Does Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS have any unpatched vulnerabilities?

No. All known vulnerabilities in Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS compatible with WordPress 6.9.4?

According to WordPress.org data, Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS 1.10.42 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS Security & Risk Analysis

wordpress.org/plugins/http2-push-content

HTTP2 Server push, Async JavaScript, Defer Render Blocking CSS, with fine rule set to control js and css on different page types,

7K active installs v1.10.42 PHP 7.4+ WP 4.0+ Updated Feb 23, 2026

async-cssasync-jsdefer-cssdefer-jshttp2

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS Safe to Use in 2026?

Generally Safe

Score 100/100

Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago

Risk Assessment

The http2-push-content plugin exhibits a generally strong security posture based on the provided static analysis. The absence of direct entry points like AJAX handlers, REST API routes, and shortcodes significantly limits the attack surface. The code also demonstrates good practices in SQL query handling, with all queries using prepared statements, and a high percentage of output being properly escaped. The presence of a nonce check is a positive indicator for potential cross-site request forgery (CSRF) prevention, although its effectiveness would depend on its implementation context.

Despite these strengths, there are areas of concern. The taint analysis revealed two flows with unsanitized paths. While these are not classified as critical or high severity, unsanitized paths can potentially lead to vulnerabilities if they are accessible or processed in a way that allows for path traversal or other file system manipulation. The plugin also bundles Select2, and the security of this bundled library would depend on its version and whether it has known vulnerabilities.

The plugin's vulnerability history is clean, with no recorded CVEs. This is a positive sign, suggesting a history of secure development. However, the absence of past vulnerabilities does not guarantee future security. The focus should remain on addressing the identified taint analysis findings and ensuring the security of bundled libraries.

Key Concerns

Flows with unsanitized paths found
Bundled library (Select2) may have unknown vulns

Vulnerabilities

None known

Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

229 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Select2

Output Escaping

92% escaped248 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

tab (admin\plugins.php:59)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 21

actioninitadmin\class-http2-push-content-general-option.php:32

filterpre_update_option_http2_push_general_listadmin\class-http2-push-content-general-option.php:40

filterpre_update_option_http2_async_js_listadmin\class-http2-push-content-js-option.php:39

actionadmin_menuadmin\class-http2-push-content-menu.php:12

filterpre_update_option_http2_async_css_listadmin\class-http2-push-content-style-option.php:39

filterinstall_plugins_nonmenu_tabsadmin\plugins.php:40

actionadmin_noticeshttp2-push-content.php:45

actionbefore_woocommerce_inithttp2-push-content.php:67

actionplugins_loadedincludes\class-http2-push-content.php:162

actionadmin_enqueue_scriptsincludes\class-http2-push-content.php:177

actionadmin_enqueue_scriptsincludes\class-http2-push-content.php:178

actionwp_enqueue_scriptsincludes\class-http2-push-content.php:193

actionwp_enqueue_scriptsincludes\class-http2-push-content.php:194

actionadmin_noticesincludes\review.php:107

actionwp_headpublic\class-http2-push-content-public.php:88

filterscript_loader_srcpublic\class-http2-push-content-public.php:91

filterstyle_loader_srcpublic\class-http2-push-content-public.php:95

actioninitpublic\class-http2-push-content-public.php:98

filterstyle_loader_tagpublic\class-http2-push-content-public.php:100

filterscript_loader_tagpublic\class-http2-push-content-public.php:101

actionwp_footerpublic\class-http2-push-content-public.php:103

Maintenance & Trust

Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedFeb 23, 2026

PHP min version7.4

Downloads356K

Community Trust

Rating94/100

Number of ratings64

Active installs7K

Alternatives

Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS Alternatives

CSS JS Manager, Async JavaScript, Defer Render Blocking CSS

css-js-manager

100

CSS JS Manager, Async JavaScript, Defer Render Blocking CSS, Remove javascript, Remove CSS, Defer Render Blocking CSS, Both CSS and JS can be loaded A …

1K 1 CVE

Asset CleanUp: Page Speed Booster

wp-asset-clean-up

Make your website load FASTER by stopping specific styles (.CSS) & scripts (.JS) from loading. It works best with a page caching plugin / service.

100K 6 CVEs

PageSpeed Ninja – Cache, Minify, Defer CSS JavaScript, Critical CSS, Optimize Images, Convert WebP

psn-pagespeed-ninja

Boost page speed: cache, compress, optimize images to WebP, minify CSS/JS, defer loading, lazy load, generate critical CSS, improve Core Web Vitals

6K No CVEs

HTTP/2 Server Push

http2-server-push

Enables HTTP/2 server push for local JavaScript and CSS resources.

1K No CVEs

A faster website! (aka defer.js)

shins-pageload-magic

100

🚀 Unleash the power of cutting edge WordPress optimization tech. 💯 SEO-Optimized and 🎯 Effortlessly User-Friendly!

300 No CVEs

Developer Profile

Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS Developer Profile

PI Web Solution

30 plugins · 93K total installs

trust score

Avg Security Score

99/100

Avg Patch Time

235 days

View full developer profile

Detection Fingerprints

How We Detect Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/http2-push-content/includes/js/http2-push-content-admin.js/wp-content/plugins/http2-push-content/includes/css/bootstrap.css/wp-content/plugins/http2-push-content/includes/css/http2-push-content-admin.css

Script Paths

/wp-content/plugins/http2-push-content/includes/js/http2-push-content-admin.js

Version Parameters

http2-push-content/includes/js/http2-push-content-admin.js?ver=http2-push-content/includes/css/bootstrap.css?ver=http2-push-content/includes/css/http2-push-content-admin.css?ver=

HTML / DOM Fingerprints

CSS Classes

bg-darkbg-lightml-2

JS Globals

HTTP2_PUSH_CONTENT

FAQ