Mustang WPO – See Your Performance Clearly Security & Risk Analysis

wordpress.org/plugins/mustang-wpo

Mustang WPO (Web Performance Optimization) helps you audit, view, and manage your site's performance without leaving WordPress.

0 active installs · v1.0.2 · PHP 7.4+ · WP 6.2+ · Updated: Unknown
Tags: optimization, pagespeed, performance, speed, wpo
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Mustang WPO – See Your Performance Clearly Safe to Use in 2026?

Generally Safe

Score 100/100

Mustang WPO – See Your Performance Clearly has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The "mustang-wpo" plugin v1.0.2 exhibits a generally good security posture with strong adherence to best practices in several key areas. The code shows a high percentage of properly escaped outputs and exclusively uses prepared statements for SQL queries, significantly reducing the risk of SQL injection vulnerabilities. The presence of numerous nonce and capability checks further strengthens its defenses against common attack vectors. Furthermore, the plugin has no recorded vulnerabilities or CVEs, which is a positive indicator of its historical stability and developer attention to security.

However, there is a notable concern regarding its attack surface. Specifically, one of the nine REST API routes lacks a permission callback. This creates a potential entry point for unauthorized access or manipulation if not adequately secured by other means. While the static analysis did not reveal any exploitable taint flows or dangerous functions, this unprotected REST API route represents the most significant immediate risk. The plugin's overall security is good, but this single unprotected entry point warrants careful monitoring and remediation.

In conclusion, "mustang-wpo" v1.0.2 demonstrates commendable security practices, particularly in its handling of SQL and output escaping. The absence of historical vulnerabilities further bolsters confidence. The primary weakness lies in the single unprotected REST API route, which, while not a critical flaw in isolation, presents a clear area for potential exploitation that should be addressed to achieve a more robust security profile.

Key Concerns

  • REST API route without permission callback
Vulnerabilities
None known

Mustang WPO – See Your Performance Clearly Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Mustang WPO – See Your Performance Clearly Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 1 (132 escaped)
Nonce Checks: 7
Capability Checks: 10
File Operations: 0
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

100% prepared (4 total queries)

Output Escaping

99% escaped (133 total outputs)
Attack Surface
1 unprotected

Mustang WPO – See Your Performance Clearly Attack Surface

Entry Points: 9
Unprotected: 1

REST API Routes 9

POST  /wp-json/mustwp/v1/audit           includes\class-mustwp-auditor.php:34
POST  /wp-json/mustwp/v1/audit/batch     includes\class-mustwp-auditor.php:53
GET   /wp-json/mustwp/v1/test            includes\class-mustwp-auditor.php:76
GET   /wp-json/mustwp/v1/open-test       includes\class-mustwp-auditor.php:83
GET   /wp-json/mustwp/v1/audit/summary   includes\class-mustwp-auditor.php:98
POST  /wp-json/mustwp/v1/posts/titles    includes\class-mustwp-auditor.php:104
GET   /wp-json/mustwp/v1/audit/progress  includes\class-mustwp-auditor.php:110
POST  /wp-json/mustwp/v1/editor/audit    includes\class-mustwp-editor.php:246
GET   /wp-json/mustwp/v1/editor/results  includes\class-mustwp-editor.php:266
WordPress Hooks 14
action  admin_init                   includes\class-mustwp-admin.php:34
action  admin_enqueue_scripts        includes\class-mustwp-admin.php:35
action  wp_dashboard_setup           includes\class-mustwp-dashboard.php:58
action  admin_enqueue_scripts        includes\class-mustwp-dashboard.php:59
action  enqueue_block_editor_assets  includes\class-mustwp-editor.php:34
action  admin_enqueue_scripts        includes\class-mustwp-editor.php:35
action  rest_api_init                includes\class-mustwp-editor.php:36
action  init                         includes\class-mustwp-editor.php:37
action  admin_menu                   includes\class-mustwp-settings.php:34
action  admin_init                   includes\class-mustwp-settings.php:35
action  admin_enqueue_scripts        includes\class-mustwp-settings.php:36
filter  heartbeat_received           includes\class-mustwp-settings.php:37
action  init                         mustang-wpo.php:89
action  rest_api_init                mustang-wpo.php:90
Maintenance & Trust

Mustang WPO – See Your Performance Clearly Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Unknown
PHP min version: 7.4
Downloads: 183

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Mustang WPO – See Your Performance Clearly Developer Profile

Tyron Bache

1 plugin · 0 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Mustang WPO – See Your Performance Clearly

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mustang-wpo/assets/css/admin.css
/wp-content/plugins/mustang-wpo/assets/js/admin.js
/wp-content/plugins/mustang-wpo/assets/css/editor.css
/wp-content/plugins/mustang-wpo/assets/js/editor.js
/wp-content/plugins/mustang-wpo/assets/css/dashboard.css
/wp-content/plugins/mustang-wpo/assets/js/dashboard.js
/wp-content/plugins/mustang-wpo/assets/js/budgets.js
Script Paths
/wp-content/plugins/mustang-wpo/assets/js/admin.js
/wp-content/plugins/mustang-wpo/assets/js/editor.js
/wp-content/plugins/mustang-wpo/assets/js/dashboard.js
/wp-content/plugins/mustang-wpo/assets/js/budgets.js
Version Parameters
mustang-wpo/assets/css/admin.css?ver=
mustang-wpo/assets/js/admin.js?ver=
mustang-wpo/assets/css/editor.css?ver=
mustang-wpo/assets/js/editor.js?ver=
mustang-wpo/assets/css/dashboard.css?ver=
mustang-wpo/assets/js/dashboard.js?ver=
mustang-wpo/assets/js/budgets.js?ver=

HTML / DOM Fingerprints

CSS Classes
mustwp-badge
mustwp-badge-na
mustwp-badge-not-audited
mustwp-badge-loading
mustwp-pagespeed-value
HTML Comments
<!-- Performance data will be displayed here -->
<!-- Get status label for tooltip -->
<!-- Render NA badge for posts that are not published -->
<!-- Render badge for posts that have not been audited -->
+2 more
Data Attributes
data-post-id
JS Globals
mustwp_budgets_data
REST Endpoints
/wp-json/mustang-wpo/v1/audit