Flux Media Optimizer by Flux Plugins Security & Risk Analysis

wordpress.org/plugins/flux-media-optimizer

Automatically optimize images, compress videos, and deliver media via global CDN. Boost Core Web Vitals and SEO with 50-70% smaller file sizes.

0 active installs · v4.1.3 · PHP 8.0+ · WP 5.8+ · Updated Jan 27, 2026
Tags: avif, cdn, media-optimizer, video-compression, webp
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Flux Media Optimizer by Flux Plugins Safe to Use in 2026?

Generally Safe

Score 100/100

Flux Media Optimizer by Flux Plugins has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The flux-media-optimizer plugin v4.1.3 presents a mixed security posture. While it shows good practices in SQL query preparation and output escaping, significant concerns arise from its attack surface. A high proportion of AJAX handlers and REST API routes lack proper authentication and permission checks, creating numerous entry points vulnerable to unauthorized access and manipulation. The presence of dangerous functions like proc_open and shell_exec within the codebase is also a serious red flag, suggesting potential for remote code execution if these functions are improperly handled. Every occurrence flagged in this analysis is in vendor-prefixed Monolog or Symfony library code, so the practical risk depends on whether the plugin's own code passes untrusted input into those library paths.

The vulnerability history is currently clean, with no known CVEs recorded. This, coupled with the absence of critical or high-severity taint flows, might suggest a historically secure plugin or one that has been diligently patched. However, the static analysis clearly indicates latent risks due to the exposed attack surface and the use of powerful, potentially insecure functions. The lack of recorded vulnerabilities does not negate the immediate risks identified in the code itself. Therefore, while the plugin has demonstrated an absence of historical issues, the current version's code analysis warrants caution and immediate attention to secure its exposed endpoints and dangerous function usage.

Key Concerns

  • AJAX handlers without authentication
  • REST API routes without permission callbacks
  • Use of dangerous functions (proc_open, shell_exec, exec)
  • Limited nonce checks
  • Limited capability checks
Vulnerabilities
None known

Flux Media Optimizer by Flux Plugins Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Flux Media Optimizer by Flux Plugins Code Analysis

Dangerous Functions: 16
Raw SQL Queries: 12 (65 prepared)
Unescaped Output: 14 (126 escaped)
Nonce Checks: 4
Capability Checks: 13
File Operations: 108
External Requests: 8
Bundled Libraries: 0

Dangerous Functions Found

  • proc_open (vendor-prefixed\monolog\monolog\src\Monolog\Handler\ProcessHandler.php:116): $this->process = proc_open($this->command, static::DESCRIPTOR_SPEC, $this->pipes, $this->cwd);
  • shell_exec (vendor-prefixed\monolog\monolog\src\Monolog\Processor\GitProcessor.php:67): $branches = shell_exec('git branch -v --no-abbrev');
  • shell_exec (vendor-prefixed\monolog\monolog\src\Monolog\Processor\MercurialProcessor.php:66): $result = explode(' ', trim((string) shell_exec('hg id -nb')));
  • unserialize (vendor-prefixed\symfony\cache\Adapter\ArrayAdapter.php:340): $value = unserialize($value);
  • unserialize (vendor-prefixed\symfony\cache\LockRegistry.php:99): self::$signalingException ??= unserialize("O:9:\"Exception\":1:{s:16:\"\0Exception\0trace\";a:0:{}}"
  • unserialize (vendor-prefixed\symfony\cache\Marshaller\DefaultMarshaller.php:74): if (false !== $value = unserialize($value)) {
  • exec (vendor-prefixed\symfony\process\ExecutableFinder.php:95): $execResult = exec('command -v -- '.escapeshellarg($name));
  • proc_open (vendor-prefixed\symfony\process\Process.php:353): $this->process = @proc_open($commandline, $descriptors, $this->processPipes->pipes, $this->cwd, $env
  • proc_open (vendor-prefixed\symfony\process\Process.php:1261): $isTtySupported = (bool) @proc_open('echo 1 >/dev/null', [['file', '/dev/tty', 'r'], ['file', '/dev/
  • proc_open (vendor-prefixed\symfony\process\Process.php:1284): return $result = (bool) @proc_open('echo 1 >/dev/null', [['pty'], ['pty'], ['pty']], $pipes);
  • exec (vendor-prefixed\symfony\process\Process.php:1524): exec(sprintf('taskkill /F /T /PID %d 2>&1', $pid), $output, $exitCode);
  • proc_open (vendor-prefixed\symfony\process\Process.php:1537): } elseif ($ok = proc_open(sprintf('kill -%d %d', $signal, $pid), [2 => ['pipe', 'w']], $pipes)) {
  • unserialize (vendor-prefixed\symfony\var-exporter\Instantiator.php:52): $instance = unserialize('C:'.\strlen($class).':"'.$class.'":0:{}');
  • unserialize (vendor-prefixed\symfony\var-exporter\Instantiator.php:54): $instance = unserialize('O:'.\strlen($class).':"'.$class.'":0:{}');
  • unserialize (vendor-prefixed\symfony\var-exporter\Internal\Registry.php:43): $objects[$k] = unserialize($v);
  • unserialize (vendor-prefixed\symfony\var-exporter\Internal\Registry.php:94): $proto = @unserialize($proto.\strlen($class).':"'.$class.'":0:{}');

SQL Query Safety

84% prepared · 77 total queries

Output Escaping

90% escaped · 140 total outputs
Attack Surface
12 unprotected

Flux Media Optimizer by Flux Plugins Attack Surface

Entry Points: 16
Unprotected: 12

AJAX Handlers 6

  • auth wp_ajax_flux_media_optimizer_convert_attachment (app\Plugin.php:282)
  • auth wp_ajax_flux_media_optimizer_disable_conversion (app\Plugin.php:283)
  • auth wp_ajax_flux_media_optimizer_enable_conversion (app\Plugin.php:284)
  • auth wp_ajax_flux_media_optimizer_convert_attachment (app\Services\WordPressProvider.php:187)
  • auth wp_ajax_flux_media_optimizer_disable_conversion (app\Services\WordPressProvider.php:188)
  • auth wp_ajax_flux_media_optimizer_enable_conversion (app\Services\WordPressProvider.php:189)

REST API Routes 10

  • GET /wp-json/flux-media-optimizer/v1/conversions/stats (app\Http\Controllers\ConversionsController.php:48)
  • GET /wp-json/flux-media-optimizer/v1/logs (app\Http\Controllers\LogsController.php:48)
  • GET /wp-json/flux-media-optimizer/v1/options (app\Http\Controllers\OptionsController.php:50)
  • GET /wp-json/flux-media-optimizer/v1/status (app\Http\Controllers\StatusController.php:62)
  • POST /wp-json/flux-media-optimizer/v1/webhook (app\Http\Controllers\WebhookController.php:40)
  • GET /wp-json/flux-plugins-common/v1/license (vendor-prefixed\stratease\flux-plugins-common\src\Http\Controllers\LicenseController.php:62)
  • GET /wp-json/flux-plugins-common/v1/license/activate (vendor-prefixed\stratease\flux-plugins-common\src\Http\Controllers\LicenseController.php:70)
  • GET /wp-json/flux-plugins-common/v1/license/validate (vendor-prefixed\stratease\flux-plugins-common\src\Http\Controllers\LicenseController.php:85)
  • GET /wp-json/flux-plugins-common/v1/account-id (vendor-prefixed\stratease\flux-plugins-common\src\Http\Controllers\LicenseController.php:93)
  • GET /wp-json/flux-plugins-common/v1/logs (vendor-prefixed\stratease\flux-plugins-common\src\Http\Controllers\LogsController.php:62)
WordPress Hooks 50

  • action init (app\Http\Controllers\AdminController.php:51)
  • action admin_enqueue_scripts (app\Http\Controllers\AdminController.php:53)
  • action init (app\Plugin.php:94)
  • action init (app\Plugin.php:128)
  • action admin_enqueue_scripts (app\Plugin.php:157)
  • action rest_api_init (app\Plugin.php:191)
  • action flux_media_optimizer_bulk_discovery (app\Services\ActionSchedulerService.php:96)
  • action flux_media_optimizer_convert_attachment (app\Services\ActionSchedulerService.php:99)
  • action flux_media_optimizer_retry_failed_jobs (app\Services\ExternalOptimizationProvider.php:75)
  • filter wp_update_attachment_metadata (app\Services\WordPressProvider.php:174)
  • filter update_attached_file (app\Services\WordPressProvider.php:179)
  • filter wp_save_image_editor_file (app\Services\WordPressProvider.php:184)
  • action flux_media_optimizer_process_video (app\Services\WordPressProvider.php:192)
  • action init (app\Services\WordPressProvider.php:200)
  • filter image_downsize (app\Services\WordPressProvider.php:210)
  • filter wp_get_attachment_url (app\Services\WordPressProvider.php:215)
  • filter wp_get_attachment_image_src (app\Services\WordPressProvider.php:218)
  • filter rest_prepare_attachment (app\Services\WordPressProvider.php:222)
  • filter wp_calculate_image_srcset (app\Services\WordPressProvider.php:224)
  • filter wp_content_img_tag (app\Services\WordPressProvider.php:229)
  • filter the_content (app\Services\WordPressProvider.php:230)
  • filter render_block (app\Services\WordPressProvider.php:231)
  • filter post_thumbnail_html (app\Services\WordPressProvider.php:234)
  • filter wp_get_attachment_image (app\Services\WordPressProvider.php:235)
  • filter attachment_fields_to_edit (app\Services\WordPressProvider.php:238)
  • action delete_attachment (app\Services\WordPressProvider.php:242)
  • action shutdown (app\Services\WordPressProvider.php:1404)
  • action admin_notices (flux-media-optimizer.php:65)
  • action admin_notices (flux-media-optimizer.php:73)
  • action admin_notices (flux-media-optimizer.php:129)
  • action plugins_loaded (flux-media-optimizer.php:166)
  • action admin_init (flux-media-optimizer.php:169)
  • action init (flux-media-optimizer.php:183)
  • action admin_notices (vendor-prefixed\stratease\flux-plugins-common\src\Compatibility\CompatibilityNoticeHandler.php:83)
  • action init (vendor-prefixed\stratease\flux-plugins-common\src\FluxPlugins.php:115)
  • action admin_init (vendor-prefixed\stratease\flux-plugins-common\src\FluxPlugins.php:118)
  • action admin_notices (vendor-prefixed\stratease\flux-plugins-common\src\FluxPlugins.php:186)
  • action init (vendor-prefixed\stratease\flux-plugins-common\src\Services\CompatibilityService.php:132)
  • action admin_init (vendor-prefixed\stratease\flux-plugins-common\src\Services\CompatibilityService.php:135)
  • action admin_enqueue_scripts (vendor-prefixed\stratease\flux-plugins-common\src\Services\CompatibilityService.php:249)
  • action init (vendor-prefixed\stratease\flux-plugins-common\src\Services\MenuService.php:148)
  • action admin_menu (vendor-prefixed\stratease\flux-plugins-common\src\Services\MenuService.php:196)
  • action admin_menu (vendor-prefixed\stratease\flux-plugins-common\src\Services\MenuService.php:238)
  • action admin_menu (vendor-prefixed\stratease\flux-plugins-common\src\Services\MenuService.php:286)
  • action admin_menu (vendor-prefixed\stratease\flux-plugins-common\src\Services\MenuService.php:347)
  • action admin_menu (vendor-prefixed\stratease\flux-plugins-common\src\Services\MenuService.php:437)
  • action admin_enqueue_scripts (vendor-prefixed\stratease\flux-plugins-common\src\Services\MenuService.php:799)
  • action admin_enqueue_scripts (vendor-prefixed\stratease\flux-plugins-common\src\Services\MenuService.php:923)
  • action rest_api_init (vendor-prefixed\stratease\flux-plugins-common\src\Services\RestApiService.php:104)
  • action admin_menu (vendor-prefixed\stratease\flux-plugins-common\src\WordPress\MenuService.php:112)

Scheduled Events 2

flux_media_optimizer_retry_failed_jobs
flux_media_optimizer_cleanup
Maintenance & Trust

Flux Media Optimizer by Flux Plugins Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 27, 2026
PHP min version: 8.0
Downloads: 347

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 0
Developer Profile

Flux Media Optimizer by Flux Plugins Developer Profile

edaniels

2 plugins · 0 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Flux Media Optimizer by Flux Plugins

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/flux-media-optimizer/src/assets/common/css/flux-plugins.css
  • /wp-content/plugins/flux-media-optimizer/src/assets/common/js/flux-plugins.js
  • /wp-content/plugins/flux-media-optimizer/src/assets/js/admin.js
  • /wp-content/plugins/flux-media-optimizer/src/assets/css/admin.css
Script Paths
  • /wp-content/plugins/flux-media-optimizer/src/assets/common/js/flux-plugins.js
  • /wp-content/plugins/flux-media-optimizer/src/assets/js/admin.js
Version Parameters
  • flux-media-optimizer/src/assets/common/css/flux-plugins.css?ver=
  • flux-media-optimizer/src/assets/common/js/flux-plugins.js?ver=
  • flux-media-optimizer/src/assets/js/admin.js?ver=
  • flux-media-optimizer/src/assets/css/admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
flux-plugins-admin
HTML Comments
  • <!-- Flux Plugins Framework -->
  • <!-- Flux Media Optimizer Plugin -->
Data Attributes
data-flux-plugins-admin
JS Globals
FluxPluginsAdmin
REST Endpoints
  • /wp-json/fmo/v1/settings
  • /wp-json/fmo/v1/optimization
  • /wp-json/fmo/v1/usage