PLUGIN SECURITY
Is Wp Statistics safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Wp Statistics WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
wp-statistics - Requires PHP: 7.4+
- Max supported PHP (analyzed): <8.0
Known vulnerabilities
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.6 [CVE-2022-0651, WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Blind SQL Injection (SQLi) vulnerability, WP Statistics <= 13.1.5 - Unauthenticated Blind SQL Injection via current_page_type, WP Statistics < 13.1.6 - Unauthenticated Blind SQL Injection via current_page_type]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.6 [CVE-2022-25148, WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Blind SQL Injection (SQLi) vulnerability, WP Statistics <= 13.1.5 - Unauthenticated SQL Injection, WP Statistics < 13.1.6 - Unauthenticated Blind SQL Injection via current_page_id]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.6 [CVE-2022-25149, WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Blind SQL Injection (SQLi) vulnerability, WP Statistics <= 13.1.5 - Unauthenticated Blind SQL Injection via IP, WP Statistics < 13.1.6 - Unauthenticated Blind SQL Injection via IP]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.6 [CVE-2022-25305, WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability, WP Statistics <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting via IP]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.6 [CVE-2022-25306, WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability, WP Statistics <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting via browser]
+ 56 more known vulnerabilities
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.6 [CVE-2022-25307, WordPress WP Statistics plugin <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability, WP Statistics <= 13.1.5 - Unauthenticated Stored Cross-Site Scripting via platform, WP Statistics < 13.1.6 - Multiple Unauthenticated Stored Cross-Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.5 [CVE-2022-0513, WordPress WP Statistics plugin <= 13.1.4 - Unauthenticated SQL Injection vulnerability, WP Statistics <= 13.1.4 - Unauthenticated Blind SQL Injection, WP Statistics < 13.1.5 - Unauthenticated Blind SQL Injection]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.0.8 [CVE-2021-24340, WP Statistics <= 13.0.7 - Unauthenticated SQL Injection, WP Statistics < 13.0.8 - Unauthenticated SQL Injection]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.8 [CVE-2017-18515, WP Statistics <= 12.0.7 - Authenticated SQL Injection, WP Statistics <= 12.0.7 - Authenticated SQL Injection]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.6.7 [CVE-2019-13275, WP Statistics <= 12.6.6.1 - Unauthenticated Blind SQL Injection, WP Statistics <= 12.6.6.1 - Unauthenticated Blind SQL Injection]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.6.6.1 [CVE-2019-12566, WordPress WP Statistics plugin <= 12.6.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability, WP Statistics <= 12.6.5 - Stored Cross-Site Scripting, WP Statistics <= 12.6.5 - Authenticated Stored XSS]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.6.4 [CVE-2019-10864, WordPress WP Statistics plugin <= 12.6.3 - Cross-Site Scripting (XSS) vulnerability, WP Statistics <= 12.6.3 - Referer Cross-Site Scripting, WP Statistics <= 12.6.3 - Referer Cross-Site Scripting (XSS)]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] >= 12.0.2 - <= 12.0.5 [CVE-2018-1000556]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.10 [CVE-2017-10991, WP Statistics <= 12.0.9 - Authenticated Cross-Site Scripting, WP Statistics <= 12.0.9 - Authenticated Cross-Site Scripting (XSS)]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.5 [CVE-2017-2135, WordPress plugin "WP Statistics" vulnerable to cross-site scripting, WP Statistics <= 12.0.4 - Reflected Cross-Site Scripting (XSS)]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] <= 12.0.4 [CVE-2017-2147, WordPress plugin "WP Statistics" vulnerable to cross-site scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.5 [CVE-2017-2136, WordPress plugin "WP Statistics" vulnerable to cross-site scripting, WP Statistics <= 12.0.4 - Stored Cross-Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.0.8 [WordPress WP Statistics plugin <= 13.0.7 - Unauthenticated Time-Based Blind SQL Injection (SQLi) vulnerability]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.6.7 [WordPress WP Statistics plugin <= 12.6.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.2.2 [CVE-2022-27231, WordPress plugin "WP Statistics" vulnerable to cross-site scripting, WordPress WP Statistics plugin <= 13.2.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability, WP Statistics <= 13.1.7 - Cross-Site Scripting, WP Statistic < 13.2.2 - Admin+ Stored Cross-Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.2.2 [CVE-2022-1005, WordPress WP Statistics plugin <= 13.2.1 - Reflected Cross-Site Scripting (XSS) vulnerability, WP Statistics <= 13.2.1 - Reflected Cross-Site Scripting, WP Statistics < 13.2.2 - Reflected Cross-Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.8 [WordPress WP Statistics plugin <=12.0.7 - Authenticated SQL Injection vulnerability]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.6 [WordPress WP Statistics plugin <=12.0.5 - Reflected Cross-Site Scripting (XSS) vulnerability]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.4.1 [WordPress WP Statistics Plugin <= 9.4 - SQL Injection]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.5.2 [WordPress WP Statistics Plugin <= 9.5.1 - Cross Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 2.2.5 [WordPress WP Statistics Plugin <= 2.2.4 - Cross Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.1.3 [WordPress WP Statistics Plugin <= 9.1.2 - Stored Cross Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 8.3.1 [WordPress WP Statistics Plugin <= 8.3 - Stored & Reflected XSS]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 8.5 [WordPress WP Statistics Plugin <= 8.4 - Stored XSS]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.2.6 [WP Statistics <= 13.2.5 - Authenticated (Subscriber+) SQL Injection]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.2.6 [WP Statistics <= 13.2.5 - Information Disclosure]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1 [WP Statistics <= 13.0.9 - Reflected Cross-Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.6.7 [WP Statistics <= 12.6.6.1 - Unauthenticated Stored Cross-Site Scripting via IP Manipulation]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.9 [WP Statistics <= 12.0.8.1 - Reflected Cross-Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.2.9 [CVE-2022-4230, WordPress WP Statistics Plugin < 13.2.9 is vulnerable to SQL Injection, WP Statistics <= 13.2.8 - Authenticated (Admin+) SQL Injection, WP Statistics < 13.2.9 - Authenticated SQLi]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.5.2 [WP Statistics <= 9.5.1 - Cross-Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.4.1 [WP Statistics < 9.4.1 - Authenticated Blind SQL Injection]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.1.3 [WP Statistics < 9.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 8.5 [WP Statistics <= 8.4 - Stored Cross-Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 8.3.1 [WP Statistics < 8.3.1 - Multiple Cross-Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 2.2.5 [WP Statistics <= 2.2.4 - Cross-Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.2.11 [CVE-2022-38074, WordPress WP Statistics Plugin <= 13.2.10 is vulnerable to SQL Injection, WP Statistics <= 13.2.10 - Authenticated (Subscriber+) SQL Injection, WP Statistics < 13.2.11 - Subscriber+ SQLi]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.2 [CVE-2021-4333, WP Statistics <= 13.1.1 - Cross-Site Request Forgery to Arbitrary Plugin Activation and Deactivation, WP Statistics < 13.1.2 - Arbitrary Plugin Activation/Deactivation via CSRF]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.0 [CVE-2023-0955, WordPress WP Statistics Plugin < 14.0 is vulnerable to SQL Injection, WP Statistics <= 13.2.16 - Authenticated (Admin+) SQL Injection, WP Statistics < 14.0 - Authenticated SQLi]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1 [WP Statistic < 13.1 - Reflected Cross-Site Scripting (XSS)]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.6.7 [WP Statistics <= 12.6.6.1 - Unauthenticated Stored XSS Under Certain Configurations]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 12.0.9 [WP Statistics <= 12.0.8.1 - Authenticated Reflected Cross-Site Scripting (XSS)]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.5.2 [WP Statistics <= 9.5.1 - Referer Cross-Site Scripting (XSS)]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.4.1 [WP Statistics <= 9.4 - Authenticated SQL Injection]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 9.1.3 [WP Statistics <= 9.1.2 - Authenticated Stored Cross-Site Scripting (XSS)]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 8.5 [WP Statistics <= 8.4 - Unauthenticated Referer Header Stored XSS]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 8.3.1 [WP Statistics <= 8.3 - Stored & Reflected Cross-Site Scripting (XSS)]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 2.2.5 [WP Statistics <= 2.2.4 - Cross-Site Scripting (XSS)]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 13.1.6 [WP Statistic < 13.1.6 - Reflected Cross-Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.5.1 [CVE-2024-2194, WP Statistics <= 14.5 - Unauthenticated Stored Cross-Site Scripting, WordPress WP Statistics Plugin <= 14.5 is vulnerable to Cross Site Scripting (XSS), WP Statistics < 14.5.1 - Unauthenticated Stored Cross-Site Scripting]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.13.4 [CVE-2025-3953, WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin <= 14.13.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Update, WordPress WP Statistics Plugin <= 14.13.3 is vulnerable to Broken Access Control, EUVD-2025-12674]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.15.2 [CVE-2025-55716, WP Statistics <= 14.15 - Missing Authorization, EUVD-2025-24928]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.15.5 [WP Statistics <= 14.5.4 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header, EUVD-2025-31405, WP Statistics <= 14.5.4 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.16.5 [CVE-2026-5231, WP Statistics <= 14.16.4 - Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.16.5 [CVE-2026-3488, WP Statistics <= 14.16.4 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure and Privacy Audit Manipulation]
- WP Statistics – Simple, privacy-friendly Google Analytics alternative [wp-statistics] < 14.16.7 [CVE-2026-48839, WP Statistics – Simple, privacy-friendly Google Analytics alternative <= 14.16.6 - Unauthenticated Stored Cross-Site Scripting, WP Statistics – Simple, privacy-friendly Google Analytics alternative <= 14.16.6 - Unauthenticated Stored Cross-Site Scripting]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Site Kit by Google – Analytics, Search Console, AdSense, Speed — 5000000+ active installs
- MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) — 2000000+ active installs — max PHP 8.4
- GTM4WP – A Google Tag Manager (GTM) plugin for WordPress — 700000+ active installs — max PHP 8.4
- GA Google Analytics – Connect Google Analytics to WordPress — 400000+ active installs — max PHP 8.4
- ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) — 300000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.