PWA Security & Risk Analysis

wordpress.org/plugins/pwa

WordPress feature plugin to bring Progressive Web App (PWA) capabilities to Core

20K active installs v0.8.2 PHP 7.2+ WP 6.6+ Updated Apr 10, 2025
Tags: progressive-web-apps, pwa, service-workers, web-app-manifest

Security score: 92 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is PWA Safe to Use in 2026?

Generally Safe

Score 92/100

PWA has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1yr ago
Risk Assessment

The "pwa" plugin version 0.8.2 exhibits several concerning security practices, primarily related to its unprotected AJAX handlers. While the plugin demonstrates good practices in SQL query sanitization and a high rate of output escaping, the presence of four AJAX handlers without any authentication or capability checks creates a significant attack surface. This means any unauthenticated user could potentially trigger these actions, leading to unintended consequences.

The lack of nonce checks on these AJAX handlers further exacerbates the risk, making them susceptible to Cross-Site Request Forgery (CSRF) attacks. The taint analysis showing zero flows, while seemingly positive, might be due to the limited scope of the analysis or the plugin's specific functionality. Coupled with no known vulnerability history, this could suggest either a well-maintained codebase or a lack of rigorous security auditing for potential vulnerabilities.

In conclusion, the plugin has strengths in its data handling and output sanitization. However, the significant number of unprotected AJAX endpoints represents a critical weakness that requires immediate attention. The absence of known vulnerabilities is a positive sign, but it should not overshadow the identified risks in the current codebase.

Key Concerns

  • Unprotected AJAX handlers (4)
  • Missing nonce checks on AJAX handlers
  • Low capability check coverage
Vulnerabilities
None known

PWA Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

PWA Release Timeline

v0.8.2 (current)
v0.8.1
v0.8.0
v0.7.1
v0.7.0
v0.6.0
v0.5.0
v0.4.0
v0.3.0
v0.2.0
v0.1.0
Code Analysis
Analyzed Mar 16, 2026

PWA Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 8 (53 escaped)
Nonce Checks: 0
Capability Checks: 2
File Operations: 11
External Requests: 0
Bundled Libraries: 0

Output Escaping

87% escaped (61 total outputs)
Attack Surface
4 unprotected

PWA Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers 4

Type    Hook                        Location
auth    wp_ajax_wp_error_template   wp-admin\admin.php:18
nopriv  wp_ajax_wp_error_template   wp-admin\admin.php:19
auth    wp_ajax_wp_service_worker   wp-includes\default-filters.php:16
nopriv  wp_ajax_wp_service_worker   wp-includes\default-filters.php:17
WordPress Hooks 69

Type    Hook                               Location
filter  pre_wp_nav_menu                    bundled-theme-support\twentyeleven\offline.php:10
filter  get_search_form                    bundled-theme-support\twentyeleven\offline.php:13
filter  has_nav_menu                       bundled-theme-support\twentyfifteen\offline.php:10
filter  pre_wp_nav_menu                    bundled-theme-support\twentyfifteen\offline.php:11
action  wp_enqueue_scripts                 bundled-theme-support\twentyfifteen\offline.php:12
filter  sidebars_widgets                   bundled-theme-support\twentyfifteen\offline.php:21
filter  pre_wp_nav_menu                    bundled-theme-support\twentyfourteen\offline.php:10
filter  get_search_form                    bundled-theme-support\twentyfourteen\offline.php:13
action  wp_enqueue_scripts                 bundled-theme-support\twentyfourteen\offline.php:14
filter  pre_wp_nav_menu                    bundled-theme-support\twentynineteen\offline.php:10
filter  body_class                         bundled-theme-support\twentynineteen\offline.php:13
filter  sidebars_widgets                   bundled-theme-support\twentynineteen\offline.php:22
filter  has_nav_menu                       bundled-theme-support\twentyseventeen\offline.php:10
filter  pre_wp_nav_menu                    bundled-theme-support\twentyseventeen\offline.php:11
filter  has_nav_menu                       bundled-theme-support\twentysixteen\offline.php:10
filter  pre_wp_nav_menu                    bundled-theme-support\twentysixteen\offline.php:11
filter  body_class                         bundled-theme-support\twentysixteen\offline.php:14
filter  pre_wp_nav_menu                    bundled-theme-support\twentyten\offline.php:9
filter  pre_wp_nav_menu                    bundled-theme-support\twentythirteen\offline.php:10
filter  has_nav_menu                       bundled-theme-support\twentythirteen\offline.php:11
filter  get_search_form                    bundled-theme-support\twentythirteen\offline.php:14
filter  sidebars_widgets                   bundled-theme-support\twentythirteen\offline.php:17
action  wp_enqueue_scripts                 bundled-theme-support\twentythirteen\offline.php:19
filter  pre_wp_nav_menu                    bundled-theme-support\twentytwelve\offline.php:10
filter  pre_wp_nav_menu                    bundled-theme-support\twentytwenty\offline.php:10
action  wp_enqueue_scripts                 bundled-theme-support\twentytwenty\offline.php:11
filter  get_search_form                    bundled-theme-support\twentytwenty\offline.php:20
filter  body_class                         bundled-theme-support\twentytwenty\offline.php:23
filter  pre_wp_nav_menu                    bundled-theme-support\twentytwentyone\offline.php:10
filter  has_nav_menu                       bundled-theme-support\twentytwentyone\offline.php:11
filter  sidebars_widgets                   bundled-theme-support\twentytwentyone\offline.php:14
action  wp_front_service_worker            integrations\functions.php:97
action  wp_admin_service_worker            integrations\functions.php:100
action  wp_front_service_worker            integrations\functions.php:103
action  wp_admin_service_worker            integrations\functions.php:104
action  admin_notices                      pwa.php:49
action  admin_notices                      pwa.php:78
action  admin_notices                      pwa.php:102
filter  site_status_tests                  pwa.php:121
filter  wp_doing_ajax                      wp-admin\admin.php:14
action  init                               wp-admin\options-reading-offline-browsing.php:25
action  admin_init                         wp-admin\options-reading-offline-browsing.php:38
action  admin_print_footer_scripts         wp-admin\options-reading-offline-browsing.php:130
action  customize_register                 wp-includes\class-wp-customize-manager.php:49
action  customize_controls_enqueue_scripts wp-includes\class-wp-customize-manager.php:81
action  parse_query                        wp-includes\class-wp-query.php:39
action  wp_front_service_worker            wp-includes\class-wp-service-worker-scripts.php:68
action  wp_admin_service_worker            wp-includes\class-wp-service-worker-scripts.php:69
action  wp_head                            wp-includes\class-wp-web-app-manifest.php:67
action  rest_api_init                      wp-includes\class-wp-web-app-manifest.php:68
filter  site_status_tests                  wp-includes\class-wp-web-app-manifest.php:69
action  rest_api_init                      wp-includes\class-wp-web-app-manifest.php:71
action  admin_init                         wp-includes\class-wp-web-app-manifest.php:72
action  admin_init                         wp-includes\class-wp-web-app-manifest.php:73
action  init                               wp-includes\class-wp.php:23
filter  query_vars                         wp-includes\class-wp.php:38
filter  pre_handle_404                     wp-includes\class-wp.php:57
action  parse_query                        wp-includes\default-filters.php:15
action  parse_query                        wp-includes\default-filters.php:18
action  error_head                         wp-includes\default-filters.php:21
filter  wp_robots                          wp-includes\default-filters.php:22
action  wp_head                            wp-includes\default-filters.php:24
action  error_head                         wp-includes\default-filters.php:25
action  wp_default_service_workers         wp-includes\deprecated.php:107
filter  document_title_parts               wp-includes\general-template.php:164
filter  body_class                         wp-includes\post-template.php:34
filter  template_include                   wp-includes\template-loader.php:31
action  wp_footer                          wp-includes\template.php:248
action  error_footer                       wp-includes\template.php:249
Maintenance & Trust

PWA Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 10, 2025
PHP min version: 7.2
Downloads: 597K

Community Trust

Rating: 86/100
Number of ratings: 27
Active installs: 20K
Developer Profile

PWA Developer Profile

Weston Ruter

26 plugins · 437K total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 4499 days
Detection Fingerprints

How We Detect PWA

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/pwa/wp-includes/js/workbox-v7.3.0/workbox-sw.js
/wp-content/plugins/pwa/wp-includes/js/workbox-v7.3.0/workbox-window.prod.min.js
Script Paths
/wp-content/plugins/pwa/wp-includes/js/pwa-admin.js
/wp-content/plugins/pwa/wp-includes/js/pwa-shell.js
Version Parameters
pwa/wp-includes/js/pwa-admin.js?ver=
pwa/wp-includes/js/pwa-shell.js?ver=

HTML / DOM Fingerprints

JS Globals
PWA, pwa
FAQ

Frequently Asked Questions about PWA