WP-Safety

Offload, AI & Optimize with Cloudflare Images Security & Risk Analysis

wordpress.org/plugins/cf-images

Offload you media library images to the Cloudflare Images service. Store, resize, optimize and deliver images in a fast and secure manner.

1K active installs v1.9.8 PHP 7.0+ WP 5.6+ Updated Dec 30, 2025
cdncloudflare-imagescompressimage-aioptimize
99
A · Safe
CVEs total1
Unpatched0
Last CVENov 20, 2025
Plugin page Download
Safety Verdict

Is Offload, AI & Optimize with Cloudflare Images Safe to Use in 2026?

Generally Safe

Score 99/100

Offload, AI & Optimize with Cloudflare Images has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Nov 20, 2025Updated 3mo ago
Risk Assessment

The "cf-images" v1.9.8 plugin exhibits a concerning security posture, primarily due to a significant number of unprotected AJAX handlers. While the plugin demonstrates good practices in output escaping and uses prepared statements for a majority of its SQL queries, the lack of authorization checks on all identified entry points presents a major risk. This indicates that any user, regardless of their role or permissions, could potentially interact with and trigger functionality via these AJAX endpoints, leading to unintended actions or data exposure.

The static analysis reveals no critical or high-severity issues in taint analysis, and the plugin avoids dangerous functions. However, the presence of a past medium-severity vulnerability related to missing authorization suggests a recurring pattern of insecure access control. The fact that this vulnerability is marked as patched is positive, but the ongoing large attack surface without authentication is a persistent concern. The plugin also has a limited number of nonces and capability checks relative to its unprotected entry points.

In conclusion, while the plugin has some positive security attributes like strong output escaping, the overwhelming presence of unprotected AJAX handlers creates a substantial risk of privilege escalation or unauthorized actions. The past vulnerability history reinforces the need for robust authentication and authorization mechanisms on all user-facing functionalities. The plugin would benefit greatly from implementing proper authorization checks on all its AJAX endpoints to mitigate these risks.

Key Concerns

  • All AJAX handlers lack authorization checks
  • Large attack surface without authentication
  • Low number of nonce checks
  • Low number of capability checks
  • Past medium severity vulnerability (Missing Authorization)
Vulnerabilities
1

Offload, AI & Optimize with Cloudflare Images Security Vulnerabilities

CVEs by Year

1 CVE in 2025
2025
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2025-66104medium · 4.3Missing Authorization

Offload, AI & Optimize with Cloudflare Images <= 1.9.5 - Missing Authorization

Nov 20, 2025 Patched in 1.9.6 (31d)
Code Analysis
Analyzed Mar 16, 2026

Offload, AI & Optimize with Cloudflare Images Code Analysis

Dangerous Functions
0
Raw SQL Queries
1
2 prepared
Unescaped Output
1
68 escaped
Nonce Checks
2
Capability Checks
3
File Operations
10
External Requests
3
Bundled Libraries
0

SQL Query Safety

67% prepared3 total queries

Output Escaping

99% escaped69 total outputs
Attack Surface
29 unprotected

Offload, AI & Optimize with Cloudflare Images Attack Surface

Entry Points29
Unprotected29

AJAX Handlers 29

authwp_ajax_cf_images_do_setupapp\class-admin.php:60
authwp_ajax_cf_images_disconnectapp\class-admin.php:61
authwp_ajax_cf_images_hide_sidebarapp\class-admin.php:62
authwp_ajax_cf_images_check_statusapp\class-admin.php:63
authwp_ajax_cf_images_offload_imageapp\class-admin.php:65
authwp_ajax_cf_images_bulk_processapp\class-admin.php:66
authwp_ajax_cf_images_skip_imageapp\class-admin.php:67
authwp_ajax_cf_images_undo_imageapp\class-admin.php:68
authwp_ajax_cf_images_delete_imageapp\class-admin.php:69
authwp_ajax_cf_images_restore_imageapp\class-admin.php:70
authwp_ajax_cf_images_update_settingsapp\class-settings.php:62
authwp_ajax_cf_images_set_custom_domainapp\class-settings.php:63
authwp_ajax_flatsome_additional_variation_images_load_images_ajax_frontendapp\integrations\class-flatsome.php:35
noprivwp_ajax_flatsome_additional_variation_images_load_images_ajax_frontendapp\integrations\class-flatsome.php:36
authwp_ajax_cf_images_update_integrationsapp\integrations\class-integration.php:66
authwp_ajax_cf_images_set_ttlapp\modules\class-cache-ttl.php:43
authwp_ajax_cf_image_enable_cdnapp\modules\class-cdn.php:53
authwp_ajax_cf_image_purge_cdn_cacheapp\modules\class-cdn.php:54
authwp_ajax_cf_image_cdn_statusapp\modules\class-cdn.php:55
authwp_ajax_cf_images_get_cf_statusapp\modules\class-custom-path.php:44
authwp_ajax_cf_images_ai_captionapp\modules\class-image-ai.php:48
authwp_ajax_cf_images_ai_loginapp\modules\class-image-ai.php:59
authwp_ajax_cf_images_ai_disconnectapp\modules\class-image-ai.php:60
authwp_ajax_cf_images_ai_saveapp\modules\class-image-ai.php:61
authwp_ajax_cf_images_compressapp\modules\class-image-compress.php:59
authwp_ajax_cf_images_ai_generateapp\modules\class-image-generate.php:42
authwp_ajax_cf_images_get_logsapp\modules\class-logging.php:54
authwp_ajax_cf_images_clear_logsapp\modules\class-logging.php:55
authwp_ajax_cf_images_reset_ignoredapp\modules\class-service.php:40
WordPress Hooks 90
actionshutdownapp\async\class-task.php:131
filterwp_die_handlerapp\async\class-task.php:193
actionadmin_enqueue_scriptsapp\class-admin.php:52
actionadmin_enqueue_scriptsapp\class-admin.php:53
actionadmin_menuapp\class-admin.php:55
filterplugin_action_links_cf-images/cf-images.phpapp\class-admin.php:56
actioncf_images_errorapp\class-core.php:120
actionadmin_initapp\class-core.php:121
actionadmin_initapp\class-core.php:122
actionadmin_enqueue_scriptsapp\class-media.php:47
filtermanage_media_columnsapp\class-media.php:49
actionmanage_media_custom_columnapp\class-media.php:50
filterwp_prepare_attachment_for_jsapp\class-media.php:51
filtermanage_upload_sortable_columnsapp\class-media.php:54
actionrestrict_manage_postsapp\class-media.php:57
actionpre_get_postsapp\class-media.php:58
actiondelete_attachmentapp\class-media.php:61
filterbulk_actions-uploadapp\class-media.php:64
filterhandle_bulk_actions-uploadapp\class-media.php:65
actionadmin_noticesapp\class-media.php:66
filterwp_get_attachment_urlapp\integrations\class-acf.php:33
actionwp_headapp\integrations\class-aio-seo.php:53
actionwp_headapp\integrations\class-aio-seo.php:54
filtercf_images_skip_imageapp\integrations\class-aio-seo.php:89
filterelementor/widget/render_contentapp\integrations\class-elementor.php:41
filterwp_get_attachment_image_srcapp\integrations\class-flatsome.php:46
filtercf_images_i10napp\integrations\class-integration.php:61
filtercf_images_integration_optionsapp\integrations\class-integration.php:62
filtercf_images_integration_option_valueapp\integrations\class-integration.php:63
filtervc_wpb_getimagesizeapp\integrations\class-js-composer.php:38
filtercf_images_attachment_metaapp\integrations\class-multisite-global-media.php:40
filterwp_get_attachment_metadataapp\integrations\class-multisite-global-media.php:41
actioninitapp\integrations\class-rank-math.php:69
filterrank_math/replacementsapp\integrations\class-rank-math.php:70
filtercf_images_skip_imageapp\integrations\class-rank-math.php:71
actioncf_images_get_attachment_image_srcapp\integrations\class-rank-math.php:72
actionshortpixel/image/optimisedapp\integrations\class-shortpixel.php:37
actionshortpixel/image/after_restoreapp\integrations\class-shortpixel.php:38
filtercf_images_content_attachment_idapp\integrations\class-spectra.php:33
filteruagb_block_attributes_for_css_and_jsapp\integrations\class-spectra.php:34
filtercf_images_media_post_idapp\integrations\class-wpml.php:41
actioncf_images_before_wp_queryapp\integrations\class-wpml.php:42
actioncf_images_upload_successapp\integrations\class-wpml.php:43
actioncf_images_remove_successapp\integrations\class-wpml.php:44
filtercf_images_wp_query_argsapp\integrations\class-wpml.php:45
actionadmin_initapp\modules\class-auto-offload.php:39
actionrest_insert_attachmentapp\modules\class-auto-offload.php:40
filterwp_generate_attachment_metadataapp\modules\class-auto-offload.php:51
filterwp_update_attachment_metadataapp\modules\class-auto-offload.php:52
filterwp_async_wp_generate_attachment_metadataapp\modules\class-auto-offload.php:54
filterwp_async_wp_save_image_editor_fileapp\modules\class-auto-offload.php:55
filtercf_images_replace_pathsapp\modules\class-auto-resize.php:48
filtercf_images_default_settingsapp\modules\class-cdn.php:37
filtercf_images_core_module_statusapp\modules\class-cdn.php:38
actioncf_images_save_settingsapp\modules\class-cdn.php:39
filtercf_images_module_statusapp\modules\class-cdn.php:48
actioncf_images_cdn_statusapp\modules\class-cdn.php:49
actionadmin_initapp\modules\class-cdn.php:50
actioninitapp\modules\class-cloudflare-images.php:93
filterwp_get_attachment_image_srcapp\modules\class-cloudflare-images.php:100
filterwp_prepare_attachment_for_jsapp\modules\class-cloudflare-images.php:101
filterwp_calculate_image_srcsetapp\modules\class-cloudflare-images.php:102
filterwp_get_attachment_urlapp\modules\class-cloudflare-images.php:105
filterwp_content_img_tagapp\modules\class-cloudflare-images.php:108
filterwp_resource_hintsapp\modules\class-cloudflare-images.php:111
filtercf_images_upload_dataapp\modules\class-custom-id.php:34
filtercf_images_default_settingsapp\modules\class-custom-path.php:39
actioncf_images_save_settingsapp\modules\class-custom-path.php:40
filtercf_images_module_statusapp\modules\class-custom-path.php:41
filtercf_images_hashapp\modules\class-custom-path.php:54
filterbig_image_size_thresholdapp\modules\class-disable-generation.php:34
filterintermediate_image_sizes_advancedapp\modules\class-disable-generation.php:35
filtercf_images_bulk_actionsapp\modules\class-full-offload.php:47
filtercf_images_wp_query_argsapp\modules\class-full-offload.php:48
actioncf_images_bulk_stepapp\modules\class-full-offload.php:49
filtercf_images_bulk_actionsapp\modules\class-image-ai.php:43
filtercf_images_wp_query_argsapp\modules\class-image-ai.php:44
actioncf_images_bulk_stepapp\modules\class-image-ai.php:45
filtercf_images_hashapp\modules\class-image-ai.php:157
actioncf_images_media_custom_columnapp\modules\class-image-compress.php:50
actioncf_images_media_module_actionsapp\modules\class-image-compress.php:51
filtercf_images_bulk_actionsapp\modules\class-image-compress.php:54
filtercf_images_wp_query_argsapp\modules\class-image-compress.php:55
actioncf_images_bulk_stepapp\modules\class-image-compress.php:56
actioncf_images_logapp\modules\class-logging.php:51
filtercf_images_module_enabledapp\modules\class-module.php:72
actioncf_images_save_settingsapp\modules\class-multisite.php:46
filtercf_images_settingsapp\modules\class-multisite.php:47
filtercf_images_default_settingsapp\modules\class-page-parser.php:45
actiontemplate_redirectapp\modules\class-page-parser.php:58

Scheduled Events 1

cf_images_cdn_status
Maintenance & Trust

Offload, AI & Optimize with Cloudflare Images Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedDec 30, 2025
PHP min version7.0
Downloads36K

Community Trust

Rating98/100
Number of ratings34
Active installs1K
Alternatives

Offload, AI & Optimize with Cloudflare Images Alternatives

Image Optimizer, Resizer and CDN – Sirv

Image Optimizer, Resizer and CDN – Sirv

sirv

B
81

Serve perfectly optimized images, videos, models and 360 spins. The best WordPress & WooCommerce CDN plugin for media.

1K 12 CVEs
Flux Media Optimizer by Flux Plugins

Flux Media Optimizer by Flux Plugins

flux-media-optimizer

A
100

Automatically optimize images, compress videos, and deliver media via global CDN. Boost Core Web Vitals and SEO with 50-70% smaller file sizes.

0 No CVEs
Imagify Image Optimization – Optimize Images | Compress Images | Convert WebP | Convert AVIF

Imagify Image Optimization – Optimize Images | Compress Images | Convert WebP | Convert AVIF

imagify

A
100

Optimize images in 1-click: compress images, convert to WebP & AVIF, resize, and boost your site with the easiest WordPress image optimization plugin!

1.0M No CVEs
Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP & AVIF | Image CDN

Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP & AVIF | Image CDN

wp-smushit

A
93

Optimize and compress images with lossless and lossy compression, lazy load, WebP & AVIF conversion, and global image CDN.

1.0M 6 CVEs
W3 Total Cache

W3 Total Cache

w3-total-cache

B
75

Search Engine (SEO) & Performance Optimization (WPO) via caching. Integrated caching: CDN, Page, Minify, Object, Fragment, Database support.

900K 28 CVEs
Developer Profile

Offload, AI & Optimize with Cloudflare Images Developer Profile

Anton Vanyukov

2 plugins · 2K total installs

93
trust score
Avg Security Score
98/100
Avg Patch Time
12 days
View full developer profile
Detection Fingerprints

How We Detect Offload, AI & Optimize with Cloudflare Images

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cf-images/assets/css/admin.css/wp-content/plugins/cf-images/assets/css/frontend.css/wp-content/plugins/cf-images/assets/js/admin.js/wp-content/plugins/cf-images/assets/js/frontend.js
Script Paths
/wp-content/plugins/cf-images/assets/js/admin.js/wp-content/plugins/cf-images/assets/js/frontend.js
Version Parameters
cf-images/assets/css/admin.css?ver=cf-images/assets/css/frontend.css?ver=cf-images/assets/js/admin.js?ver=cf-images/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
cf-image-wrappercf-image-settings
HTML Comments
<!-- cf-images begin shortcode --><!-- cf-images end shortcode -->
Data Attributes
data-cfimages-settings
JS Globals
cfImagesAdmincfImagesFrontend
REST Endpoints
/wp-json/cf-images/v1/settings
Shortcode Output
<div class="cf-image-wrapper"><img src="" alt="" loading="lazy"/>
FAQ

Frequently Asked Questions about Offload, AI & Optimize with Cloudflare Images