Plugin inspection:

Google Analytics for WordPress

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 4.3.3 of this plugin, but the most recent version is 9.2.0. These findings may no longer be correct.

Findings

Among the issues identified are:

  • No SQL escaping.
  • No HTML escaping.
  • Some additional SQL (again, unescaped) gets executed only when a certain global variable ($cart_log_id) is set, so may be more vulnerable when combined with certain themes or plugins.

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

No SQL escaping, no HTML escaping.

Failure criteria

  • Execution of unprepared SQL statements
  • Lack of proper output escaping
  • Very large codebase

Read more about our failure criteria.