LWSCache Security & Risk Analysis

wordpress.org/plugins/lwscache

This plugin lets you manage and automatically purge your hosting's LWSCache whenever you edit your website's content.

8K active installs v2.9 PHP 7.0+ WP 5.0+ Updated Aug 28, 2025
cache · lws · nginx
99
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Aug 28, 2025
Safety Verdict

Is LWSCache Safe to Use in 2026?

Generally Safe

Score 99/100

LWSCache has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Aug 28, 2025 · Updated 7mo ago
Risk Assessment

The "lwscache" v2.9 plugin demonstrates some positive security practices, including a high percentage of SQL queries using prepared statements and a good rate of output escaping. The absence of critical or high-severity taint flows and dangerous functions is also a positive sign. However, the plugin exhibits significant security concerns related to its attack surface, specifically the presence of two AJAX handlers that lack authentication checks. This creates a direct pathway for unauthenticated users to potentially interact with sensitive plugin functionalities, posing a notable risk.

The vulnerability history shows one past medium-severity CVE related to improper authorization, which aligns with the identified unprotected AJAX endpoints. While there are no currently unpatched vulnerabilities, the recurring theme of authorization issues suggests a persistent area of weakness that requires ongoing attention. The static analysis also indicates a substantial number of file operations and external HTTP requests, which, while not inherently insecure, can increase the complexity and potential for vulnerabilities if not handled with extreme care, especially in the context of the unprotected entry points.

In conclusion, while "lwscache" v2.9 has strengths in its handling of SQL and output, the presence of unprotected AJAX endpoints is a critical flaw that elevates its risk profile. The past authorization vulnerability further underscores this concern. Addressing the unprotected AJAX handlers should be the immediate priority to improve the plugin's security posture.

Key Concerns

  • Unprotected AJAX handlers found
  • Past medium severity CVE (Improper Authorization)
Vulnerabilities
1

LWSCache Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-8147 · medium · 4.3 · Improper Authorization

LWSCache <= 2.8.5 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Activation via lwscache_activatePlugin Function

Aug 28, 2025 Patched in 2.9 (1d)
Code Analysis
Analyzed Mar 16, 2026

LWSCache Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (9 prepared)
Unescaped Output: 19 (96 escaped)
Nonce Checks: 9
Capability Checks: 8
File Operations: 26
External Requests: 16
Bundled Libraries: 0

SQL Query Safety

82% prepared · 11 total queries

Output Escaping

83% escaped · 115 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
<lws-cache-admin-display> (admin\partials\lws-cache-admin-display.php:0)
Attack Surface
2 unprotected

LWSCache Attack Surface

Entry Points: 10
Unprotected: 2

AJAX Handlers 10

auth · wp_ajax_rt_get_feeds · includes\class-lws-cache.php:225
auth · wp_ajax_lwscache_reminder_ajax · lwscache.php:302
auth · wp_ajax_lwscache_deactivate_companion_rocket · lwscache.php:312
auth · wp_ajax_lwscache_donotask_ajax · lwscache.php:320
auth · wp_ajax_lwscache_downloadPlugin · lwscache.php:397
auth · wp_ajax_lwscache_activatePlugin · lwscache.php:401
auth · wp_ajax_lwscache_change_cache_state · lwscache.php:441
auth · wp_ajax_change_autopurge · lwscache.php:472
auth · wp_ajax_lwscache_get_excluded_url · lwscache.php:505
auth · wp_ajax_lwscache_save_excluded_url · lwscache.php:515

WordPress Hooks 40

action · admin_notices · admin\class-lws-cache-admin.php:722
action · network_admin_notices · admin\class-lws-cache-admin.php:723
action · plugins_loaded · includes\class-lws-cache.php:166
action · admin_enqueue_scripts · includes\class-lws-cache.php:211
action · admin_enqueue_scripts · includes\class-lws-cache.php:212
action · network_admin_menu · includes\class-lws-cache.php:215
action · admin_menu · includes\class-lws-cache.php:218
action · admin_bar_menu · includes\class-lws-cache.php:222
action · shutdown · includes\class-lws-cache.php:227
action · add_init · includes\class-lws-cache.php:228
action · wp_insert_comment · includes\class-lws-cache.php:233
action · transition_comment_status · includes\class-lws-cache.php:234
action · transition_post_status · includes\class-lws-cache.php:235
action · delete_post · includes\class-lws-cache.php:236
action · rt_wp_lws_cache_check_log_file_size_daily · includes\class-lws-cache.php:237
action · edit_attachment · includes\class-lws-cache.php:238
action · wp_initialize_site · includes\class-lws-cache.php:239
action · transition_post_status · includes\class-lws-cache.php:240
action · edit_term · includes\class-lws-cache.php:241
action · delete_term · includes\class-lws-cache.php:242
action · check_ajax_referer · includes\class-lws-cache.php:243
action · admin_bar_init · includes\class-lws-cache.php:244
action · wp_insert_post · includes\class-lws-cache.php:247
action · edit_post · includes\class-lws-cache.php:248
action · save_post · includes\class-lws-cache.php:249
action · deleted_post · includes\class-lws-cache.php:251
action · trashed_post · includes\class-lws-cache.php:252
action · spammed_post · includes\class-lws-cache.php:253
action · unspammed_post · includes\class-lws-cache.php:254
action · untrashed_post · includes\class-lws-cache.php:255
action · rt_lws_cache_purge_all · includes\class-lws-cache.php:259
action · admin_notices · includes\class-lws-cache.php:323
action · network_admin_notices · includes\class-lws-cache.php:324
action · init · lwscache.php:140
filter · rocket_htaccess_mod_expires · lwscache.php:152
action · admin_notices · lwscache.php:200
action · admin_notices · lwscache.php:203
action · admin_enqueue_scripts · lwscache.php:329
action · admin_notices · lwscache.php:334
action · init · lwscache.php:352

Scheduled Events 1

rt_wp_lws_cache_check_log_file_size_daily
Maintenance & Trust

LWSCache Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Aug 28, 2025
PHP min version: 7.0
Downloads: 150K

Community Trust

Rating: 100/100
Number of ratings: 6
Active installs: 8K
Developer Profile

LWSCache Developer Profile

Aurélien LWS

6 plugins · 79K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 222 days
Detection Fingerprints

How We Detect LWSCache

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/lwscache/admin/icons/loading_black.svg

HTML / DOM Fingerprints

CSS Classes
lwscache_deactivate_button
Data Attributes
id="lwscache_deactivate_button"
id="deactivate_wprocket_companion"
JS Globals
ajaxurl
FAQ

Frequently Asked Questions about LWSCache