily-chart
/wp-json/xmpp-statistics/xmpp-s2s-in-weekly-chart
Shortcode Output
<div class="xmpp-stats-chart-title">__('Logged in users', 'xmpp-statistics') - __('by day', 'xmpp-statistics')</div><div data-action="online-users-daily-chart" class="xmpp-stats-chart" style="max-width:
<div class="xmpp-stats-chart-title">__('Logged in users', 'xmpp-statistics') - __('by week', 'xmpp-statistics')</div><div data-action="online-users-weekly-chart" class="xmpp-stats-chart" style="max-width:
<div class="xmpp-stats-chart-title">__('Registered users', 'xmpp-statistics') - __('by day', 'xmpp-statistics')</div><div data-action="registered-users-daily-chart" class="xmpp-stats-chart" style="max-width:
<div class="xmpp-stats-chart-title">__('Registered users', 'xmpp-statistics') - __('by week', 'xmpp-statistics')</div><div data-action="registered-users-weekly-chart" class="xmpp-stats-chart" style="max-width:

FAQ

Frequently Asked Questions about XMPP Statistics