Does Performance Lab have any unpatched vulnerabilities?

No. All known vulnerabilities in Performance Lab have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Performance Lab compatible with WordPress 7.0?

According to WordPress.org data, Performance Lab 4.1.0 has been tested up to WordPress 7.0. Check the plugin's changelog for the latest compatibility information.

Is Performance Lab compatible with PHP 7.2+?

Performance Lab requires PHP 7.2 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Performance Lab updated?

Performance Lab was last updated on Feb 27, 2026. Frequent updates are generally a positive security signal.

What is Performance Lab's security score?

Performance Lab has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Performance Lab Security & Risk Analysis

wordpress.org/plugins/performance-lab

Performance plugin from the WordPress Performance Team, which is a collection of standalone performance features.

200K active installs v4.1.0 PHP 7.2+ WP 6.6+ Updated Feb 27, 2026

diagnosticsmeasurementoptimizationperformancesite-health

A · Safe

CVEs total1

Unpatched0

Last CVEMay 18, 2023

Plugin page Download

Safety Verdict

Is Performance Lab Safe to Use in 2026?

Generally Safe

Score 100/100

Performance Lab has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: May 18, 2023Updated 1mo ago

Risk Assessment

The performance-lab plugin v4.1.0 exhibits a generally strong security posture with good practices in place, particularly in its handling of SQL queries and output escaping. The plugin's use of prepared statements for all SQL queries is a significant strength, mitigating the risk of SQL injection. Furthermore, the high percentage of properly escaped output indicates a good effort to prevent cross-site scripting (XSS) vulnerabilities. The plugin also demonstrates a robust use of capability checks and nonces, which are crucial for securing administrative functions and preventing unauthorized actions. However, a notable concern is the presence of an unprotected AJAX handler, which exposes a potential entry point for attackers. While taint analysis revealed no immediate critical or high-severity issues, the lack of analysis coverage (0 flows analyzed) means potential vulnerabilities in this area could be missed. The vulnerability history, while showing no currently unpatched CVEs, does indicate a past medium-severity vulnerability, specifically CSRF. This suggests that while current code might be secure, past issues highlight areas that require ongoing vigilance and rigorous security reviews.

Key Concerns

Unprotected AJAX handler
Past medium severity vulnerability (CSRF)
Limited taint analysis coverage

Vulnerabilities

Performance Lab Security Vulnerabilities

CVEs by Year

1 CVE in 2023

2023

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2022-47174medium · 4.3Cross-Site Request Forgery (CSRF)

Performance Lab <= 2.2.0 - Cross-Site Request Forgery via dismiss-wp-pointer

May 18, 2023 Patched in 2.3.0 (336d)

Code Analysis

Analyzed Mar 16, 2026

Performance Lab Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

126 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

95% escaped132 total outputs

Attack Surface

1 unprotected

Performance Lab Attack Surface

Entry Points2

Unprotected1

AJAX Handlers 2

authwp_ajax_dismiss-wp-pointerincludes\admin\load.php:352

authwp_ajax_health-check-enqueued-blocking-assets-testincludes\site-health\audit-enqueued-assets\hooks.php:34

WordPress Hooks 40

actionadmin_menuincludes\admin\load.php:36

actionadmin_enqueue_scriptsincludes\admin\load.php:47

actionadmin_noticesincludes\admin\load.php:50

actionadmin_headincludes\admin\load.php:53

actionadmin_enqueue_scriptsincludes\admin\load.php:301

actionadmin_action_perflab_install_activate_pluginincludes\admin\load.php:467

actionafter_plugin_row_metaincludes\admin\load.php:639

actionrest_api_initincludes\admin\rest-api.php:99

actionadmin_menuincludes\admin\server-timing.php:39

actionadmin_print_stylesincludes\admin\server-timing.php:59

actiontemplate_redirectincludes\server-timing\class-perflab-server-timing.php:247

filtertemplate_includeincludes\server-timing\class-perflab-server-timing.php:249

filtertemplate_includeincludes\server-timing\defaults.php:113

actionperflab_server_timing_send_headerincludes\server-timing\defaults.php:123

filtertemplate_includeincludes\server-timing\defaults.php:150

actionperflab_server_timing_send_headerincludes\server-timing\defaults.php:159

actionperflab_server_timing_send_headerincludes\server-timing\defaults.php:170

actionperflab_server_timing_send_headerincludes\server-timing\defaults.php:189

actionwp_loadedincludes\server-timing\defaults.php:243

actionallincludes\server-timing\defaults.php:291

actionmuplugins_loadedincludes\server-timing\defaults.php:342

filterrest_post_dispatchincludes\server-timing\hooks.php:42

actionwp_loadedincludes\server-timing\load.php:65

actioninitincludes\server-timing\load.php:181

filtersite_status_testsincludes\site-health\audit-autoloaded-options\hooks.php:35

actionadmin_action_perflab_aao_update_autoloadincludes\site-health\audit-autoloaded-options\hooks.php:43

actionadmin_initincludes\site-health\audit-autoloaded-options\hooks.php:45

actionadmin_noticesincludes\site-health\audit-autoloaded-options\hooks.php:120

filtersite_status_autoloaded_options_limit_descriptionincludes\site-health\audit-autoloaded-options\hooks.php:133

filteroption_perflab_aao_disabled_optionsincludes\site-health\audit-autoloaded-options\hooks.php:155

filtersite_status_testsincludes\site-health\audit-enqueued-assets\hooks.php:33

filtersite_status_testsincludes\site-health\avif-headers\hooks.php:30

filtersite_status_testsincludes\site-health\avif-support\hooks.php:30

filtersite_status_testsincludes\site-health\bfcache-compatibility-headers\hooks.php:31

filtersite_status_testsincludes\site-health\effective-asset-cache-headers\hooks.php:39

filtersite_status_testsincludes\site-health\webp-support\hooks.php:30

actionwp_headload.php:81

actionadmin_initload.php:263

actionadmin_page_access_deniedload.php:336

actionadmin_initload.php:348

Maintenance & Trust

Performance Lab Maintenance & Trust

Maintenance Signals

WordPress version tested7.0

Last updatedFeb 27, 2026

PHP min version7.2

Downloads3.5M

Community Trust

Rating86/100

Number of ratings50

Active installs200K

Alternatives

Performance Lab Alternatives

DiveWP – Boost Site Performance with Clear, Actionable Steps

divewp-boost-site-performance

100

Learn WP Best Practices Through Your Own Site! Get clear insights about Performance, Security, and Best Practices – explained in plain English.

200 No CVEs

BoltAudit – Plugin & Performance Analyzer

boltaudit

100

BoltAudit helps you identify bloated, unused, abandoned, and performance-heavy plugins—plus database bloat, autoloaded options, and runtime impact.

100 No CVEs

Health Monitor

health-monitor

100

Health Monitor is designed to help you keep your website running smoothly. It continuously checks your site’s performance, security, and overall healt …

20 No CVEs

SW Site Doctor

sw-site-doctor

100

Scan your WordPress site for security risks, speed issues, and migration problems. Free with PageSpeed integration.

0 No CVEs

Image Optimizer – Optimize Images and Convert to WebP or AVIF

image-optimization

Automatically resize, optimize, and convert images to WebP and AVIF. Compress images in bulk or on upload to boost your WordPress site performance.

1.0M 1 CVE

Developer Profile

Performance Lab Developer Profile

WordPress Performance Team

10 plugins · 700K total installs

trust score

Avg Security Score

100/100

Avg Patch Time

336 days

View full developer profile

Detection Fingerprints

How We Detect Performance Lab

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/performance-lab/includes/site-health/load.php/wp-content/plugins/performance-lab/includes/server-timing/class-perflab-server-timing-metric.php/wp-content/plugins/performance-lab/includes/server-timing/class-perflab-server-timing.php/wp-content/plugins/performance-lab/includes/server-timing/load.php/wp-content/plugins/performance-lab/includes/server-timing/defaults.php

Generator Patterns

performance-lab %s; plugins: %s

HTML / DOM Fingerprints

JS Globals

PERFLAB_VERSIONPERFLAB_MAIN_FILEPERFLAB_PLUGIN_DIR_PATHPERFLAB_SCREENPERFLAB_OBJECT_CACHE_DROPIN_VERSIONPERFLAB_OBJECT_CACHE_DROPIN_LATEST_VERSION

FAQ