EWWW Image Optimizer Security & Risk Analysis

wordpress.org/plugins/ewww-image-optimizer

Comprehensive image optimization that doesn't require a rocket science degree. Optimize images automatically for Faster Sites and Happy Visitors.

1.0M active installs · v8.4.1 · PHP 7.4+ · WP 6.6+ · Updated Feb 19, 2026
Tags: compress, convert, lazy-load, resize, webp
Score: 94 (A · Safe)
CVEs total: 6
Unpatched: 0
Last CVE: Apr 10, 2024
Safety Verdict

Is EWWW Image Optimizer Safe to Use in 2026?

Generally Safe

Score 94/100

EWWW Image Optimizer has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Apr 10, 2024 · Updated 1mo ago
Risk Assessment

The ewww-image-optimizer plugin v8.4.1 exhibits a mixed security posture. On one hand, the plugin demonstrates good practices with a significant number of nonce and capability checks, and a high percentage of SQL queries using prepared statements. There are also no direct external HTTP requests, which generally reduces attack vectors. However, the static analysis reveals concerning areas, including the presence of dangerous functions like `unserialize` and `exec`, and a substantial number of taint flows with unsanitized paths, including critical and high severity ones. This indicates potential for code injection or unauthorized operations if these flows are exploitable.

The vulnerability history shows a total of 6 known CVEs, with one critical unpatched vulnerability (although the data indicates 0 currently unpatched, so this may refer to a prior state or reflect an ambiguity in the data). The common vulnerability types (CSRF, information exposure, code injection, XSS) align with the concerns raised by the taint analysis, particularly around improper input handling. The plugin's past vulnerabilities, especially code injection and XSS, coupled with the current taint analysis findings of unsanitized paths and dangerous functions, warrant careful consideration. While the plugin has a strong foundation in some security aspects, the identified code-level risks and historical vulnerability patterns suggest that ongoing vigilance and thorough testing are crucial.

Key Concerns

  • Critical severity taint flows with unsanitized paths
  • High severity taint flows with unsanitized paths
  • Presence of dangerous functions (unserialize, exec)
  • 1 critical known CVE
  • Taint flows with unsanitized paths present
  • Output escaping not fully implemented (74%)
  • SQL queries not fully prepared (84%)
Vulnerabilities (6)

EWWW Image Optimizer Security Vulnerabilities

CVEs by Year

2014: 1 CVE
2016: 1 CVE
2020: 1 CVE
2023: 2 CVEs
2024: 1 CVE

Severity Breakdown

Critical: 1
Medium: 5

6 total CVEs

CVE-2024-31924 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

EWWW Image Optimizer <= 7.2.3 - Cross-Site Request Forgery

Apr 10, 2024 · Patched in 7.3.0 (28d)

CVE-2023-40600 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

EWWW Image Optimizer <= 7.2.0 - Unauthenticated Sensitive Information Exposure via Debug Log

Nov 14, 2023 · Patched in 7.2.1 (70d)

WF-d7d08bfd-9861-4e21-a696-25b00233ad94-ewww-image-optimizer · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

EWWW Image Optimizer <= 7.2.0 - Sensitive Information Exposure

Sep 8, 2023 · Patched in 7.2.1 (137d)

CVE-2020-36750 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

EWWW Image Optimizer <= 5.8.1 - Cross-Site Request Forgery Bypass

Sep 6, 2020 · Patched in 5.9 (1234d)

CVE-2016-20010 · critical · 9.6 · Improper Control of Generation of Code ('Code Injection')

EWWW Image Optimizer <= 2.8.4 - Remote Code Execution

Jun 8, 2016 · Patched in 2.8.5 (2785d)

CVE-2014-6243 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

EWWW Image Optimizer <= 2.0.1 - Reflected Cross-Site Scripting

Oct 9, 2014 · Patched in 2.0.2 (3393d)
Code Analysis
Analyzed Mar 16, 2026

EWWW Image Optimizer Code Analysis

Dangerous Functions: 24
Raw SQL Queries: 31 (158 prepared)
Unescaped Output: 84 (236 escaped)
Nonce Checks: 82
Capability Checks: 75
File Operations: 50
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

[unserialize] $meta = unserialize( $attachment ); (bulk.php:748)
[unserialize] $meta = unserialize( $attachment ); (bulk.php:794)
[unserialize] $attachments = unserialize( $attachments ); (classes\class-ewww-flag.php:529)
[unserialize] $attachments = unserialize( $attachments ); (classes\class-ewww-nextcellent.php:537)
[unserialize] $attachments = unserialize( $attachments ); (classes\class-ewww-nextgen.php:941)
[exec] exec( $cmd, $output, $exit ); (unique.php:64)
[exec] exec( $cmd, $output, $exit ); (unique.php:67)
[exec] exec( $cmd, $output, $exit ); (unique.php:72)
[exec] exec( $cmd, $output, $exit ); (unique.php:111)
[exec] exec( $cmd, $output, $exit ); (unique.php:185)
[exec] exec( $cmd, $output, $exit ); (unique.php:470)
[exec] exec( $cmd, $output, $exit ); (unique.php:530)
[exec] exec( $cmd, $output, $exit ); (unique.php:561)
[exec] exec( $cmd, $output, $exit ); (unique.php:574)
[exec] exec( $cmd, $output, $exit ); (unique.php:737)
[exec] exec( $cmd, $output, $exit ); (unique.php:766)
[exec] exec( $cmd, $output, $exit ); (unique.php:779)
[exec] exec( $cmd, $output, $exit ); (unique.php:899)
[exec] exec( $cmd, $output, $exit ); (unique.php:1026)
[exec] exec( $cmd, $output, $exit ); (unique.php:1069)
[exec] exec( $cmd, $output, $exit ); (unique.php:1083)
[exec] exec( $cmd, $output, $exit ); (unique.php:1195)
[exec] exec( "$nice " . $tool . " -q $quality $sharp_yuv $resize_string -metadata $copy_opt -quiet " . ewww [truncated] (unique.php:1464)
[exec] exec( "$nice " . $tool . " $lossless -metadata $copy_opt -quiet " . ewww_image_optimizer_escapeshell [truncated] (unique.php:1474)

SQL Query Safety

84% prepared · 189 total queries

Output Escaping

74% escaped · 320 total outputs

Data Flows (13 unsanitized)

Data Flow Analysis

19 flows · 13 with unsanitized paths
ewww_image_optimizer_aux_images_table (aux-optimize.php:80)
[Data flow diagram; legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface

EWWW Image Optimizer Attack Surface

Entry Points: 41
Unprotected: 0

AJAX Handlers (41)

[auth] wp_ajax_bulk_aux_images_table (aux-optimize.php:2232)
[auth] wp_ajax_bulk_aux_images_table_count (aux-optimize.php:2233)
[auth] wp_ajax_bulk_aux_images_table_clear (aux-optimize.php:2234)
[auth] wp_ajax_bulk_aux_images_exclude (aux-optimize.php:2235)
[auth] wp_ajax_bulk_aux_images_remove (aux-optimize.php:2236)
[auth] wp_ajax_bulk_aux_images_restore_original (aux-optimize.php:2237)
[auth] wp_ajax_bulk_aux_images_count_converted (aux-optimize.php:2238)
[auth] wp_ajax_bulk_aux_images_converted_clean (aux-optimize.php:2239)
[auth] wp_ajax_bulk_aux_images_table_clean (aux-optimize.php:2240)
[auth] wp_ajax_bulk_aux_images_meta_clean (aux-optimize.php:2241)
[auth] wp_ajax_bulk_aux_images_webp_clean (aux-optimize.php:2242)
[auth] wp_ajax_bulk_aux_images_delete_webp (aux-optimize.php:2243)
[auth] wp_ajax_bulk_aux_images_delete_original (aux-optimize.php:2244)
[auth] wp_ajax_ewwwio_get_all_attachments (aux-optimize.php:2245)
[auth] wp_ajax_ewwwio_webp_attachment_count (aux-optimize.php:2246)
[auth] wp_ajax_ewww_bulk_async_init (bulk.php:2666)
[auth] wp_ajax_ewww_bulk_async_get_status (bulk.php:2667)
[auth] wp_ajax_bulk_scan (bulk.php:2668)
[auth] wp_ajax_bulk_init (bulk.php:2669)
[auth] wp_ajax_bulk_loop (bulk.php:2670)
[auth] wp_ajax_ewww_bulk_update_meta (bulk.php:2671)
[auth] wp_ajax_bulk_cleanup (bulk.php:2672)
[auth] wp_ajax_bulk_quota_update (bulk.php:2673)
[auth] wp_ajax_ewww_flag_manual (classes\class-ewww-flag.php:43)
[auth] wp_ajax_ewww_flag_image_restore (classes\class-ewww-flag.php:44)
[auth] wp_ajax_bulk_flag_init (classes\class-ewww-flag.php:48)
[auth] wp_ajax_bulk_flag_loop (classes\class-ewww-flag.php:49)
[auth] wp_ajax_bulk_flag_cleanup (classes\class-ewww-flag.php:50)
[auth] wp_ajax_ewww_ngg_manual (classes\class-ewww-nextcellent.php:32)
[auth] wp_ajax_ewww_ngg_cloud_restore (classes\class-ewww-nextcellent.php:33)
[auth] wp_ajax_bulk_ngg_init (classes\class-ewww-nextcellent.php:37)
[auth] wp_ajax_bulk_ngg_loop (classes\class-ewww-nextcellent.php:38)
[auth] wp_ajax_bulk_ngg_cleanup (classes\class-ewww-nextcellent.php:39)
[auth] wp_ajax_ewww_ngg_manual (classes\class-ewww-nextgen.php:47)
[auth] wp_ajax_ewww_ngg_image_restore (classes\class-ewww-nextgen.php:48)
[auth] wp_ajax_bulk_ngg_init (classes\class-ewww-nextgen.php:56)
[auth] wp_ajax_bulk_ngg_loop (classes\class-ewww-nextgen.php:57)
[auth] wp_ajax_bulk_ngg_cleanup (classes\class-ewww-nextgen.php:58)
[auth] wp_ajax_webp_init (mwebp.php:267)
[auth] wp_ajax_webp_loop (mwebp.php:268)
[auth] wp_ajax_webp_cleanup (mwebp.php:269)
WordPress Hooks (74)

[action] admin_action_ewww_image_optimizer_reset_bulk_restore (aux-optimize.php:2248)
[action] admin_action_ewww_image_optimizer_reset_webp_clean (aux-optimize.php:2249)
[filter] admin_footer_text (bulk.php:256)
[filter] admin_footer_text (bulk.php:850)
[filter] upload_dir (bulk.php:1599)
[filter] upload_dir (bulk.php:1602)
[filter] ewww_image_optimizer_allowed_reopt (bulk.php:2253)
[filter] as3cf_pre_update_attachment_metadata (bulk.php:2470)
[filter] w3tc_cdn_update_attachment_metadata (bulk.php:2622)
[action] admin_enqueue_scripts (bulk.php:2664)
[action] admin_enqueue_scripts (bulk.php:2665)
[action] admin_action_ewww_image_optimizer_clear_queue (bulk.php:2675)
[action] admin_action_ewww_image_optimizer_pause_queue (bulk.php:2677)
[action] admin_action_ewww_image_optimizer_resume_queue (bulk.php:2679)
[filter] ewww_image_optimizer_count_optimized_queries (bulk.php:2680)
[filter] cron_schedules (classes\class-background-process.php:134)
[action] init (classes\class-background-process.php:148)
[filter] ewww_image_optimizer_bypass (classes\class-backup.php:91)
[filter] flag_manage_images_columns (classes\class-ewww-flag.php:25)
[action] flag_manage_gallery_custom_column (classes\class-ewww-flag.php:26)
[action] admin_enqueue_scripts (classes\class-ewww-flag.php:27)
[action] flag_manage_images_bulkaction (classes\class-ewww-flag.php:29)
[action] flag_manage_galleries_bulkaction (classes\class-ewww-flag.php:30)
[action] flag_manage_post_processor_images (classes\class-ewww-flag.php:31)
[action] flag_manage_post_processor_galleries (classes\class-ewww-flag.php:32)
[action] flag_image_optimized (classes\class-ewww-flag.php:35)
[action] flag_image_resized (classes\class-ewww-flag.php:36)
[action] flag_image_optimized (classes\class-ewww-flag.php:38)
[action] flag_image_resized (classes\class-ewww-flag.php:39)
[action] flag_thumbnail_created (classes\class-ewww-flag.php:42)
[action] admin_action_ewww_flag_manual (classes\class-ewww-flag.php:45)
[action] admin_menu (classes\class-ewww-flag.php:46)
[action] admin_enqueue_scripts (classes\class-ewww-flag.php:47)
[action] flag_image_optimized (classes\class-ewww-flag.php:401)
[filter] ngg_manage_images_columns (classes\class-ewww-nextcellent.php:24)
[action] ngg_manage_image_custom_column (classes\class-ewww-nextcellent.php:25)
[action] ngg_after_new_images_added (classes\class-ewww-nextcellent.php:27)
[action] ngg_added_new_image (classes\class-ewww-nextcellent.php:29)
[action] admin_enqueue_scripts (classes\class-ewww-nextcellent.php:31)
[action] admin_action_ewww_ngg_manual (classes\class-ewww-nextcellent.php:34)
[action] admin_menu (classes\class-ewww-nextcellent.php:35)
[action] admin_enqueue_scripts (classes\class-ewww-nextcellent.php:36)
[action] ngg_ajax_image_save (classes\class-ewww-nextcellent.php:40)
[filter] ngg_manage_images_number_of_columns (classes\class-ewww-nextgen.php:37)
[filter] ngg_manage_images_columns (classes\class-ewww-nextgen.php:38)
[filter] ngg_manage_images_row_actions (classes\class-ewww-nextgen.php:39)
[action] ngg_added_new_image (classes\class-ewww-nextgen.php:41)
[action] ngg_added_new_image (classes\class-ewww-nextgen.php:44)
[action] admin_action_ewww_ngg_manual (classes\class-ewww-nextgen.php:49)
[action] admin_enqueue_scripts (classes\class-ewww-nextgen.php:50)
[action] admin_menu (classes\class-ewww-nextgen.php:51)
[action] admin_menu (classes\class-ewww-nextgen.php:52)
[action] admin_head (classes\class-ewww-nextgen.php:53)
[action] admin_init (classes\class-ewww-nextgen.php:54)
[action] admin_enqueue_scripts (classes\class-ewww-nextgen.php:55)
[action] ngg_generated_image (classes\class-ewww-nextgen.php:59)
[filter] ngg_get_image_size_params (classes\class-ewww-nextgen.php:60)
[action] admin_head (classes\class-ewww-nextgen.php:903)
[filter] ewww_image_optimizer_timeout (classes\class-ewwwio-cli.php:122)
[filter] ewww_image_optimizer_timeout (classes\class-ewwwio-cli.php:188)
[filter] cron_schedules (classes\class-ewwwio-relative-migration.php:163)
[action] ewww_image_optimizer_relative_migration (classes\class-ewwwio-relative-migration.php:164)
[filter] exactdn_override_image_downsize (classes\class-exactdn.php:3325)
[filter] exactdn_skip_image (classes\class-exactdn.php:3326)
[filter] exactdn_srcset_multipliers (classes\class-exactdn.php:3327)
[filter] autoptimize_filter_html_before_minify (classes\class-lazy-load.php:163)
[filter] eio_lazify_external_css (classes\class-plugin.php:366)
[action] network_admin_notices (ewww-image-optimizer.php:29)
[action] admin_notices (ewww-image-optimizer.php:30)
[action] network_admin_notices (ewww-image-optimizer.php:33)
[action] admin_notices (ewww-image-optimizer.php:34)
[action] admin_enqueue_scripts (mwebp.php:266)
[action] admin_action_ewww_image_optimizer_install_pngout (unique.php:16)
[action] admin_action_ewww_image_optimizer_install_svgcleaner (unique.php:18)

Scheduled Events (1)

ewww_image_optimizer_relative_migration
Maintenance & Trust

EWWW Image Optimizer Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 19, 2026
PHP min version: 7.4
Downloads: 45.2M

Community Trust

Rating: 96/100
Number of ratings: 1,820
Active installs: 1.0M
Developer Profile

EWWW Image Optimizer Developer Profile

nosilver4u

5 plugins · 1.4M total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 1275 days
Detection Fingerprints

How We Detect EWWW Image Optimizer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/ewww-image-optimizer/css/ewww-admin.css
  • /wp-content/plugins/ewww-image-optimizer/css/ewww-admin-common.css
  • /wp-content/plugins/ewww-image-optimizer/css/ewww-bulk.css
  • /wp-content/plugins/ewww-image-optimizer/css/ewww-common.css
  • /wp-content/plugins/ewww-image-optimizer/css/ewww-icons.css
  • /wp-content/plugins/ewww-image-optimizer/css/ewww-settings.css
  • /wp-content/plugins/ewww-image-optimizer/js/ewww-admin.js
  • /wp-content/plugins/ewww-image-optimizer/js/ewww-bulk.js
  • +6 more

Script Paths
  • /wp-content/plugins/ewww-image-optimizer/js/ewww-admin.js
  • /wp-content/plugins/ewww-image-optimizer/js/ewww-bulk.js
  • /wp-content/plugins/ewww-image-optimizer/js/ewww-common.js
  • /wp-content/plugins/ewww-image-optimizer/js/ewww-custom-fields.js
  • /wp-content/plugins/ewww-image-optimizer/js/ewww-gallery.js
  • /wp-content/plugins/ewww-image-optimizer/js/ewww-media-library.js
  • +2 more

Version Parameters
  • ewww-image-optimizer/css/ewww-admin.css?ver=
  • ewww-image-optimizer/css/ewww-admin-common.css?ver=
  • ewww-image-optimizer/css/ewww-bulk.css?ver=
  • ewww-image-optimizer/css/ewww-common.css?ver=
  • ewww-image-optimizer/css/ewww-icons.css?ver=
  • ewww-image-optimizer/css/ewww-settings.css?ver=
  • ewww-image-optimizer/js/ewww-admin.js?ver=
  • ewww-image-optimizer/js/ewww-bulk.js?ver=
  • ewww-image-optimizer/js/ewww-common.js?ver=
  • ewww-image-optimizer/js/ewww-custom-fields.js?ver=
  • ewww-image-optimizer/js/ewww-gallery.js?ver=
  • ewww-image-optimizer/js/ewww-media-library.js?ver=
  • ewww-image-optimizer/js/ewww-rest.js?ver=
  • ewww-image-optimizer/js/ewww-settings.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • ewww-aux-forms
  • ewww-aux-table
  • ewww-bulk-table
  • ewww-tool-divider
  • ewww-tool-info

Data Attributes
  • data-ewww-image-editor-nonce

JS Globals
  • ewww_media_library_bulk_params
  • ewww_gallery_params
  • ewww_custom_fields_params
  • ewww_settings_params
  • ewww_rest_params
  • ewww_bulk_params
  • +2 more

REST Endpoints
  • /wp-json/ewww/v1/media
  • /wp-json/ewww/v1/settings
FAQ

Frequently Asked Questions about EWWW Image Optimizer