F12 Profiler Security & Risk Analysis

wordpress.org/plugins/f12-profiler

Comprehensive WordPress performance analysis with crawling, load time measurement, server diagnostics, and integrated optimization tools. Free.

500 active installs · v2.1.0 · PHP 8.0+ · WP 6.0+ · Updated Feb 13, 2026
cache · optimization · pagespeed · performance · speed
99
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Feb 24, 2025
Safety Verdict

Is F12 Profiler Safe to Use in 2026?

Generally Safe

Score 99/100

F12 Profiler has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Feb 24, 2025 · Updated 1mo ago
Risk Assessment

The 'f12-profiler' v2.1.0 plugin presents a mixed security posture. On the positive side, the plugin demonstrates good practices by implementing nonce checks and capability checks for its single AJAX entry point, indicating an effort to protect against unauthorized access. The high percentage of SQL queries using prepared statements and properly escaped output also suggests a conscientious approach to preventing common web vulnerabilities. However, the presence of the `unserialize` function is a significant concern, as it can lead to remote code execution if not handled with extreme care and proper input validation.

The static analysis shows that while the attack surface is small and protected, the use of a dangerous function like `unserialize` requires careful scrutiny. Taint analysis did not reveal critical or high-severity unsanitized paths, which is a positive indicator, but the lack of detail on the specific flows analyzed limits a comprehensive understanding of this area.

The vulnerability history shows one past medium-severity Cross-Site Request Forgery (CSRF) vulnerability. It is reported as patched, but the existence of even one CVE indicates that the plugin has had security flaws. The absence of recent critical or high-severity vulnerabilities is encouraging, but the history suggests that the plugin is not entirely immune to security weaknesses. Overall, the plugin has strengths in its access control and query sanitization, but the `unserialize` function poses a notable risk that requires vigilant oversight and secure coding practices.

Key Concerns

  • Dangerous function 'unserialize' found
  • One past medium severity CVE
Vulnerabilities
1

F12 Profiler Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-27340 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

F12-Profiler <= 1.3.9 - Cross-Site Request Forgery

Feb 24, 2025 · Patched in 1.4.0 (40d)
Code Analysis
Analyzed Mar 16, 2026

F12 Profiler Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 74 (164 prepared)
Unescaped Output: 3 (16 escaped)
Nonce Checks: 1
Capability Checks: 6
File Operations: 68
External Requests: 23
Bundled Libraries: 0

Dangerous Functions Found

unserialize (src\Core\LicenseManager.php:217): `$decoded = @unserialize(base64_decode($raw));`

SQL Query Safety

69% prepared · 238 total queries

Output Escaping

84% escaped · 19 total outputs
Data Flows
6 unsanitized

Data Flow Analysis

6 flows · 6 with unsanitized paths
outputMarker (src\Crawler\CrawlTimingMarker.php:26)
Attack Surface

F12 Profiler Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers 1

auth wp_ajax_f12_prof_dismiss_notice (src\Automation\NotificationManager.php:22)
WordPress Hooks 68
action init (f12-profiler.php:26)
action plugins_loaded (f12-profiler.php:35)
action plugins_loaded (f12-profiler.php:36)
action plugins_loaded (f12-profiler.php:37)
action plugins_loaded (f12-profiler.php:40)
action plugins_loaded (f12-profiler.php:41)
action plugins_loaded (f12-profiler.php:42)
action plugins_loaded (f12-profiler.php:43)
action plugins_loaded (f12-profiler.php:44)
action plugins_loaded (f12-profiler.php:45)
action plugins_loaded (f12-profiler.php:46)
action wp_loaded (f12-profiler.php:50)
action plugins_loaded (f12-profiler.php:62)
action admin_notices (src\Admin\AdminPage.php:84)
action f12_prof_crawl_completed (src\Automation\NotificationManager.php:18)
action admin_notices (src\Automation\NotificationManager.php:21)
action admin_init (src\Automation\ScheduledCleanup.php:17)
filter cron_schedules (src\Automation\ScheduledCrawl.php:18)
action admin_init (src\Automation\ScheduledCrawl.php:31)
action admin_init (src\Core\Plugin.php:39)
action admin_menu (src\Core\Plugin.php:52)
action admin_enqueue_scripts (src\Core\Plugin.php:53)
action admin_bar_menu (src\Core\Plugin.php:58)
action wp_head (src\Core\Plugin.php:59)
action admin_head (src\Core\Plugin.php:60)
action rest_api_init (src\Core\Plugin.php:63)
action shutdown (src\Crawler\CrawlTimingMarker.php:23)
filter pre_http_request (src\Profiler\HttpTracker.php:14)
action http_api_debug (src\Profiler\HttpTracker.php:15)
filter query (src\Profiler\RequestProfiler.php:105)
action after_setup_theme (src\Profiler\RequestProfiler.php:113)
action init (src\Profiler\RequestProfiler.php:114)
action wp_loaded (src\Profiler\RequestProfiler.php:115)
action template_redirect (src\Profiler\RequestProfiler.php:116)
action wp_head (src\Profiler\RequestProfiler.php:117)
action wp_footer (src\Profiler\RequestProfiler.php:118)
action shutdown (src\Profiler\RequestProfiler.php:119)
filter style_loader_src (src\Tools\AssetMinifier.php:38)
filter script_loader_src (src\Tools\AssetMinifier.php:41)
action wp_enqueue_scripts (src\Tools\AssetScanner.php:63)
action save_post (src\Tools\AssetScanQueue.php:191)
action init (src\Tools\BloatRemover.php:44)
action init (src\Tools\BloatRemover.php:49)
action init (src\Tools\BloatRemover.php:54)
action init (src\Tools\BloatRemover.php:59)
action init (src\Tools\BloatRemover.php:64)
action wp_enqueue_scripts (src\Tools\BloatRemover.php:69)
action wp_default_scripts (src\Tools\BloatRemover.php:74)
filter script_loader_src (src\Tools\BloatRemover.php:79)
filter style_loader_src (src\Tools\BloatRemover.php:80)
action wp_enqueue_scripts (src\Tools\BloatRemover.php:87)
filter heartbeat_settings (src\Tools\BloatRemover.php:89)
filter xmlrpc_enabled (src\Tools\BloatRemover.php:95)
filter wp_headers (src\Tools\BloatRemover.php:96)
action init (src\Tools\BloatRemover.php:97)
filter tiny_mce_plugins (src\Tools\BloatRemover.php:115)
filter emoji_svg_url (src\Tools\BloatRemover.php:119)
filter wp_resource_hints (src\Tools\BloatRemover.php:122)
filter embed_oembed_discover (src\Tools\BloatRemover.php:142)
action wp_enqueue_scripts (src\Tools\BloatRemover.php:145)
filter xmlrpc_methods (src\Tools\BloatRemover.php:250)
filter style_loader_src (src\Tools\FontDisplayOptimizer.php:30)
action template_redirect (src\Tools\FontDisplayOptimizer.php:33)
action template_redirect (src\Tools\HtmlMinifier.php:32)
action template_redirect (src\Tools\ImageDimensionInjector.php:32)
action template_redirect (src\Tools\LazyLoader.php:28)
action wp_enqueue_scripts (src\Tools\ScriptDeferManager.php:38)
filter script_loader_tag (src\Tools\ScriptDeferManager.php:42)
Maintenance & Trust

F12 Profiler Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 13, 2026
PHP min version: 8.0
Downloads: 46K

Community Trust

Rating: 76/100
Number of ratings: 5
Active installs: 500
Developer Profile

F12 Profiler Developer Profile

Forge12 Interactive GmbH

6 plugins · 12K total installs

Trust score: 87
Avg Security Score: 99/100
Avg Patch Time: 76 days
Detection Fingerprints

How We Detect F12 Profiler

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/f12-profiler/build/f12-profiler.css
/wp-content/plugins/f12-profiler/build/f12-profiler.js
Script Paths
/wp-content/plugins/f12-profiler/build/f12-profiler.js
Version Parameters
/wp-content/plugins/f12-profiler/build/f12-profiler.css?ver=
/wp-content/plugins/f12-profiler/build/f12-profiler.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-f12-profiler-license-active
data-f12-profiler-license-plan
data-f12-profiler-license-expires
data-f12-profiler-pro-plugin-active
JS Globals
f12ProfData
REST Endpoints
/wp-json/f12-prof/v1/
FAQ

Frequently Asked Questions about F12 Profiler