Core Web Vitals & PageSpeed Booster Security & Risk Analysis

wordpress.org/plugins/core-web-vitals-pagespeed-booster

Core Web Vitals (CWV) is the new ranking factor

1K active installs · v1.0.28 · PHP + · WP 3.0+ · Updated Jan 27, 2026
Tags: cache, core-web-vitals, optimization, pagespeed, performance
Score: 76 (B · Generally Safe)
CVEs total: 2
Unpatched: 1
Last CVE: Dec 31, 2025
Safety Verdict

Is Core Web Vitals & PageSpeed Booster Safe to Use in 2026?

Mostly Safe

Score 76/100

Core Web Vitals & PageSpeed Booster is generally safe to use. 2 past CVEs were resolved. Keep it updated.

2 known CVEs · 1 unpatched · Last CVE: Dec 31, 2025 · Updated 2mo ago
Risk Assessment

The 'core-web-vitals-pagespeed-booster' plugin v1.0.28 exhibits a mixed security posture. While it demonstrates good practices in SQL query preparation and output escaping, several concerns are present. The plugin has a notable attack surface with 15 AJAX handlers, one of which is not protected by any authentication checks, posing a significant risk for unauthorized actions. The presence of the `create_function` dangerous function is also a concern, as it can lead to code injection vulnerabilities if not handled with extreme care. Taint analysis, while not revealing critical or high severity flaws, did identify flows with unsanitized paths, which could potentially be exploited in conjunction with other vulnerabilities.

The plugin's vulnerability history shows a pattern of medium severity issues, specifically Missing Authorization and Open Redirects. One of the two known CVEs remains unpatched, and the most recent vulnerability was reported on 2025-12-31, which is alarming. This indicates a lack of timely patching and potentially an ongoing security oversight. The combination of an unprotected entry point, historical vulnerabilities related to authorization and redirection, and the presence of dangerous functions suggests that this plugin requires careful review and potential remediation before widespread use.

In conclusion, while the plugin incorporates some robust security measures like prepared statements and proper output escaping, the unprotected AJAX handler, historical vulnerability trends, and the presence of dangerous code constructs significantly detract from its overall security. The unpatched CVE is a critical red flag. Users should be cautious and ensure the plugin is updated to address all known vulnerabilities. Further in-depth analysis of the unsanitized path flows is also recommended.

Key Concerns

  • Unprotected AJAX handler
  • Dangerous function 'create_function' used
  • Flows with unsanitized paths
  • 1 unpatched CVE (medium severity)
  • Historical medium severity CVEs (Missing Auth, Open Redirect)
  • Bundled library 'DataTables'
Vulnerabilities: 2

Core Web Vitals & PageSpeed Booster Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2025: 1 CVE · unpatched

Severity Breakdown

  • Medium: 2

2 total CVEs

CVE-2025-62144 · medium · 4.3 · Missing Authorization

Core Web Vitals & PageSpeed Booster <= 1.0.27 - Missing Authorization

Dec 31, 2025 · Unpatched

CVE-2023-35883 · medium · 4.7 · URL Redirection to Untrusted Site ('Open Redirect')

Core Web Vitals & PageSpeed Booster <= 1.0.12 - Open Redirect via _wp_http_referer

Jun 19, 2023 · Patched in 1.0.13 (218d)
Code Analysis
Analyzed Mar 16, 2026

Core Web Vitals & PageSpeed Booster Code Analysis

  • Dangerous Functions: 12
  • Raw SQL Queries: 14 (101 prepared)
  • Unescaped Output: 58 (205 escaped)
  • Nonce Checks: 18
  • Capability Checks: 21
  • File Operations: 16
  • External Requests: 8
  • Bundled Libraries: 1

Dangerous Functions Found

  • create_function · `$this->callback = create_function($paramList, $code);` · includes\images\phpQuery-onefile.php:1011
  • create_function · `create_function('$node', '` · includes\images\phpQuery-onefile.php:2048
  • create_function · `create_function('$node', '` · includes\images\phpQuery-onefile.php:2055
  • create_function · `create_function('$node', '` · includes\images\phpQuery-onefile.php:2070
  • create_function · `create_function('$node',` · includes\images\phpQuery-onefile.php:2076
  • create_function · `create_function('$node',` · includes\images\phpQuery-onefile.php:2087
  • create_function · `create_function('$node', 'return pq($node)->prevAll()->size() == 0 ? $node : null;')` · includes\images\phpQuery-onefile.php:2093
  • create_function · `create_function('$node', 'return pq($node)->nextAll()->size() == 0 ? $node : null;')` · includes\images\phpQuery-onefile.php:2098
  • create_function · `create_function('$node, $param',` · includes\images\phpQuery-onefile.php:2111
  • create_function · `create_function('$node, $param',` · includes\images\phpQuery-onefile.php:2124
  • create_function · `create_function('$node, $index',` · includes\images\phpQuery-onefile.php:2164
  • create_function · `create_function('$m',` · includes\images\phpQuery-onefile.php:4642

Bundled Libraries

DataTables

SQL Query Safety

88% prepared · 115 total queries

Output Escaping

78% escaped · 263 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

13 flows · 3 with unsanitized paths
get_asset (includes\cache\class-cwvpsb-cache-disk.php:90)
Attack Surface
1 unprotected

Core Web Vitals & PageSpeed Booster Attack Surface

Entry Points: 15
Unprotected: 1

AJAX Handlers 15

  • auth · wp_ajax_cwvpsb_subscribe_to_news_letter · includes\admin\class-cwvpb-newsletter.php:22
  • auth · wp_ajax_list_files_to_convert · includes\admin\class-cwvpsb-admin-settings.php:11
  • auth · wp_ajax_webvital_webp_convert_file · includes\admin\class-cwvpsb-admin-settings.php:12
  • auth · wp_ajax_get_images_count · includes\admin\class-cwvpsb-admin-settings.php:13
  • auth · wp_ajax_cwvpsb_purge_cache · includes\admin\class-cwvpsb-admin-settings.php:1222
  • auth · wp_ajax_cwvpsb_update_critical_css_stat · includes\admin\class-cwvpsb-admin-settings.php:1223
  • auth · wp_ajax_cwvpsb_showdetails_data · includes\admin\class-cwvpsb-admin-settings.php:1224
  • auth · wp_ajax_cwv_send_feedback · includes\admin\helper-function.php:114
  • auth · wp_ajax_cwvpsb_send_query_message · includes\admin\helper-function.php:207
  • auth · wp_ajax_cwvpsb_resend_urls_for_cache · includes\css\class-cwvpsb-critical-css.php:53
  • auth · wp_ajax_cwvpsb_resend_single_url_for_cache · includes\css\class-cwvpsb-critical-css.php:54
  • auth · wp_ajax_cwvpsb_reset_urls_cache · includes\css\class-cwvpsb-critical-css.php:55
  • auth · wp_ajax_cwvpsb_recheck_urls_cache · includes\css\class-cwvpsb-critical-css.php:56
  • auth · wp_ajax_cwvpsb_cc_all_cron · includes\css\class-cwvpsb-critical-css.php:57
  • auth · wp_ajax_cwvpsb_clear_cached_css · includes\functions.php:98

WordPress Hooks 71

  • action · plugins_loaded · core-web-vitals-pagespeed-booster.php:69
  • filter · wp_handle_upload · core-web-vitals-pagespeed-booster.php:72
  • action · upgrader_process_complete · core-web-vitals-pagespeed-booster.php:198
  • action · update_option_cwvpsb_get_settings · core-web-vitals-pagespeed-booster.php:212
  • filter · cwvpsb_localize_filter · includes\admin\class-cwvpb-newsletter.php:21
  • action · admin_menu · includes\admin\class-cwvpsb-admin-settings.php:8
  • action · admin_init · includes\admin\class-cwvpsb-admin-settings.php:9
  • action · init · includes\admin\class-cwvpsb-admin-settings.php:10
  • action · admin_bar_menu · includes\admin\class-cwvpsb-admin-settings.php:14
  • action · admin_enqueue_scripts · includes\admin\helper-function.php:118
  • filter · admin_footer · includes\admin\helper-function.php:138
  • action · init · includes\cache\class-cwvpsb-cache.php:26
  • action · _core_updated_successfully · includes\cache\class-cwvpsb-cache.php:34
  • action · switch_theme · includes\cache\class-cwvpsb-cache.php:41
  • action · wp_trash_post · includes\cache\class-cwvpsb-cache.php:48
  • action · init · includes\cache\class-cwvpsb-cache.php:56
  • action · transition_post_status · includes\cache\class-cwvpsb-cache.php:64
  • action · sanitize_comment_cookies · includes\cache\class-cwvpsb-cache.php:76
  • filter · cwvpsb_complete_html_after_dom_loaded · includes\cache\class-cwvpsb-cache.php:84
  • action · init · includes\cache\class-cwvpsb-cache.php:92
  • action · cwvpsb_autoclear_cron · includes\cache\class-cwvpsb-cache.php:93
  • action · network_admin_notices · includes\cache\class-cwvpsb-cache.php:319
  • action · admin_notices · includes\cache\class-cwvpsb-cache.php:337
  • action · admin_notices · includes\cache\class-cwvpsb-cache.php:357
  • action · admin_notices · includes\css\class-cwvpsb-critical-css.php:35
  • action · wp · includes\css\class-cwvpsb-critical-css.php:37
  • action · create_term · includes\css\class-cwvpsb-critical-css.php:40
  • action · save_post · includes\css\class-cwvpsb-critical-css.php:44
  • action · wp_insert_post · includes\css\class-cwvpsb-critical-css.php:47
  • action · wp_head · includes\css\class-cwvpsb-critical-css.php:51
  • filter · cron_schedules · includes\css\class-cwvpsb-critical-css.php:59
  • action · isa_add_every_one_hour · includes\css\class-cwvpsb-critical-css.php:63
  • action · current_screen · includes\css\class-cwvpsb-critical-css.php:67
  • filter · cwvpsb_complete_html_after_dom_loaded · includes\css\class-cwvpsb-critical-css.php:110
  • filter · cwvpsb_complete_html_after_dom_loaded · includes\css\google-fonts.php:6
  • filter · cwvpsb_complete_html_after_dom_loaded · includes\css\minify.php:6
  • filter · cwvpsb_complete_html_after_dom_loaded · includes\css\unused-css.php:5
  • action · cwvpsb_css_whitelist_data · includes\css\unused-css.php:35
  • filter · cwvpsb_whitelist_css · includes\css\unused-css.php:56
  • filter · cwvpsb_whitelist_css_code · includes\css\unused-css.php:65
  • action · wp · includes\functions.php:30
  • action · plugins_loaded · includes\functions.php:45
  • action · init · includes\functions.php:93
  • action · admin_enqueue_scripts · includes\functions.php:227
  • filter · cwvpsb_complete_html_after_dom_loaded · includes\functions.php:251
  • filter · cwvpsb_complete_html_after_dom_loaded · includes\functions.php:260
  • action · current_screen · includes\functions.php:348
  • filter · admin_footer_text · includes\functions.php:353
  • filter · update_footer · includes\functions.php:354
  • action · pre_amp_render_post · includes\functions.php:359
  • action · wp · includes\functions.php:364
  • filter · cwvpsb_complete_html_after_dom_loaded · includes\functions.php:386
  • filter · the_content · includes\functions.php:390
  • action · wp_footer · includes\functions.php:403
  • filter · get_avatar · includes\gravatar.php:6
  • action · delete_gravatars_folder · includes\gravatar.php:42
  • action · wp_enqueue_scripts · includes\images\class-cwv-lazy-loading.php:50
  • filter · cwvpsb_complete_html_after_dom_loaded · includes\images\class-cwv-lazy-loading.php:53
  • filter · cwvpsb_complete_html_after_dom_loaded · includes\images\class-cwv-lazy-loading.php:55
  • filter · rocket_delay_js_exclusions · includes\images\class-cwv-lazy-loading.php:59
  • action · wp · includes\images\convert-webp.php:7
  • filter · cwvpsb_complete_html_after_dom_loaded · includes\images\convert-webp.php:10
  • filter · cwvpsb_complete_html_after_dom_loaded · includes\images\convert-webp.php:12
  • filter · rocket_delay_js_exclusions · includes\javascript\delay-js.php:57
  • filter · cwvpsb_complete_html_after_dom_loaded · includes\javascript\delay-js.php:60
  • filter · cwvpsb_complete_html_after_dom_loaded · includes\javascript\delay-js.php:61
  • action · wp_footer · includes\javascript\delay-js.php:62
  • action · wp · includes\javascript\delay-js.php:64
  • action · wp_enqueue_scripts · includes\javascript\delay-js.php:203
  • filter · script_loader_src · includes\javascript\delay-js.php:285
  • filter · cwvpsb_complete_html_after_dom_loaded · includes\javascript\delay-jswithjs.php:6

Scheduled Events 3

cwvpsb_autoclear_cron
isa_add_every_one_hour
delete_gravatars_folder
Maintenance & Trust

Core Web Vitals & PageSpeed Booster Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 27, 2026
PHP min version
Downloads: 97K

Community Trust

Rating: 78/100
Number of ratings: 15
Active installs: 1K
Developer Profile

Core Web Vitals & PageSpeed Booster Developer Profile

Mohammed Kaludi

3 plugins · 91K total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 416 days
Detection Fingerprints

How We Detect Core Web Vitals & PageSpeed Booster

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/core-web-vitals-pagespeed-booster/assets/css/cwvpsb-admin.css
  • /wp-content/plugins/core-web-vitals-pagespeed-booster/assets/js/cwvpsb-admin.js
  • /wp-content/plugins/core-web-vitals-pagespeed-booster/assets/js/cwvpsb-frontend.js

Script Paths

  • /wp-content/plugins/core-web-vitals-pagespeed-booster/assets/js/cwvpsb-frontend.js

Version Parameters

  • core-web-vitals-pagespeed-booster/assets/css/cwvpsb-admin.css?ver=
  • core-web-vitals-pagespeed-booster/assets/js/cwvpsb-admin.js?ver=
  • core-web-vitals-pagespeed-booster/assets/js/cwvpsb-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
cwvpsb-admin-page
HTML Comments
CWVPSB Rules
Data Attributes
data-cwvpsb-nonce
data-cwvpsb-url
JS Globals
cwvpsb_ajax_object