WP-Safety

JCH Optimize Security & Risk Analysis

wordpress.org/plugins/jch-optimize

This plugin automatically performs several front end optimizations to your site to boost performance and increase PageSpeed scores.

4K active installs v5.1.4 PHP 8.0+ WP 6.5.0+ Updated Jan 16, 2026
cacheoptimizepagespeedperformanceseo
98
A · Safe
CVEs total3
Unpatched0
Last CVEMay 13, 2024
Plugin page Download
Safety Verdict

Is JCH Optimize Safe to Use in 2026?

Generally Safe

Score 98/100

JCH Optimize has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEsLast CVE: May 13, 2024Updated 2mo ago
Risk Assessment

The jch-optimize plugin version 5.1.4 presents a mixed security posture. While it demonstrates good practices in SQL query handling with 100% prepared statements and includes nonce checks, significant concerns arise from its attack surface. All 10 identified AJAX handlers lack proper authorization checks, creating a substantial risk of unauthorized actions if these handlers can be triggered by unauthenticated users. Furthermore, a concerningly low percentage (5%) of output is properly escaped, increasing the likelihood of Cross-Site Scripting (XSS) vulnerabilities, especially when combined with the unprotected AJAX endpoints.

The vulnerability history reveals a pattern of medium-severity issues, including Path Traversal, Missing Authorization, and XSS. While there are currently no unpatched CVEs, the recurring nature of these vulnerability types, particularly Missing Authorization and XSS, suggests that the implementation of security controls, especially around input validation and authorization, needs substantial improvement. The presence of the Guzzle library, while not explicitly stated as outdated, warrants attention to ensure it's kept up-to-date to avoid potential vulnerabilities in bundled components.

In conclusion, the plugin has some strong security foundations, such as its SQL handling. However, the unprotected AJAX endpoints and poor output escaping are significant weaknesses that could be exploited. The historical trend of medium-severity vulnerabilities further emphasizes the need for a security review and remediation focused on authorization and output sanitization to mitigate the identified risks.

Key Concerns

  • 10 unprotected AJAX handlers
  • Low output escaping percentage (5%)
  • 3 medium CVEs in history
  • Missing authorization on AJAX handlers
  • Bundled library (Guzzle) without version info
Vulnerabilities
3

JCH Optimize Security Vulnerabilities

CVEs by Year

2 CVEs in 2023
2023
1 CVE in 2024
2024
Patched Has unpatched

Severity Breakdown

Medium
3

3 total CVEs

CVE-2024-34808medium · 4.3Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

JCH Optimize <= 4.2.0 - Authenticated (Subscriber+) Directory Traversal

May 13, 2024 Patched in 4.2.1 (8d)
WF-2077bd81-52bd-4aa7-85f6-9abb02aec65b-jch-optimizemedium · 4.3Missing Authorization

JCH Optimize <= 4.0.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification

Aug 8, 2023 Patched in 4.0.1 (240d)
CVE-2023-25491medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

JCH Optimize <= 3.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

Mar 2, 2023 Patched in 3.2.3 (327d)
Code Analysis
Analyzed Mar 16, 2026

JCH Optimize Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
314
16 escaped
Nonce Checks
11
Capability Checks
10
File Operations
3
External Requests
3
Bundled Libraries
1

Bundled Libraries

Guzzle

Output Escaping

5% escaped330 total outputs
Attack Surface
10 unprotected

JCH Optimize Attack Surface

Entry Points10
Unprotected10

AJAX Handlers 10

authwp_ajax_filetreesrc\Plugin\Loader.php:98
authwp_ajax_multiselectsrc\Plugin\Loader.php:99
authwp_ajax_optimizeimagessrc\Plugin\Loader.php:100
authwp_ajax_smartcombinesrc\Plugin\Loader.php:101
authwp_ajax_configuresettingssrc\Plugin\Loader.php:102
authwp_ajax_getcacheinfosrc\Plugin\Loader.php:103
authwp_ajax_onclickiconsrc\Plugin\Loader.php:104
authwp_ajax_jch_configure_js_table_bodysrc\Plugin\Loader.php:105
authwp_ajax_jch_configure_js_auto_savesrc\Plugin\Loader.php:106
authwp_ajax_jch_cf_verifysrc\Plugin\Loader.php:107
WordPress Hooks 20
actionadmin_noticesjch-optimize.php:46
actionadmin_noticesjch-optimize.php:98
actionjch_optimize_send_headerssrc\Platform\Utility.php:77
actionadmin_noticessrc\Platform\Utility.php:189
actionadmin_enqueue_scriptssrc\Plugin\Admin.php:103
actionadmin_initsrc\Plugin\Admin.php:109
actiontool_boxsrc\Plugin\Admin.php:136
actionadmin_noticessrc\Plugin\Admin.php:347
actionadmin_menusrc\Plugin\Loader.php:109
actionadmin_menusrc\Plugin\Loader.php:110
actionadmin_initsrc\Plugin\Loader.php:111
filterplugin_action_linkssrc\Plugin\Loader.php:112
actioninitsrc\Plugin\Loader.php:140
actionadmin_bar_menusrc\Plugin\Loader.php:145
actionplugins_loadedsrc\Plugin\Loader.php:150
actionactivated_pluginsrc\Plugin\Loader.php:155
actiondeactivated_pluginsrc\Plugin\Loader.php:156
filterjch_optimize_get_page_cache_idsrc\Plugin\Loader.php:163
actionupdate_option_jch-optimize_settingssrc\Plugin\Loader.php:169
filterpre_set_site_transient_update_pluginssrc\Plugin\Updater.php:59
Maintenance & Trust

JCH Optimize Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedJan 16, 2026
PHP min version8.0
Downloads352K

Community Trust

Rating88/100
Number of ratings69
Active installs4K
Alternatives

JCH Optimize Alternatives

WPSpeed – WordPress Speed, Cache & Performance Optimization (Core Web Vitals, PageSpeed 100)

WPSpeed – WordPress Speed, Cache & Performance Optimization (Core Web Vitals, PageSpeed 100)

wpspeed

A
99

WordPress speed optimization plugin to boost PageSpeed, improve Core Web Vitals, reduce TTFB and enable static HTML caching for 100/100 performance.

1K 1 CVE
LiteSpeed Cache

LiteSpeed Cache

litespeed-cache

B
82

All-in-one unbeatable acceleration & PageSpeed improvement: caching, image/CSS/JS optimization...

7.0M 18 CVEs
WP Fastest Cache – WordPress Cache Plugin

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

B
76

The simplest and fastest WP Cache system

1.0M 35 CVEs
Aruba HiSpeed Cache

Aruba HiSpeed Cache

aruba-hispeed-cache

A
95

Aruba HiSpeed Cache interfaces directly with an Aruba hosting platform's HiSpeed Cache service and automates its management.

100K 6 CVEs
10Web Booster – Website speed optimization, Cache & Page Speed optimizer

10Web Booster – Website speed optimization, Cache & Page Speed optimizer

tenweb-speed-optimizer

A
86

Speed up your site with 10Web Booster. Pass Core Web Vitals by optimizing HTML / CSS / JavaScript, Image Optimization, Lazy Loading, Cache, Google Fon &hellip;

90K 5 CVEs
Developer Profile

JCH Optimize Developer Profile

codealfa

1 plugin · 4K total installs

78
trust score
Avg Security Score
98/100
Avg Patch Time
192 days
View full developer profile
Detection Fingerprints

How We Detect JCH Optimize

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/jch-optimize/public/css/frontend-common.css/wp-content/plugins/jch-optimize/public/js/frontend-common.js
Script Paths
/wp-content/plugins/jch-optimize/public/js/frontend-common.js
Version Parameters
jch-optimize/public/css/frontend-common.css?ver=jch-optimize/public/js/frontend-common.js?ver=

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about JCH Optimize