Autoptimize Security & Risk Analysis

wordpress.org/plugins/autoptimize

Autoptimize speeds up your website by optimizing JS, CSS, images (incl. lazy-load), HTML and Google Fonts, asyncing JS, removing emoji cruft and more.

900K active installs · v3.1.15 · PHP 7.1+ · WP 5.3+ · Updated Mar 14, 2026
Tags: core-web-vitals, images, optimize, pagespeed, performance
Score: 77 (B · Generally Safe)
CVEs total: 10
Unpatched: 0
Last CVE: Dec 3, 2025
Safety Verdict

Is Autoptimize Safe to Use in 2026?

Mostly Safe

Score 77/100

Autoptimize is generally safe to use. 10 past CVEs were resolved. Keep it updated.

10 known CVEs · Last CVE: Dec 3, 2025 · Updated 20d ago
Risk Assessment

Autoptimize v3.1.15 presents a mixed security posture. It demonstrates strong adherence to some security best practices: it has no unprotected entry points (AJAX, REST API, shortcodes) and performs a significant number of capability checks. There are, however, notable areas of concern. The static analysis reveals that 0% of SQL queries use prepared statements, which is a critical security flaw that could lead to SQL injection vulnerabilities. Furthermore, only 33% of output is properly escaped, increasing the risk of Cross-Site Scripting (XSS) attacks. The taint analysis shows four flows with unsanitized paths. Although they are not classified as critical or high severity, they still indicate potential for unintended data manipulation or execution if exploited.

The plugin's vulnerability history is a significant red flag. The 10 known CVEs, including past critical and high severity vulnerabilities such as XSS, information exposure, race conditions, unrestricted file uploads, and PHP Remote File Inclusion, indicate a recurring pattern of security weaknesses. The fact that there are currently no unpatched vulnerabilities is positive, but the sheer volume and types of past issues suggest that the codebase may have inherent complexities that are difficult to secure consistently. The last reported vulnerability date is also in the future (2025), which is likely an error in the data provided, but if taken literally it would be a critical concern.

Key Concerns

  • 0% of SQL queries use prepared statements
  • Only 33% of output escaping is proper
  • 4 unsanitized path taint flows
  • 10 total known CVEs, including critical/high
Vulnerabilities
10

Autoptimize Security Vulnerabilities

CVEs by Year

  • 2017: 1 CVE
  • 2020: 4 CVEs
  • 2021: 1 CVE
  • 2022: 2 CVEs
  • 2023: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • Critical: 2
  • High: 2
  • Medium: 6

10 total CVEs

CVE-2025-13401 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Autoptimize <= 3.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting
Dec 3, 2025 · Patched in 3.1.14 (1d)

CVE-2023-2113 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Autoptimize <= 3.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting via Critical CSS Rules
Apr 25, 2023 · Patched in 3.1.7 (273d)

CVE-2022-4057 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor
Autoptimize <= 3.0.4 - Sensitive Information Disclosure
Dec 5, 2022 · Patched in 3.1.0 (414d)

CVE-2022-2635 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Autoptimize <= 3.1.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Critical CSS Settings
Jul 19, 2022 · Patched in 3.1.1 (553d)

CVE-2021-24332 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Autoptimize <= 2.8.3 - Stored Cross-Site Scripting
May 7, 2021 · Patched in 2.8.4 (991d)

CVE-2021-24376 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
Autoptimize <= 2.7.7 - Arbitrary File Upload (and Remote Code Execution) via Import Settings
Oct 9, 2020 · Patched in 2.7.8 (1201d)

CVE-2021-24378 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Autoptimize <= 2.7.7 - Unsafe File Upload to Cross-Site Scripting
Oct 9, 2020 · Patched in 2.7.8 (1201d)

CVE-2021-24377 · high · 8.1 · Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Autoptimize <= 2.7.7 - Race Condition leading to Remote Code Execution
Oct 9, 2020 · Patched in 2.7.8 (1201d)

CVE-2020-24948 · high · 7.2 · Unrestricted Upload of File with Dangerous Type
Autoptimize <= 2.7.6 - Authenticated Arbitrary File Upload
Aug 24, 2020 · Patched in 2.7.7 (1247d)

WF-0d4e3560-2208-4122-812e-0c506fe45126-autoptimize · critical · 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Autoptimize <= 2.1.0 - Unauthenticated Local File Inclusion
Jun 19, 2017 · Patched in 2.1.1 (2553d)

Code Analysis
Analyzed Mar 16, 2026

Autoptimize Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 7 (0 prepared)
  • Unescaped Output: 124 (60 escaped)
  • Nonce Checks: 11
  • Capability Checks: 25
  • File Operations: 58
  • External Requests: 10
  • Bundled Libraries: 0

SQL Query Safety

0% prepared · 7 total queries

Output Escaping

33% escaped · 184 total outputs

Data Flows: 4 unsanitized

Data Flow Analysis

8 flows · 4 with unsanitized paths
wordpress_notfound_fallback (classes\autoptimizeCache.php:687)
Attack Surface

Autoptimize Attack Surface

Entry Points: 10
Unprotected: 0

AJAX Handlers 10

auth wp_ajax_fetch_critcss classes\autoptimizeCriticalCSSSettingsAjax.php:25
auth wp_ajax_save_critcss classes\autoptimizeCriticalCSSSettingsAjax.php:26
auth wp_ajax_rm_critcss classes\autoptimizeCriticalCSSSettingsAjax.php:27
auth wp_ajax_rm_critcss_all classes\autoptimizeCriticalCSSSettingsAjax.php:28
auth wp_ajax_ao_ccss_export classes\autoptimizeCriticalCSSSettingsAjax.php:29
auth wp_ajax_ao_ccss_import classes\autoptimizeCriticalCSSSettingsAjax.php:30
auth wp_ajax_ao_ccss_queuerunner classes\autoptimizeCriticalCSSSettingsAjax.php:31
auth wp_ajax_ao_ccss_saverules classes\autoptimizeCriticalCSSSettingsAjax.php:32
auth wp_ajax_ao_metabox_ccss_addjob classes\autoptimizeMetabox.php:21
auth wp_ajax_autoptimize_delete_cache classes\autoptimizeToolbar.php:34

WordPress Hooks 102
action admin_notices autoptimize.php:41
action admin_init autoptimize.php:42
action shutdown classes\autoptimizeCache.php:424
action autoptimize_action_cachepurged classes\autoptimizeCache.php:425
action plugins_loaded classes\autoptimizeCacheChecker.php:29
action admin_notices classes\autoptimizeCacheChecker.php:32
filter autoptimize_filter_js_noptimize classes\autoptimizeCompatibility.php:37
filter autoptimize_filter_js_exclude classes\autoptimizeCompatibility.php:42
filter autoptimize_filter_js_removables classes\autoptimizeCompatibility.php:62
filter autoptimize_filter_js_exclude classes\autoptimizeCompatibility.php:78
filter autoptimize_filter_js_exclude classes\autoptimizeCompatibility.php:104
action network_admin_menu classes\autoptimizeConfig.php:41
action admin_menu classes\autoptimizeConfig.php:44
action admin_init classes\autoptimizeConfig.php:45
action admin_init classes\autoptimizeConfig.php:46
filter plugin_row_meta classes\autoptimizeConfig.php:51
action ao_ccss_keychecker classes\autoptimizeCriticalCSSBase.php:91
filter cron_schedules classes\autoptimizeCriticalCSSBase.php:101
filter autoptimize_filter_css_critcss_minify classes\autoptimizeCriticalCSSCore.php:42
filter autoptimize_filter_css_defer_inline classes\autoptimizeCriticalCSSCore.php:43
action autoptimize_action_css_hash classes\autoptimizeCriticalCSSCore.php:47
filter autoptimize_html_after_minify classes\autoptimizeCriticalCSSCore.php:56
filter autoptimize_html_after_minify classes\autoptimizeCriticalCSSCore.php:61
action autoptimize_action_cachepurged classes\autoptimizeCriticalCSSCore.php:81
filter autoptimize_filter_css_inline classes\autoptimizeCriticalCSSCore.php:203
action ao_ccss_queue classes\autoptimizeCriticalCSSCron.php:23
action ao_ccss_maintenance classes\autoptimizeCriticalCSSCron.php:25
filter autoptimize_filter_settingsscreen_tabs classes\autoptimizeCriticalCSSSettings.php:39
action admin_enqueue_scripts classes\autoptimizeCriticalCSSSettings.php:40
action network_admin_menu classes\autoptimizeCriticalCSSSettings.php:43
action admin_menu classes\autoptimizeCriticalCSSSettings.php:45
action admin_enqueue_scripts classes\autoptimizeExitSurvey.php:19
action admin_footer classes\autoptimizeExitSurvey.php:20
action network_admin_menu classes\autoptimizeExtra.php:61
action admin_menu classes\autoptimizeExtra.php:63
filter autoptimize_filter_settingsscreen_tabs classes\autoptimizeExtra.php:65
action wp classes\autoptimizeExtra.php:67
filter tiny_mce_plugins classes\autoptimizeExtra.php:101
filter emoji_svg_url classes\autoptimizeExtra.php:104
filter script_loader_src classes\autoptimizeExtra.php:168
filter style_loader_src classes\autoptimizeExtra.php:169
filter autoptimize_filter_js_exclude classes\autoptimizeExtra.php:175
filter wp_resource_hints classes\autoptimizeExtra.php:180
filter autoptimize_html_after_minify classes\autoptimizeExtra.php:181
filter autoptimize_extra_filter_tobepreconn classes\autoptimizeExtra.php:182
filter elementor/frontend/print_google_fonts classes\autoptimizeExtra.php:189
filter fl_builder_google_fonts_pre_enqueue classes\autoptimizeExtra.php:190
filter wp_resource_hints classes\autoptimizeExtra.php:196
filter autoptimize_html_after_minify classes\autoptimizeExtra.php:201
action wp_enqueue_scripts classes\autoptimizeExtra.php:492
action wp_enqueue_scripts classes\autoptimizeExtra.php:502
action network_admin_menu classes\autoptimizeImages.php:128
action admin_menu classes\autoptimizeImages.php:130
filter autoptimize_filter_settingsscreen_tabs classes\autoptimizeImages.php:132
action wp classes\autoptimizeImages.php:134
filter wp_lazy_loading_enabled classes\autoptimizeImages.php:141
filter autoptimize_html_after_minify classes\autoptimizeImages.php:147
action wp_footer classes\autoptimizeImages.php:153
filter autoptimize_html_after_minify classes\autoptimizeImages.php:166
filter autoptimize_filter_base_replace_cdn classes\autoptimizeImages.php:177
filter autoptimize_html_after_minify classes\autoptimizeImages.php:184
filter autoptimize_extra_filter_tobepreconn classes\autoptimizeImages.php:195
filter wp_lazy_loading_enabled classes\autoptimizeImages.php:204
action wp_footer classes\autoptimizeImages.php:210
action autoptimize_setup_done classes\autoptimizeMain.php:67
action autoptimize_setup_done classes\autoptimizeMain.php:68
action autoptimize_setup_done classes\autoptimizeMain.php:69
action autoptimize_setup_done classes\autoptimizeMain.php:70
action autoptimize_setup_done classes\autoptimizeMain.php:71
action autoptimize_setup_done classes\autoptimizeMain.php:72
action autoptimize_setup_done classes\autoptimizeMain.php:73
action init classes\autoptimizeMain.php:75
action init classes\autoptimizeMain.php:79
action init classes\autoptimizeMain.php:176
filter jetpack_force_disable_site_accelerator classes\autoptimizeMain.php:195
filter jetpack_photon_skip_for_url classes\autoptimizeMain.php:198
action admin_notices classes\autoptimizeMain.php:203
action admin_notices classes\autoptimizeMain.php:204
action admin_notices classes\autoptimizeMain.php:207
action admin_notices classes\autoptimizeMain.php:220
action admin_notices classes\autoptimizeMain.php:221
action template_redirect classes\autoptimizeMain.php:257
action add_meta_boxes classes\autoptimizeMetabox.php:19
action save_post classes\autoptimizeMetabox.php:20
filter pre_update_option classes\autoptimizeOptionWrapper.php:89
filter autoptimize_filter_settingsscreen_tabs classes\autoptimizePartners.php:21
action network_admin_menu classes\autoptimizePartners.php:24
action admin_menu classes\autoptimizePartners.php:26
filter autoptimize_filter_settingsscreen_tabs classes\autoptimizeProTab.php:28
action network_admin_menu classes\autoptimizeProTab.php:31
action admin_menu classes\autoptimizeProTab.php:33
filter autoptimize_js_individual_script classes\autoptimizeSpeedupper.php:21
filter autoptimize_js_after_minify classes\autoptimizeSpeedupper.php:22
filter autoptimize_css_individual_style classes\autoptimizeSpeedupper.php:25
filter autoptimize_css_after_minify classes\autoptimizeSpeedupper.php:26
action wp_loaded classes\autoptimizeToolbar.php:21
action wp classes\autoptimizeToolbar.php:24
action admin_enqueue_scripts classes\autoptimizeToolbar.php:39
action wp_enqueue_scripts classes\autoptimizeToolbar.php:41
action admin_bar_menu classes\autoptimizeToolbar.php:45
action admin_notices classes\autoptimizeVersionUpdatesHandler.php:91
action admin_notices classes\autoptimizeVersionUpdatesHandler.php:112

Scheduled Events 6

ao_ccss_queue
ao_ccss_maintenance
ao_ccss_keychecker
ao_ccss_queue
ao_ccss_maintenance
ao_ccss_queue
Maintenance & Trust

Autoptimize Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 14, 2026
PHP min version: 7.1
Downloads: 43.0M

Community Trust

Rating: 94/100
Number of ratings: 1,422
Active installs: 900K

Developer Profile

Autoptimize Developer Profile

Optimizing Matters

1 plugin · 900K total installs

Trust score: 63
Avg Security Score: 77/100
Avg Patch Time: 964 days
Detection Fingerprints

How We Detect Autoptimize

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/autoptimize/classes/external/php/persist-admin-notices-dismissal/persist-admin-notices-dismissal.php
  • /wp-content/plugins/autoptimize/classes/external/php/jsmin/jsmin.php
  • /wp-content/plugins/autoptimize/classes/external/php/yui-php-cssmin-bundled/cssmin.php
  • /wp-content/plugins/autoptimize/classes/autoptimizeMain.php
  • /wp-content/plugins/autoptimize/classes/autoptimizeConfig.php
  • /wp-content/plugins/autoptimize/classes/autoptimizeUtils.php
  • /wp-content/plugins/autoptimize/classes/autoptimizeCache.php
  • /wp-content/plugins/autoptimize/classes/autoptimizeToolbar.php
  • +2 more
Script Paths
  • /wp-content/plugins/autoptimize/js/autoptimize.js
  • /wp-content/plugins/autoptimize/js/autoptimize-settings.js
Version Parameters
  • /wp-content/plugins/autoptimize/js/autoptimize.js?ver=
  • /wp-content/plugins/autoptimize/js/autoptimize-settings.js?ver=
  • /wp-content/plugins/autoptimize/css/autoptimize.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • autoptimize_banner
  • unslider-arrow
  • autoptimize_meta_box
HTML Comments
  • <!-- Autoptimize BEGIN CSS -->
  • <!-- Autoptimize END CSS -->
  • <!-- Autoptimize BEGIN JS -->
  • <!-- Autoptimize END JS -->
  • +1 more
Data Attributes
  • data-ao-ignore
  • data-ao-parse
JS Globals
  • autoptimizeSettings
  • AO_settings
REST Endpoints
/wp-json/autoptimize/v1/settings
FAQ

Frequently Asked Questions about Autoptimize