Zipfstats Security & Risk Analysis

wordpress.org/plugins/zipfstats

Zipfstats provides a widget plotting the frequency each word appears in a post/page and its rank (most frequent->least) against a Zipf distribution …

10 active installs · v1.2 · PHP + WP 3.8.1+ · Updated Jan 3, 2017
Tags: analysis, pages, posts, statistics, word-count
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Zipfstats Safe to Use in 2026?

Generally Safe

Score 85/100

Zipfstats has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 9yr ago
Risk Assessment

The zipfstats v1.2 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all its SQL queries and has no recorded vulnerabilities in its history. Furthermore, the static analysis reveals a very small attack surface, consisting of a single shortcode with no identified unprotected entry points. The absence of dangerous functions, file operations, and external HTTP requests is also a positive indicator.

However, a significant concern arises from the complete lack of output escaping. This means that any data processed or displayed by the plugin, even if originating from trusted sources, is not properly sanitized, potentially leading to cross-site scripting (XSS) vulnerabilities. The absence of nonce checks, while less critical given the limited entry points, is also a minor oversight. The lack of taint analysis results is neutral, as it might indicate no complex data flows were analyzed or that the tool did not find any issues.

Overall, while the plugin has a clean vulnerability history and minimal attack surface, the unescaped output represents a critical weakness that requires immediate attention to prevent potential client-side attacks.

Key Concerns

  • All outputs are unescaped
  • No nonce checks present

Vulnerabilities
None known

Zipfstats Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Zipfstats Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 17 (0 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

0% escaped (17 total outputs)
Attack Surface

Zipfstats Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes (1)

[zipf] · jbl-zipfstats.php:42

WordPress Hooks (2)

action · widgets_init · jbl-zipfstats.php:54
filter · the_content · jbl-zipfstats.php:132
Maintenance & Trust

Zipfstats Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.7.32
Last updated: Jan 3, 2017
PHP min version: (not listed)
Downloads: 2K

Community Trust

Rating: 80/100
Number of ratings: 1
Active installs: 10
Developer Profile

Zipfstats Developer Profile

James Luberda

1 plugin · 10 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Zipfstats

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/zipfstats/css/jbl_zipfplot.css
Script Paths
/wp-content/plugins/zipfstats/includes/jqPlot/jquery.jqplot.min.js
/wp-content/plugins/zipfstats/includes/jqPlot/plugins/jqplot.canvasAxisLabelRenderer.min.js
/wp-content/plugins/zipfstats/includes/jqPlot/plugins/jqplot.canvasTextRenderer.min.js
/wp-content/plugins/zipfstats/includes/jqPlot/plugins/jqplot.enhancedLegendRenderer.min.js
Version Parameters
zipfstats/css/jbl_zipfplot.css?ver=
zipfstats/includes/jqPlot/jquery.jqplot.min.js?ver=
zipfstats/includes/jqPlot/plugins/jqplot.canvasAxisLabelRenderer.min.js?ver=
zipfstats/includes/jqPlot/plugins/jqplot.canvasTextRenderer.min.js?ver=
zipfstats/includes/jqPlot/plugins/jqplot.enhancedLegendRenderer.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
zipfstats_widget_class
Data Attributes
name="jbl_zipf_adminonly"
name="jbl_zipf_shortcodes"
name="jbl_zipf_show_graph"
name="jbl_zipf_show_wordlist"
name="jbl_zipf_expand_wordlist"
name="jbl_zipf_numwords"
JS Globals
jQuery
Shortcode Output
argle-bargle argle-bargle argle-bargle
FAQ

Frequently Asked Questions about Zipfstats