| #1 | Matomo Analytics – Powerful, Privacy-First Insights for WordPress | 19 | 1,909 | 878 | 100k+ | | | Exception output is not escaped |
| #2 | UserFeedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds | 22 | 444 | 243 | 200k+ | | | Text Domain Mismatch |
| #3 | Tracking and Consent Manager – WP Full Picture | 23 | 1,280 | 3,223 | 3k+ | | | Non-prefixed global variable |
| #4 | GAinWP Google Analytics Integration for WordPress | 23 | 525 | 176 | 8k+ | | | Output is not escaped |
| #5 | Local Google Analytics for WordPress – caches external requests | 23 | 551 | 199 | 3k+ | | | Output is not escaped |
| #6 | ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) | 24 | 118 | 442 | 300k+ | | | Nonce verification recommended |
| #7 | Koko Analytics – Privacy-Friendly WordPress Analytics | 24 | 161 | 280 | 60k+ | | | Short PHP open tag found |
| #8 | Opt-Out for Google Analytics (DSGVO / GDPR) | 24 | 290 | 1,978 | 3k+ | | | Non-prefixed global variable |
| #9 | SEO Engine – Smart SEO with AI, Schema & Redirection for WordPress | 24 | 236 | 304 | 1k+ | | | Direct Query |
| #10 | Enhanced Ecommerce Google Analytics for WooCommerce | 24 | 771 | 1,480 | 2k+ | | | Non-prefixed global variable |
| #11 | SlimStat Analytics | 24 | 1,169 | 737 | 70k+ | | | Exception output is not escaped |
| #12 | MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) | 25 | 116 | 441 | 2m+ | | | Nonce verification recommended |
| #13 | Site Kit by Google – Analytics, Search Console, AdSense, Speed | 25 | 1,304 | 242 | 5m+ | | | Missing direct file access protection |
| #14 | Independent Analytics – WordPress Analytics Plugin | 25 | 1,148 | 2,293 | 100k+ | | | Non-prefixed global variable |
| #15 | Analytify – Google Analytics Dashboard For WordPress (GA4 analytics tracking) | 25 | 169 | 295 | 20k+ | | | Non-prefixed global variable |
| #16 | WP Statistics – Simple, privacy-friendly Google Analytics alternative | 25 | 610 | 2,465 | 600k+ | | | Non-prefixed global variable |
| #17 | GTmetrix for WordPress | 28 | 109 | 70 | 8k+ | | | Output is not escaped |
| #18 | Connect Matomo – Analytics Dashboard for WordPress | 28 | 100 | 102 | 60k+ | | | Missing Translators Comment |
| #19 | Better Google Analytics | 29 | 376 | 869 | 2k+ | | | Non-prefixed global variable |
| #20 | Post Views Counter | 29 | 179 | 398 | 200k+ | | | Non-prefixed hook name |
| #21 | WP Google Analytics Events – No-Code Custom Event Tracking for Google Analytics | 29 | 118 | 128 | 5k+ | | | Output is not escaped |
| #22 | QA Assistants – Driven by data | 30 | 4 | 867 | 2k+ | | | Non-prefixed global variable |
| #23 | HT Easy GA4 – Google Analytics WordPress Plugin | 31 | 475 | 93 | 6k+ | | | Text Domain Mismatch |
| #24 | WP Visitor Statistics (Real Time Traffic) | 31 | 353 | 691 | 20k+ | | | Nonce verification recommended |
| #25 | Clicky Analytics | 33 | 166 | 92 | 10k+ | | | Output is not escaped |
| #26 | Plausible Analytics | 33 | 284 | 67 | 10k+ | | | Exception output is not escaped |
| #27 | Seriously Simple Stats | 34 | 99 | 126 | 5k+ | | | Output is not escaped |
| #28 | Aurora Heatmap | 35 | 14 | 18 | 20k+ | | | Non-prefixed global variable |
| #29 | Integrate Umami | 35 | 10 | 0 | 2k+ | | | Hidden files included |
| #30 | OPcache Manager | 35 | 155 | 75 | 1k+ | | | Output is not escaped |
| #31 | Piwik PRO | 35 | 22 | 3 | 3k+ | | | Output is not escaped |
| #32 | WP Views Counter | 35 | 81 | 42 | 2k+ | | | Output is not escaped |
| #33 | Lara's Google Analytics (GA4) | 36 | 303 | 57 | 9k+ | | | Unsafe printing function |
| #34 | Website Pop-up Builder by BDOW! (formerly Sumo): Pop-ups + forms for email opt-ins and lead generation | 37 | 42 | 33 | 10k+ | | | Output is not escaped |
| #35 | Tracking Script Manager | 37 | 82 | 57 | 2k+ | | | Non Singular String Literal Domain |
| #36 | Goal Tracker – Custom Event Tracking for GA4 | 38 | 541 | 25 | 2k+ | | | Output is not escaped |
| #37 | CAOS | Host Google Analytics Locally | 38 | 124 | 44 | 10k+ | | | Output is not escaped |
| #38 | SRS Simple Hits Counter | 38 | 43 | 98 | 8k+ | | | Output is not escaped |
| #39 | WP Client Reports | 38 | 95 | 80 | 6k+ | | | Unsafe printing function |
| #40 | Traffic Monitor | 39 | 6 | 143 | 1k+ | | | Direct Query |
| #41 | UserHeat Plugin | 39 | 121 | 20 | 6k+ | | | Non Singular String Literal Domain |
| #42 | Yandex Metrica | 39 | 92 | 46 | 20k+ | | | Output is not escaped |
| #43 | Analytics Germanized for Google Analytics (GDPR / DSGVO) | 40 | 49 | 14 | 8k+ | | | Output is not escaped |
| #44 | heatmap for WordPress – Realtime analytics | 40 | 94 | 15 | 1k+ | | | Non Singular String Literal Domain |
| #45 | Statify Widget | 40 | 52 | 13 | 4k+ | | | Output is not escaped |
| #46 | ShinyStat Analytics | 41 | 88 | 25 | 1k+ | | | Output is not escaped |
| #47 | GA Google Analytics – Connect Google Analytics to WordPress | 42 | 46 | 30 | 400k+ | | | Output is not escaped |
| #48 | Goolytics – Simple Google Analytics | 42 | 37 | 5 | 4k+ | | | Unsafe printing function |
| #49 | Super Simple Google Analytics | 48 | 55 | 3 | 2k+ | | | Output is not escaped |
| #50 | User Activity Tracking and Log | 51 | 28 | 237 | 3k+ | | | Non-prefixed global variable |
