GTmetrix for WordPress Security & Risk Analysis

wordpress.org/plugins/gtmetrix-for-wordpress

GTmetrix can help you develop a faster, more efficient, and all-around improved website experience for your users. Your users will love you for it.

9K active installs · v0.4.8 · PHP + WP 3.3.1+ · Updated Aug 25, 2023
Tags: analytics, gtmetrix, monitoring, optimization, page-speed

Security score: 84 (B · Generally Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Jul 19, 2023
Safety Verdict

Is GTmetrix for WordPress Safe to Use in 2026?

Mostly Safe

Score 84/100

GTmetrix for WordPress is generally safe to use, though it hasn't been updated recently. All 3 past CVEs have been resolved. Keep it updated.

3 known CVEs · Last CVE: Jul 19, 2023 · Updated 2yr ago
Risk Assessment

The gtmetrix-for-wordpress plugin version 0.4.8 presents a mixed security posture. On the positive side, it demonstrates good practices such as using prepared statements for all SQL queries and a reasonable percentage of properly escaped outputs. The absence of critical or high severity vulnerabilities in its history, and no currently unpatched CVEs, are also encouraging signs. However, several areas raise significant concerns. The presence of 3 AJAX handlers without authentication checks creates a direct attack vector, allowing unauthorized users to potentially trigger plugin functionalities. Furthermore, the use of dangerous functions like `unserialize` and `create_function` indicates potential vulnerabilities if inputs are not meticulously sanitized, as hinted by the taint analysis showing flows with unsanitized paths. While the historical medium severity vulnerabilities (CSRF and XSS) are patched, their recurrence pattern suggests that the plugin might have underlying architectural weaknesses that need constant vigilance and patching.

Key Concerns

  • 3 AJAX handlers without auth checks
  • 2 flows with unsanitized paths
  • Dangerous functions: unserialize, create_function
  • 72% output properly escaped (below 90%)
  • 2 external HTTP requests
Vulnerabilities (3)

GTmetrix for WordPress Security Vulnerabilities

CVEs by Year

2023: 3 CVEs (all patched)

Severity Breakdown

Medium: 3 (3 total CVEs)

CVE-2023-37996 · Medium (4.3) · Cross-Site Request Forgery (CSRF)

GTmetrix for WordPress <= 0.4.7 - Cross-Site Request Forgery

Jul 19, 2023 · Patched in 0.4.8 (188 days)

CVE-2023-32503 · Medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

GTmetrix for WordPress <= 0.4.6 - Reflected Cross-Site Scripting via 'report_id' and 'event_id'

May 9, 2023 · Patched in 0.4.7 (259 days)

CVE-2023-23677 · Medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

GTmetrix for WordPress <= 0.4.5 - Reflected Cross-Site Scripting via 'url'

Mar 2, 2023 · Patched in 0.4.6 (327 days)
Code Analysis (analyzed Mar 16, 2026)

GTmetrix for WordPress Code Analysis

  • Dangerous Functions: 3
  • Raw SQL Queries: 0 (1 prepared)
  • Unescaped Output: 54 (141 escaped)
  • Nonce Checks: 5
  • Capability Checks: 2
  • File Operations: 0
  • External Requests: 2
  • Bundled Libraries: 0

Dangerous Functions Found

  • `unserialize` · gtmetrix-for-wordpress.php:193
    foreach ( unserialize( $event_custom['gfw_notifications'][0] ) as $key => $value ) {
  • `create_function` · gtmetrix-for-wordpress.php:279
    add_filter( 'wp_mail_content_type', create_function( '', 'return "text/html";' ) );
  • `unserialize` · gtmetrix-for-wordpress.php:1356
    $notifications = unserialize( $custom_fields['gfw_notifications'][0] );

SQL Query Safety

100% prepared (1 total query)

Output Escaping

72% escaped (195 total outputs)

Data Flows (2 unsanitized)

Data Flow Analysis

4 flows, 2 with unsanitized paths

  • expand_report_callback (gtmetrix-for-wordpress.php:938)
Attack Surface (3 unprotected)

GTmetrix for WordPress Attack Surface

Entry Points: 8
Unprotected: 3

AJAX Handlers (8)

  • auth · wp_ajax_autocomplete · gtmetrix-for-wordpress.php:43
  • auth · wp_ajax_save_report · gtmetrix-for-wordpress.php:44
  • auth · wp_ajax_delete_report · gtmetrix-for-wordpress.php:45
  • auth · wp_ajax_delete_event · gtmetrix-for-wordpress.php:46
  • auth · wp_ajax_pause_event · gtmetrix-for-wordpress.php:47
  • auth · wp_ajax_expand_report · gtmetrix-for-wordpress.php:48
  • auth · wp_ajax_report_graph · gtmetrix-for-wordpress.php:49
  • auth · wp_ajax_reset · gtmetrix-for-wordpress.php:50
WordPress Hooks (16)

  • action · init · gtmetrix-for-wordpress.php:31
  • action · admin_init · gtmetrix-for-wordpress.php:32
  • action · admin_init · gtmetrix-for-wordpress.php:33
  • action · admin_menu · gtmetrix-for-wordpress.php:34
  • action · admin_print_styles · gtmetrix-for-wordpress.php:35
  • action · admin_notices · gtmetrix-for-wordpress.php:36
  • action · admin_bar_menu · gtmetrix-for-wordpress.php:37
  • action · wp_dashboard_setup · gtmetrix-for-wordpress.php:38
  • action · gfw_hourly_event · gtmetrix-for-wordpress.php:39
  • action · gfw_daily_event · gtmetrix-for-wordpress.php:40
  • action · gfw_weekly_event · gtmetrix-for-wordpress.php:41
  • action · gfw_monthly_event · gtmetrix-for-wordpress.php:42
  • action · widgets_init · gtmetrix-for-wordpress.php:51
  • filter · cron_schedules · gtmetrix-for-wordpress.php:52
  • filter · plugin_row_meta · gtmetrix-for-wordpress.php:53
  • filter · wp_mail_content_type · gtmetrix-for-wordpress.php:279

Scheduled Events (4)

  • gfw_hourly_event
  • gfw_daily_event
  • gfw_weekly_event
  • gfw_monthly_event
Maintenance & Trust

GTmetrix for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.0.11
Last updated: Aug 25, 2023
PHP min version: not listed
Downloads: 262K

Community Trust

Rating: 96/100
Number of ratings: 14
Active installs: 9K
Developer Profile

GTmetrix for WordPress Developer Profile

GTmetrix

1 plugin · 9K total installs

Trust score: 68
Avg Security Score: 84/100
Avg Patch Time: 258 days
Detection Fingerprints

How We Detect GTmetrix for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/gtmetrix-for-wordpress/css/admin.css
  • /wp-content/plugins/gtmetrix-for-wordpress/css/dashboard.css
  • /wp-content/plugins/gtmetrix-for-wordpress/js/admin.js
  • /wp-content/plugins/gtmetrix-for-wordpress/js/dashboard.js
  • /wp-content/plugins/gtmetrix-for-wordpress/js/gtmetrix.js

Script Paths
  • /wp-content/plugins/gtmetrix-for-wordpress/js/admin.js
  • /wp-content/plugins/gtmetrix-for-wordpress/js/dashboard.js
  • /wp-content/plugins/gtmetrix-for-wordpress/js/gtmetrix.js

Version Parameters
  • gtmetrix-for-wordpress/css/admin.css?ver=
  • gtmetrix-for-wordpress/css/dashboard.css?ver=
  • gtmetrix-for-wordpress/js/admin.js?ver=
  • gtmetrix-for-wordpress/js/dashboard.js?ver=
  • gtmetrix-for-wordpress/js/gtmetrix.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • gfw-widget-title
  • gtmetrix-report-link
  • gtmetrix-report-details

HTML Comments
  • GTmetrix for WordPress
  • Plugin Name: GTmetrix for WordPress

Data Attributes
  • data-gfw-url
  • data-gfw-api-key

JS Globals
  • gfw_ajax_object
  • GFW_WP_VERSION
  • GFW_VERSION
  • GFW_USER_AGENT
  • GFW_TIMEZONE
  • GFW_AUTHORIZED
  • +7 more

REST Endpoints
  • /wp-json/gtmetrix/v1/test
  • /wp-json/gtmetrix/v1/reports

Shortcode Output
  • [gtmetrix_report]
  • [gtmetrix_score]
FAQ

Frequently Asked Questions about GTmetrix for WordPress