Avif Express Security & Risk Analysis

wordpress.org/plugins/avif-express

Autogenerate AVIF images on image upload and serve autogenerated AVIF images instead of JPEG/PNG to browsers that support AVIF.

400 active installs · v2025.08.29 · PHP 7.3+ · WP 6.0+ · Updated Oct 5, 2025
avif · images · performance
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Avif Express Safe to Use in 2026?

Generally Safe

Score 100/100

Avif Express has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 6mo ago
Risk Assessment

The 'avif-express' plugin exhibits a significant security concern due to its large number of unprotected AJAX handlers. While the plugin demonstrates good practices in other areas, such as using prepared statements for all SQL queries and having no recorded vulnerabilities, the 41 unprotected AJAX entry points present a substantial attack surface. This means that any user, authenticated or not, could potentially trigger these handlers, leading to unintended actions or information exposure if the handlers themselves contain logic flaws. The lack of proper nonce checks on all AJAX handlers further exacerbates this risk, making it easier for attackers to craft requests to these endpoints.

Despite the positive signs of secure SQL handling and a clean vulnerability history, the sheer volume of unprotected AJAX handlers is a critical weakness. This oversight could allow for various vulnerabilities, including Cross-Site Request Forgery (CSRF) or information disclosure, depending on the functionality of these handlers. The plugin's limited capability checks also contribute to this concern, as it suggests that access control might not be sufficiently granular.

In conclusion, while 'avif-express' has strengths in areas like database interaction and a lack of historical vulnerabilities, its security posture is severely compromised by the widespread absence of authentication and nonce checks on its AJAX endpoints. This requires immediate attention to mitigate the significant risks posed by this large, unprotected attack surface.

Key Concerns

  • Unprotected AJAX handlers
  • Missing nonce checks on AJAX handlers
  • Insufficient capability checks
  • Low percentage of properly escaped output
Vulnerabilities
None known

Avif Express Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Avif Express Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 43 (23 escaped)
Nonce Checks: 41
Capability Checks: 1
File Operations: 3
External Requests: 4
Bundled Libraries: 0

Output Escaping

35% escaped · 66 total outputs
Data Flows
All sanitized

Data Flow Analysis

13 flows
ajaxSetOperationMode (core\app\common\Options.php:51)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
41 unprotected

Avif Express Attack Surface

Entry Points: 41
Unprotected: 41

AJAX Handlers 41

auth · wp_ajax_ajaxGetAutoConvtStatus · core\app\Routes.php:13
auth · wp_ajax_ajaxSetAutoConvtStatus · core\app\Routes.php:14
auth · wp_ajax_ajaxGetOperationMode · core\app\Routes.php:15
auth · wp_ajax_ajaxSetOperationMode · core\app\Routes.php:16
auth · wp_ajax_ajaxGetImgQuality · core\app\Routes.php:17
auth · wp_ajax_ajaxSetImgQuality · core\app\Routes.php:18
auth · wp_ajax_ajaxGetComSpeed · core\app\Routes.php:19
auth · wp_ajax_ajaxSetComSpeed · core\app\Routes.php:20
auth · wp_ajax_ajaxGetConversionEngine · core\app\Routes.php:21
auth · wp_ajax_ajaxSetConversionEngine · core\app\Routes.php:22
auth · wp_ajax_ajaxGetOnTheFlyAvif · core\app\Routes.php:23
auth · wp_ajax_ajaxSetOnTheFlyAvif · core\app\Routes.php:24
auth · wp_ajax_ajaxGetEnableLogging · core\app\Routes.php:25
auth · wp_ajax_ajaxSetEnableLogging · core\app\Routes.php:26
auth · wp_ajax_ajaxGetApiKey · core\app\Routes.php:27
auth · wp_ajax_ajaxSetApiKey · core\app\Routes.php:28
auth · wp_ajax_ajaxGetFallbackMode · core\app\Routes.php:29
auth · wp_ajax_ajaxSetFallbackMode · core\app\Routes.php:30
auth · wp_ajax_ajaxGetLazyLoad · core\app\Routes.php:32
auth · wp_ajax_ajaxSetLazyLoad · core\app\Routes.php:33
auth · wp_ajax_ajaxGetLazyLoadJsRootMargin · core\app\Routes.php:35
auth · wp_ajax_ajaxSetLazyLoadJsRootMargin · core\app\Routes.php:36
auth · wp_ajax_ajaxGetLazyLoadJsThreshold · core\app\Routes.php:38
auth · wp_ajax_ajaxSetLazyLoadJsThreshold · core\app\Routes.php:39
auth · wp_ajax_ajaxGetLazyBackground · core\app\Routes.php:41
auth · wp_ajax_ajaxSetLazyBackground · core\app\Routes.php:42
auth · wp_ajax_ajaxGetBackgroudConv · core\app\Routes.php:44
auth · wp_ajax_ajaxSetBackgroudConv · core\app\Routes.php:45
auth · wp_ajax_ajaxGetBackgroundConvEvent · core\app\Routes.php:47
auth · wp_ajax_ajaxSetBackgroundConvEvent · core\app\Routes.php:48
auth · wp_ajax_ajaxCountMedia · core\app\Routes.php:50
auth · wp_ajax_ajaxConvertRemaining · core\app\Routes.php:51
auth · wp_ajax_ajaxDeleteAll · core\app\Routes.php:52
auth · wp_ajax_ajaxGetCurrentTheme · core\app\Routes.php:54
auth · wp_ajax_ajaxThemeFilesConvert · core\app\Routes.php:55
auth · wp_ajax_ajaxThemeFilesDelete · core\app\Routes.php:56
auth · wp_ajax_ajaxGetGdInfo · core\app\Routes.php:58
auth · wp_ajax_ajaxGetImagickInfo · core\app\Routes.php:59
auth · wp_ajax_ajaxGetPhpInfo · core\app\Routes.php:60
auth · wp_ajax_ajaxDeleteLogFile · core\app\Routes.php:62
auth · wp_ajax_ajaxIsLogFileExists · core\app\Routes.php:63
WordPress Hooks 6
action · plugins_loaded · avif-express.php:133
action · admin_enqueue_scripts · core\app\backend\Enqueue.php:14
action · admin_menu · core\app\backend\Ui.php:15
action · wp_generate_attachment_metadata · core\app\common\Image.php:23
action · delete_attachment · core\app\common\Image.php:26
action · template_redirect · core\app\frontend\Html.php:48
Maintenance & Trust

Avif Express Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 5, 2025
PHP min version: 7.3
Downloads: 11K

Community Trust

Rating: 76/100
Number of ratings: 9
Active installs: 400
Developer Profile

Avif Express Developer Profile

Pijush Gupta

3 plugins · 400 total installs

Trust score: 87
Avg Security Score: 90/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Avif Express

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/avif-express/core/app/backend/assets/dist/app.js
/wp-content/plugins/avif-express/core/app/backend/assets/dist/app.css
/wp-content/plugins/avif-express/core/app/backend/assets/fonts/fonts.css
Script Paths
/wp-content/plugins/avif-express/core/app/backend/assets/dist/app.js
Version Parameters
avife-vue-script
avife-tailwind-style
avife-font-style

HTML / DOM Fingerprints

JS Globals
AVIFE_TEXT_DOMAIN
AVIFE_ADMIN_MENU_TITLE
AVIFE_ADMIN_MENU_NAME
AVIFE_SPA_SLUG
AVIFE_REL
AVIFE_ABS
+8 more
FAQ

Frequently Asked Questions about Avif Express