WP Clinic
Log in Sign up

PLUGIN SECURITY

Is Wp Statistics safe?

Known vulnerabilities, PHP compatibility and safer alternatives for the Wp Statistics WordPress plugin — checked against WP Clinic's local security database.

Plugin details

  • Slug: wp-statistics
  • Requires PHP: 7.4+
  • Max supported PHP (analyzed): <8.0

Known vulnerabilities

  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.6 [CVE-2022-0651, WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Blind SQL Injection (SQLi) vulnerability, WP Statistics <= 13.1.5 - Unauthenticated Blind SQL Injection via current_page_type, WP Statistics &lt; 13.1.6 - Unauthenticated Blind SQL Injection via current_page_type]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.6 [CVE-2022-25148, WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Blind SQL Injection (SQLi) vulnerability, WP Statistics <= 13.1.5 - Unauthenticated SQL Injection, WP Statistics &lt; 13.1.6 - Unauthenticated Blind SQL Injection via current_page_id]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.6 [CVE-2022-25149, WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Blind SQL Injection (SQLi) vulnerability, WP Statistics <= 13.1.5 - Unauthenticated Blind SQL Injection via IP, WP Statistics &lt; 13.1.6 - Unauthenticated Blind SQL Injection via IP]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.6 [CVE-2022-25305, WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability, WP Statistics <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting via IP]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.6 [CVE-2022-25306, WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability, WP Statistics <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting via browser]
+ 56 more known vulnerabilities
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.6 [CVE-2022-25307, WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability, WP Statistics <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting via platform, WP Statistics &lt; 13.1.6 - Multiple Unauthenticated Stored Cross-Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.5 [CVE-2022-0513, WordPress WP Statistics plugin <= 13.1.4 - Unauthenticated SQL Injection vulnerability, WP Statistics <= 13.1.4 - Unauthenticated Blind SQL Injection, WP Statistics &lt; 13.1.5 - Unauthenticated Blind SQL Injection]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.0.8 [CVE-2021-24340, WP Statistics <= 13.0.7 - Unauthenticated SQL Injection, WP Statistics &lt; 13.0.8 - Unauthenticated SQL Injection]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.8 [CVE-2017-18515, WP Statistics <= 12.0.7 - Authenticated SQL Injection, WP Statistics &lt;= 12.0.7 - Authenticated SQL Injection]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.6.7 [CVE-2019-13275, WP Statistics <= 12.6.6.1 - Unauthenticated Blind SQL Injection, WP Statistics &lt;= 12.6.6.1 - Unauthenticated Blind SQL Injection]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.6.6.1 [CVE-2019-12566, WordPress WP Statistics plugin <= 12.6.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability, WP Statistics <= 12.6.5 - Stored Cross-Site Scripting, WP Statistics &lt;= 12.6.5 - Authenticated Stored XSS]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.6.4 [CVE-2019-10864, WordPress WP Statistics plugin <= 12.6.3 - Cross-Site Scripting (XSS) vulnerability, WP Statistics <= 12.6.3 - Referer Cross-Site Scripting, WP Statistics &lt;= 12.6.3 - Referer Cross-Site Scripting (XSS)]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] >= 12.0.2 - <= 12.0.5 [CVE-2018-1000556]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.10 [CVE-2017-10991, WP Statistics <= 12.0.9 - Authenticated Cross-Site Scripting, WP Statistics &lt;= 12.0.9 - Authenticated Cross-Site Scripting (XSS)]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.5 [CVE-2017-2135, WordPress plugin "WP Statistics" vulnerable to cross-site scripting, WP Statistics &lt;= 12.0.4 - Reflected Cross-Site Scripting (XSS)]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] <= 12.0.4 [CVE-2017-2147, WordPress plugin "WP Statistics" vulnerable to cross-site scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.5 [CVE-2017-2136, WordPress plugin "WP Statistics" vulnerable to cross-site scripting, WP Statistics <= 12.0.4 - Stored Cross-Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.0.8 [WordPress WP Statistics plugin <= 13.0.7 - Unauthenticated Time-Based Blind SQL Injection (SQLi) vulnerability]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.6.7 [WordPress WP Statistics plugin <= 12.6.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.2.2 [CVE-2022-27231, WordPress plugin "WP Statistics" vulnerable to cross-site scripting, WordPress WP Statistics plugin <= 13.2.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability, WP Statistics <= 13.1.7 - Cross-Site Scripting, WP Statistic &lt; 13.2.2 - Admin+ Stored Cross-Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.2.2 [CVE-2022-1005, WordPress WP Statistics plugin <= 13.2.1 - Reflected Cross-Site Scripting (XSS) vulnerability, WP Statistics <= 13.2.1 - Reflected Cross-Site Scripting, WP Statistics &lt; 13.2.2 - Reflected Cross-Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.8 [WordPress WP Statistics plugin <=12.0.7 - Authenticated SQL Injection vulnerability]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.6 [WordPress WP Statistics plugin <=12.0.5 - Reflected Cross-Site Scripting (XSS) vulnerability]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.4.1 [WordPress WP Statistics Plugin <= 9.4 - SQL Injection]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.5.2 [WordPress WP Statistics Plugin <= 9.5.1 - Cross Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 2.2.5 [WordPress WP Statistics Plugin <= 2.2.4 - Cross Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.1.3 [WordPress WP Statistics Plugin <= 9.1.2 - Stored Cross Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 8.3.1 [WordPress WP Statistics Plugin <= 8.3 - Stored & Reflected XSS]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 8.5 [WordPress WP Statistics Plugin <= 8.4 - Stored XSS]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.2.6 [WP Statistics <= 13.2.5 - Authenticated (Subscriber+) SQL Injection]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.2.6 [WP Statistics <= 13.2.5 - Information Disclosure]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1 [WP Statistics <= 13.0.9 - Reflected Cross-Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.6.7 [WP Statistics <= 12.6.6.1 - Unauthenticated Stored Cross-Site Scripting via IP Manipulation]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.9 [WP Statistics <= 12.0.8.1 - Reflected Cross-Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.2.9 [CVE-2022-4230, WordPress WP Statistics Plugin < 13.2.9 is vulnerable to SQL Injection, WP Statistics <= 13.2.8 - Authenticated (Admin+) SQL Injection, WP Statistics &lt; 13.2.9 - Authenticated SQLi]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.5.2 [WP Statistics <= 9.5.1 - Cross-Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.4.1 [WP Statistics < 9.4.1 - Authenticated Blind SQL Injection]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.1.3 [WP Statistics < 9.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 8.5 [WP Statistics <= 8.4 - Stored Cross-Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 8.3.1 [WP Statistics < 8.3.1 - Multiple Cross-Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 2.2.5 [WP Statistics <= 2.2.4 - Cross-Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.2.11 [CVE-2022-38074, WordPress WP Statistics Plugin <= 13.2.10 is vulnerable to SQL Injection, WP Statistics <= 13.2.10 - Authenticated (Subscriber+) SQL Injection, WP Statistics &lt; 13.2.11 - Subscriber+ SQLi]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.2 [CVE-2021-4333, WP Statistics <= 13.1.1 - Cross-Site Request Forgery to Arbitrary Plugin Activation and Deactivation, WP Statistics &lt; 13.1.2 - Arbitrary Plugin Activation/Deactivation via CSRF]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.0 [CVE-2023-0955, WordPress WP Statistics Plugin < 14.0 is vulnerable to SQL Injection, WP Statistics <= 13.2.16 - Authenticated (Admin+) SQL Injection, WP Statistics &lt; 14.0 - Authenticated SQLi]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1 [WP Statistic &lt; 13.1 - Reflected Cross-Site Scripting (XSS)]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.6.7 [WP Statistics &lt;= 12.6.6.1 - Unauthenticated Stored XSS Under Certain Configurations]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.9 [WP Statistics &lt;= 12.0.8.1 - Authenticated Reflected Cross-Site Scripting (XSS)]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.5.2 [WP Statistics &lt;= 9.5.1 - Referer Cross-Site Scripting (XSS)]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.4.1 [WP Statistics &lt;= 9.4 - Authenticated SQL Injection]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.1.3 [WP Statistics &lt;= 9.1.2 - Authenticated Stored Cross-Site Scripting (XSS)]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 8.5 [WP Statistics &lt;= 8.4 - Unauthenticated Referer Header Stored XSS]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 8.3.1 [WP Statistics &lt;= 8.3 - Stored &amp; Reflected Cross-Site Scripting (XSS)]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 2.2.5 [WP Statistics &lt;= 2.2.4 - Cross-Site Scripting (XSS)]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.6 [WP Statistic &lt; 13.1.6 - Reflected Cross-Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.5.1 [CVE-2024-2194, WP Statistics <= 14.5 - Unauthenticated Stored Cross-Site Scripting, WordPress WP Statistics Plugin <= 14.5 is vulnerable to Cross Site Scripting (XSS), WP Statistics &lt; 14.5.1 - Unauthenticated Stored Cross-Site Scripting]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.13.4 [CVE-2025-3953, WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin <= 14.13.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Update, WordPress WP Statistics Plugin <= 14.13.3 is vulnerable to Broken Access Control, EUVD-2025-12674]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.15.2 [CVE-2025-55716, WP Statistics <= 14.15 - Missing Authorization, EUVD-2025-24928]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.15.5 [WP Statistics <= 14.5.4 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header, EUVD-2025-31405, WP Statistics <= 14.5.4 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.16.5 [CVE-2026-5231, WP Statistics <= 14.16.4 - Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.16.5 [CVE-2026-3488, WP Statistics <= 14.16.4 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure and Privacy Audit Manipulation]
  • WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.16.7 [CVE-2026-48839, WP Statistics – Simple, privacy-friendly Google Analytics alternative <= 14.16.6 - Unauthenticated Stored Cross-Site Scripting, WP Statistics – Simple, privacy-friendly Google Analytics alternative &lt;= 14.16.6 - Unauthenticated Stored Cross-Site Scripting]

Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.

Safer / more established alternatives

Check your own WordPress site

Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.