Does HTTP Requests Manager have any unpatched vulnerabilities?

No. All known vulnerabilities in HTTP Requests Manager have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is HTTP Requests Manager compatible with WordPress 6.9.4?

According to WordPress.org data, HTTP Requests Manager 1.3.10 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

How often is HTTP Requests Manager updated?

HTTP Requests Manager was last updated on Mar 6, 2026. Frequent updates are generally a positive security signal.

What is HTTP Requests Manager's security score?

HTTP Requests Manager has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

HTTP Requests Manager Security & Risk Analysis

wordpress.org/plugins/http-requests-manager

Limit, Debug, Optimize WP_HTTP requests. Limit by request count, page load time, reduce timeout for each request. Speed up login and admin pages.

1K active installs v1.3.10 PHP + WP 4.7+ Updated Mar 6, 2026

debuglimitlogoptimizationwp_http

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is HTTP Requests Manager Safe to Use in 2026?

Generally Safe

Score 100/100

HTTP Requests Manager has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 29d ago

Risk Assessment

The 'http-requests-manager' plugin, version 1.3.10, presents a significant security risk due to its unprotected AJAX handlers. All 8 identified AJAX entry points lack authentication checks, meaning any unauthenticated user could potentially trigger these functions. While the plugin doesn't exhibit known vulnerabilities or critical code signals like dangerous functions or unsanitized taint flows, the sheer number of unprotected entry points creates a substantial attack surface. The limited output escaping also raises concerns about potential cross-site scripting (XSS) vulnerabilities, although the specific impact is unclear without deeper code review. The absence of recorded vulnerabilities historically is a positive sign, suggesting the developers might be attentive to security. However, this should not overshadow the immediate risks posed by the unprotected AJAX handlers. The plugin has a moderate security posture, with notable weaknesses in access control for its AJAX endpoints that demand immediate attention.

Key Concerns

8 AJAX handlers without auth checks
Only 32% of outputs properly escaped

Vulnerabilities

None known

HTTP Requests Manager Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

HTTP Requests Manager Code Analysis

Dangerous Functions

Raw SQL Queries

15 prepared

Unescaped Output

24 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

79% prepared19 total queries

Output Escaping

32% escaped76 total outputs

Attack Surface

8 unprotected

HTTP Requests Manager Attack Surface

Entry Points8

Unprotected8

AJAX Handlers 8

authwp_ajax_vphrm_queryhttp-requests-manager.php:160

authwp_ajax_vphrm_clearhttp-requests-manager.php:161

authwp_ajax_vphrm_mode_changehttp-requests-manager.php:162

authwp_ajax_vphrm_disable_logginghttp-requests-manager.php:163

authwp_ajax_vphrm_load_must_usehttp-requests-manager.php:164

authwp_ajax_vphrm_save_viewhttp-requests-manager.php:165

authwp_ajax_vphrm_custom_rule_savehttp-requests-manager.php:166

authwp_ajax_vphrm_custom_rule_deletehttp-requests-manager.php:167

WordPress Hooks 26

actionshutdownhttp-requests-manager.php:131

actioninithttp-requests-manager.php:139

filterhttp_request_argshttp-requests-manager.php:140

filterpre_http_requesthttp-requests-manager.php:141

actionhttp_api_debughttp-requests-manager.php:142

actionvphrm_cleanup_cronhttp-requests-manager.php:143

actionpre_get_ready_cron_jobshttp-requests-manager.php:144

actionadmin_menuhttp-requests-manager.php:149

actionadmin_enqueue_scriptshttp-requests-manager.php:150

actionadmin_noticeshttp-requests-manager.php:151

filterplugin_action_linkshttp-requests-manager.php:152

actionplugin_loadedhttp-requests-manager.php:1849

actionplugins_loadedhttp-requests-manager.php:1852

actionplugins_loadedhttp-requests-manager.php:1853

actionmuplugins_loadedhttp-requests-manager.php:1854

filterhttp_request_timeouthttp-requests-manager.php:2742

filterhttp_request_redirection_counthttp-requests-manager.php:2743

filterhttp_request_argshttp-requests-manager.php:2746

filterpre_http_requesthttp-requests-manager.php:2749

actionpre_pinghttp-requests-manager.php:2754

filterenclosure_linkshttp-requests-manager.php:2757

filtersite_transient_update_pluginshttp-requests-manager.php:2760

filtersite_transient_update_themeshttp-requests-manager.php:2761

filtersite_transient_update_corehttp-requests-manager.php:2762

actionpre_get_ready_cron_jobshttp-requests-manager.php:2979

actionshutdownhttp-requests-manager.php:2982

Scheduled Events 1

vphrm_cleanup_cron

Maintenance & Trust

HTTP Requests Manager Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedMar 6, 2026

PHP min version

Downloads13K

Community Trust

Rating100/100

Number of ratings8

Active installs1K

Alternatives

HTTP Requests Manager Alternatives

Robin Image Optimizer – Unlimited Image Optimization & WebP Converter

robin-image-optimizer

Unlimited automatic image optimization for WordPress. Compress images, convert to WebP, and improve site speed without losing image quality.

100K 2 CVEs

WPS Limit Login

wps-limit-login

WPS Limit login limit connection attempts by IP address

100K 3 CVEs

Titan Anti-spam & Security

anti-spam

Block spam comments, defend against login attempts, and strengthen site security with anti-spam, brute-force protection, and two-factor authentication …

60K 3 CVEs

Inactive Logout

inactive-logout

Automatically logout idle user sessions, with logout redirections and concurrent limit logins all in one place.

20K 3 CVEs

FluentAuth – The Ultimate Authorization & Security Plugin for WordPress

fluent-security

Enhance the Security and User Experience of Your Site with Login/Signup Security, Two-Factor Email Authentication, Social Logins and more...

10K 2 CVEs

Developer Profile

HTTP Requests Manager Developer Profile

veppa

2 plugins · 2K total installs

trust score

Avg Security Score

100/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect HTTP Requests Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/http-requests-manager/assets/css/http-requests-manager.css/wp-content/plugins/http-requests-manager/assets/js/http-requests-manager.js/wp-content/plugins/http-requests-manager/assets/js/app.js

Script Paths

/wp-content/plugins/http-requests-manager/assets/js/http-requests-manager.js/wp-content/plugins/http-requests-manager/assets/js/app.js

Version Parameters

http-requests-manager/assets/css/http-requests-manager.css?ver=http-requests-manager/assets/js/http-requests-manager.js?ver=http-requests-manager/assets/js/app.js?ver=

HTML / DOM Fingerprints

CSS Classes

http-requests-manager-wrapvphrm-custom-rule-item

HTML Comments

TODO:NOT POSSIBLE:conflict test.safemode URL parameter to disable logging

Data Attributes

data-vphrm-iddata-vphrm-titledata-vphrm-rule-typedata-vphrm-rule-value

JS Globals

VPHRM_AJAX_URLVPHRM_AJAX_NONCEVPHRM_CURRENT_PAGEVPHRM_PLUGIN_VERSIONvphrm_localize

REST Endpoints

/wp-json/http-requests-manager/v1/rules/wp-json/http-requests-manager/v1/logs/wp-json/http-requests-manager/v1/settings

FAQ