Does Cloudflare have any unpatched vulnerabilities?

No. All known vulnerabilities in Cloudflare have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Cloudflare compatible with WordPress 6.9.0?

According to WordPress.org data, Cloudflare 4.14.2 has been tested up to WordPress 6.9.0. Check the plugin's changelog for the latest compatibility information.

Is Cloudflare compatible with PHP 7.4+?

Cloudflare requires PHP 7.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Cloudflare updated?

Cloudflare was last updated on Dec 22, 2025. Frequent updates are generally a positive security signal.

What is Cloudflare's security score?

Cloudflare has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Cloudflare Security & Risk Analysis

wordpress.org/plugins/cloudflare

All of Cloudflare’s performance and security benefits in a simple one-click install.

200K active installs v4.14.2 PHP 7.4+ WP 5.0+ Updated Dec 22, 2025

cloudflareddosseospeedssl

A · Safe

CVEs total2

Unpatched0

Last CVEJan 4, 2024

Plugin page Download

Safety Verdict

Is Cloudflare Safe to Use in 2026?

Generally Safe

Score 99/100

Cloudflare has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Jan 4, 2024Updated 3mo ago

Risk Assessment

The Cloudflare plugin v4.14.2 exhibits a mixed security posture. While it demonstrates strong practices in other areas, a critical concern arises from its single unprotected AJAX handler, representing the entire attack surface entry point. This lack of authentication check on an AJAX endpoint presents a significant risk for unauthorized actions or data manipulation if an attacker can trigger this handler. The plugin's vulnerability history, with a past high-severity vulnerability related to missing authorization and a medium-severity cross-site scripting issue, further highlights the importance of robust access controls, especially for publicly accessible entry points.

Despite the presence of a nonce check and capability check, the uncovered AJAX handler remains a substantial weakness. The plugin does utilize prepared statements for all SQL queries, which is a positive indicator of secure database interaction. However, the 50% rate of improperly escaped output is also a concern, potentially leading to cross-site scripting vulnerabilities. The limited taint analysis data is inconclusive but doesn't negate the risks identified by the static analysis and vulnerability history. Overall, while the plugin shows good practices in areas like SQL querying, the unprotected AJAX endpoint and past vulnerability trends necessitate careful attention to mitigate potential exploitation.

Key Concerns

Unprotected AJAX handler
Half of outputs improperly escaped
Past high severity vulnerability (Missing Authorization)
Past medium severity vulnerability (XSS)

Vulnerabilities

Cloudflare Security Vulnerabilities

CVEs by Year

1 CVE in 2016

2016

1 CVE in 2024

2024

Patched Has unpatched

Severity Breakdown

High

Medium

2 total CVEs

CVE-2024-0212medium · 6.4Missing Authorization

Cloudflare <= 4.12.2 - Missing Authorization via initProxy

Jan 4, 2024 Patched in 4.12.3 (34d)

WF-b8d63789-16b3-443b-8dcb-67b1e5e25d20-cloudflarehigh · 7.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cloudflare < 1.3.21 - Cross-Site Scripting

Mar 28, 2016 Patched in 1.3.21 (2857d)

Code Analysis

Analyzed Mar 16, 2026

Cloudflare Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

4 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Select2

Output Escaping

50% escaped8 total outputs

Attack Surface

1 unprotected

Cloudflare Attack Surface

Entry Points1

Unprotected1

AJAX Handlers 1

authwp_ajax_cloudflare_proxycloudflare.loader.php:50

WordPress Hooks 15

actionplugins_loadedcloudflare.loader.php:27

actionplugins_loadedcloudflare.loader.php:39

actioninitcloudflare.loader.php:43

actioninitcloudflare.loader.php:46

actionadmin_menucloudflare.loader.php:53

actionplugin_action_links_cloudflare/cloudflare.phpcloudflare.loader.php:56

actiontransition_post_statuscloudflare.loader.php:114

actiontransition_comment_statuscloudflare.loader.php:119

actioncomment_postcloudflare.loader.php:120

actionwp_headsrc\WordPress\HTTP2ServerPush.php:29

filterautoptimize_filter_cache_getnamesrc\WordPress\HTTP2ServerPush.php:33

filterscript_loader_srcsrc\WordPress\HTTP2ServerPush.php:35

filterstyle_loader_srcsrc\WordPress\HTTP2ServerPush.php:38

filterscript_loader_srcsrc\WordPress\HTTP2ServerPush.php:42

filterstyle_loader_srcsrc\WordPress\HTTP2ServerPush.php:43

Maintenance & Trust

Cloudflare Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.0

Last updatedDec 22, 2025

PHP min version7.4

Downloads9.2M

Community Trust

Rating70/100

Number of ratings179

Active installs200K

Alternatives

Cloudflare Alternatives

LiteSpeed Cache

litespeed-cache

All-in-one unbeatable acceleration & PageSpeed improvement: caching, image/CSS/JS optimization...

7.0M 18 CVEs

SpeedyCache – Cache, Optimization, Performance

speedycache

SpeedyCache is a WordPress cache plugin that helps you improve performance of your WordPress site by caching, minifying, and compressing your website.

600K 4 CVEs