Does Core Vitals Monitor have any unpatched vulnerabilities?

No. All known vulnerabilities in Core Vitals Monitor have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Core Vitals Monitor compatible with WordPress 6.1.10?

According to WordPress.org data, Core Vitals Monitor 1.0 has been tested up to WordPress 6.1.10. Check the plugin's changelog for the latest compatibility information.

Is Core Vitals Monitor compatible with PHP 5.4+?

Core Vitals Monitor requires PHP 5.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Core Vitals Monitor updated?

Core Vitals Monitor was last updated on Jan 27, 2023. Frequent updates are generally a positive security signal.

What is Core Vitals Monitor's security score?

Core Vitals Monitor has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Core Vitals Monitor Security & Risk Analysis

wordpress.org/plugins/core-vitals-monitor

Tests performance metrics (security and performance) on- a periodic schedule

0 active installs v1.0 PHP 5.4+ WP 3.0+ Updated Jan 27, 2023

phpsecurityspeedtestwp

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is Core Vitals Monitor Safe to Use in 2026?

Generally Safe

Score 85/100

Core Vitals Monitor has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3yr ago

Risk Assessment

The core-vitals-monitor plugin version 1.0 exhibits a mixed security posture. While it demonstrates strong practices in SQL query handling and output escaping, a significant concern arises from its unprotected entry points. The plugin exposes two AJAX handlers without any authentication or capability checks, creating a direct attack vector for unauthorized actions. The absence of taint analysis data for this version is notable, meaning potential vulnerabilities within data processing flows have not been assessed. Furthermore, the complete lack of nonce checks on its AJAX endpoints amplifies the risk associated with these unprotected handlers. The plugin's vulnerability history is clean, with zero recorded CVEs, which is a positive indicator of past security diligence. However, this lack of history, combined with the identified security flaws, suggests that while it may not have been historically exploited, the current implementation has exploitable weaknesses that could be leveraged by attackers.

Key Concerns

Unprotected AJAX handlers
Missing nonce checks on AJAX
Missing capability checks on AJAX

Vulnerabilities

None known

Core Vitals Monitor Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 17, 2026

Core Vitals Monitor Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

68 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

97% escaped70 total outputs

Attack Surface

2 unprotected

Core Vitals Monitor Attack Surface

Entry Points2

Unprotected2

AJAX Handlers 2

authwp_ajax_km_dba86c5b66802692309f2059adc4includes\class-key-metrics.php:75

authwp_ajax_km_92309f2059adc4dba86c5b668026includes\class-key-metrics.php:76

WordPress Hooks 6

actionadmin_menuincludes\class-key-metrics.php:55

actionkey_metrics_refresh_dataincludes\class-key-metrics.php:56

actionadmin_noticesincludes\class-key-metrics.php:58

filterplugin_action_links_core-vitals-monitor/key-metrics.phpincludes\class-key-metrics.php:59

actionadmin_enqueue_scriptsincludes\class-key-metrics.php:63

filtercron_scheduleskey-metrics.php:57

Scheduled Events 2

key_metrics_refresh_data

Maintenance & Trust

Core Vitals Monitor Maintenance & Trust

Maintenance Signals

WordPress version tested6.1.10

Last updatedJan 27, 2023

PHP min version5.4

Downloads1K

Community Trust

Rating100/100

Number of ratings1

Active installs0

Alternatives

Core Vitals Monitor Alternatives

WPLifeCycle – Free PHP Version Info & Website Manager

free-php-version-info

100

This plugin shows your current PHP version, its lifecycle security support days, and can send version data to the WPLifeCycle for proactive planning.

100 No CVEs

Admin Login Hide – PTI

admin-login-hide-pti

100

Easily hide or customize your WordPress login URL to enhance security and prevent unauthorized access.

10 No CVEs

Custom Login URL Manager – Hide Login Admin URL

custom-login-url-manager

100

Change the default WordPress login URL and redirect unauthorized attempts to a specified page for enhanced security.

0 No CVEs

WPS Hide Login

wps-hide-login

Change wp-login.php to anything you want.

2.0M 10 CVEs

Admin Menu Editor

admin-menu-editor

Lets you edit the WordPress admin menu. You can re-order, hide or rename menus, add custom menus and more.

400K 3 CVEs

Developer Profile

Core Vitals Monitor Developer Profile

speedplussecurity

1 plugin · 0 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Core Vitals Monitor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/core-vitals-monitor/res/cvm_actions.js/wp-content/plugins/core-vitals-monitor/res/cvm_styles.css

Script Paths

/wp-content/plugins/core-vitals-monitor/res/cvm_actions.js

Version Parameters

core-vitals-monitor/key-metrics.php?ver=CORE_VITALS_MONITOR_VERSION

HTML / DOM Fingerprints

JS Globals

window.core_vitals_monitor_ajax_object

REST Endpoints

/wp-json/key_metrics/v1/refresh/wp-json/key_metrics/v1/save

FAQ