PWA for WP – Progressive Web Apps Made Simple Security & Risk Analysis

wordpress.org/plugins/pwa-for-wp

PWA plugin is bringing the power of the Progressive Web Apps to the WP & AMP to take the user experience to the next level.

20K active installs v1.7.84 PHP + WP 3.0+ Updated Feb 21, 2026
Tags: cache, manifest, offline, progressive-web-apps, pwa
Score: 95
A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Sep 25, 2024
Safety Verdict

Is PWA for WP – Progressive Web Apps Made Simple Safe to Use in 2026?

Generally Safe

Score 95/100

PWA for WP – Progressive Web Apps Made Simple has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Sep 25, 2024 · Updated 1mo ago
Risk Assessment

The pwa-for-wp plugin v1.7.84 exhibits a mixed security posture. While it demonstrates good practices in some areas, such as using prepared statements for all SQL queries and implementing nonces and capability checks for most entry points, significant concerns remain. The presence of two AJAX handlers without proper authentication checks presents a direct attack vector for unauthorized actions. Furthermore, the taint analysis revealing one flow with unsanitized paths, although not critical or high severity in this instance, highlights potential for input validation weaknesses that could be exploited.

The vulnerability history of this plugin is a major red flag. Its 5 known CVEs, 2 of high and 3 of medium severity, indicate a recurring pattern of security flaws. Common vulnerability types such as Missing Authorization and Cross-site Scripting suggest a lack of robust input validation and authorization controls in previous versions, which might still be present in subtle forms. The fact that the last vulnerability was very recent (September 2024) and that none are currently unpatched is positive, but the overall history points to a plugin that has historically struggled with secure development.

In conclusion, while the plugin has strengths like prepared SQL statements and a good number of security checks, the unauthenticated AJAX handlers and the concerning vulnerability history necessitate caution. The potential for exploitation of the unsanitized path flow, combined with the plugin's track record, elevates the overall risk. Organizations should carefully consider the implications of these findings and ensure robust security measures are in place.

Key Concerns

  • AJAX handlers without auth checks
  • Flow with unsanitized paths found
  • 2 High severity CVEs
  • 3 Medium severity CVEs
  • 66% output escaping (864 total)
Vulnerabilities
5

PWA for WP – Progressive Web Apps Made Simple Security Vulnerabilities

CVEs by Year

2019: 1 CVE
2021: 2 CVEs
2024: 2 CVEs

Severity Breakdown

High: 2
Medium: 3

5 total CVEs

CVE-2024-47318 · medium · 4.3 · Missing Authorization

PWA for WP & AMP <= 1.7.72 - Missing Authorization

Sep 25, 2024 · Patched in 1.7.73 (8d)

CVE-2024-7759 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PWA for WP – Progressive Web Apps Made Simple <= 1.7.71 - Authenticated (Admin+) Stored Cross-Site Scripting

Aug 20, 2024 · Patched in 1.7.72 (284d)

CVE-2021-4354 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

PWA for WP & AMP <= 1.7.32 - Arbitrary File Upload

Jul 1, 2021 · Patched in 1.7.33 (936d)

CVE-2021-4366 · medium · 6.3 · Missing Authorization

PWA for WP & AMP <= 1.7.32 - Missing Authorization

Jul 1, 2021 · Patched in 1.7.33 (936d)

WF-934545ff-8886-47c7-ad50-0e5ff513a26c-pwa-for-wp · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PWA for WP & AMP Plugin <= 1.0.8 - Cross-Site Scripting

Mar 25, 2019 · Patched in 1.0.9 (1765d)
Code Analysis
Analyzed Mar 16, 2026

PWA for WP – Progressive Web Apps Made Simple Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 294 (570 escaped)
Nonce Checks: 22
Capability Checks: 25
File Operations: 3
External Requests: 9
Bundled Libraries: 1

Bundled Libraries

Select2

Output Escaping

66% escaped · 864 total outputs
Data Flows: 1 unsanitized

Data Flow Analysis

8 flows · 1 with unsanitized paths
pwaforwp_load_service_worker_ajax (service-work\class-pwaforwp-service-worker.php:95)
Attack Surface
2 unprotected

PWA for WP – Progressive Web Apps Made Simple Attack Surface

Entry Points: 25
Unprotected: 2

AJAX Handlers 25

auth · wp_ajax_goodbye_form · admin\class-pwaforwp-plugin-usage-tracker.php:108
auth · wp_ajax_pwafowp_enable_modules_upgread · admin\class-pwaforwp-utility.php:9
auth · wp_ajax_pwafowp_enable_modules_active · admin\class-pwaforwp-utility.php:10
auth · wp_ajax_pwaforwp_reset_all_settings · admin\common-function.php:55
auth · wp_ajax_pwaforwp_review_notice_close · admin\common-function.php:83
auth · wp_ajax_pwaforwp_review_notice_remindme · admin\common-function.php:107
auth · wp_ajax_pwaforwp_send_query_message · admin\settings.php:3242
auth · wp_ajax_pwaforwp_license_transient · admin\settings.php:3245
auth · wp_ajax_pwaforwp_license_transient_zto7 · admin\settings.php:3263
auth · wp_ajax_pwaforwp_license_status_check · admin\settings.php:3485
auth · wp_ajax_pwaforwp_update_features_options · admin\settings.php:4212
auth · wp_ajax_pwaforwp_include_visibility_setting_callback · admin\settings.php:4517
auth · wp_ajax_pwaforwp_include_visibility_condition_callback · admin\settings.php:4622
auth · wp_ajax_pwaforwp_exclude_visibility_condition_callback · admin\settings.php:4654
auth · wp_ajax_pwaforwp_subscribe_newsletter · admin\settings.php:4764
auth · wp_ajax_pwaforwp_splashscreen_uploader · admin\settings.php:4811
auth · wp_ajax_pwaforwp_get_select2_data · admin\settings.php:5133
auth · wp_ajax_pwaforwp_download_setup_files · service-work\class-pwaforwp-file-creation-init.php:120
nopriv · wp_ajax_pwaforwp_store_token · service-work\class-pwaforwp-push-notification.php:16
auth · wp_ajax_pwaforwp_store_token · service-work\class-pwaforwp-push-notification.php:17
auth · wp_ajax_pwaforwp_send_notification_manually · service-work\class-pwaforwp-push-notification.php:18
auth · wp_ajax_pwaforwp_upload_fcm_json · service-work\class-pwaforwp-push-notification.php:19
auth · wp_ajax_pwaforwp_update_pre_caching_urls · service-work\class-pwaforwp-service-worker.php:37
auth · wp_ajax_pwaforwp_sw_files · service-work\class-pwaforwp-service-worker.php:75
nopriv · wp_ajax_pwaforwp_sw_files · service-work\class-pwaforwp-service-worker.php:76
WordPress Hooks 97
action · plugins_loaded · 3rd-party\class-pwaforwp-gravitec.php:23
filter · pwaforwp_sw_js_template · 3rd-party\class-pwaforwp-gravitec.php:34
filter · pwaforwp_manifest · 3rd-party\class-pwaforwp-pushnami.php:13
filter · pwaforwp_sw_name_modify · 3rd-party\class-pwaforwp-pushnami.php:14
action · wp · 3rd-party\class-pwaforwp-pushnami.php:15
action · wp_head · 3rd-party\class-pwaforwp-pushnami.php:112
action · plugins_loaded · 3rd-party\class-pwaforwp-webpushr.php:22
filter · pwaforwp_sw_js_template · 3rd-party\class-pwaforwp-webpushr.php:32
action · amp_post_template_head · 3rd-party\class-pwaforwp-wpwa.php:15
filter · web_app_manifest · 3rd-party\class-pwaforwp-wpwa.php:16
action · wp_front_service_worker · 3rd-party\class-pwaforwp-wpwa.php:17
action · wp · 3rd-party\class-pwaforwp-wpwa.php:18
filter · query_vars · 3rd-party\class-pwaforwp-wpwa.php:22
action · parse_request · 3rd-party\class-pwaforwp-wpwa.php:23
action · wp · 3rd-party\class-pwaforwp-wpwa.php:24
action · wp_front_service_worker · 3rd-party\class-pwaforwp-wpwa.php:25
filter · wp_print_scripts · 3rd-party\class-pwaforwp-wpwa.php:38
action · amp_post_template_footer · 3rd-party\class-pwaforwp-wpwa.php:47
filter · amp_post_template_data · 3rd-party\class-pwaforwp-wpwa.php:48
filter · wp_die_handler · 3rd-party\class-pwaforwp-wpwa.php:113
filter · pwaforwp_sw_js_template · 3rd-party\onesignal.php:9
filter · pwaforwp_manifest · 3rd-party\onesignal.php:64
filter · pwaforwp_sw_name_modify · 3rd-party\onesignal.php:79
filter · pwaforwp_localize_filter · admin\class-pwaforwp-newsletter.php:9
action · after_switch_theme · admin\class-pwaforwp-plugin-usage-tracker.php:72
action · switch_theme · admin\class-pwaforwp-plugin-usage-tracker.php:73
action · put_do_weekly_action · admin\class-pwaforwp-plugin-usage-tracker.php:98
action · admin_notices · admin\class-pwaforwp-plugin-usage-tracker.php:103
action · admin_notices · admin\class-pwaforwp-plugin-usage-tracker.php:104
action · admin_footer-plugins.php · admin\class-pwaforwp-plugin-usage-tracker.php:107
action · wp_footer · admin\common-function.php:23
action · plugins_loaded · admin\common-function.php:60
action · wp_enqueue_scripts · admin\common-function.php:285
filter · pwaforwp_file_creation_path · admin\common-function.php:787
filter · pwaforwp_manifest_images_src · admin\common-function.php:1017
filter · pre_update_option_pwaforwp_settings · admin\common-function.php:1361
filter · pwaforwp_sw_register_template · admin\common-function.php:1424
filter · pwaforwp_whitelabel_title · admin\common-function.php:1453
filter · pwaforwp_whitelabel_logo · admin\common-function.php:1465
filter · pwaforwp_whitelabel_longtext · admin\common-function.php:1477
action · admin_menu · admin\settings.php:54
action · admin_head · admin\settings.php:55
action · admin_init · admin\settings.php:429
action · admin_footer · admin\settings.php:434
action · admin_print_footer_scripts · admin\settings.php:435
action · admin_print_styles · admin\settings.php:436
action · admin_print_styles · admin\settings.php:438
action · admin_enqueue_scripts · admin\settings.php:3187
action · pwaforwp_loading_icon_libraries · admin\settings.php:3791
action · activated_plugin · admin\settings.php:4508
action · deactivated_plugin · admin\settings.php:4512
action · update_option_pwaforwp_settings · admin\settings.php:4700
filter · pre_update_option_pwaforwp_settings · admin\settings.php:4887
action · admin_enqueue_scripts · admin\settings.php:5159
action · plugins_loaded · pwa-for-wp.php:65
action · admin_notices · pwa-for-wp.php:159
filter · plugin_row_meta · pwa-for-wp.php:245
action · init · pwa-for-wp.php:310
action · parse_request · pwa-for-wp.php:311
action · plugins_loaded · pwa-for-wp.php:316
filter · query_vars · pwa-for-wp.php:318
action · transition_post_status · service-work\class-pwaforwp-push-notification.php:13
filter · pwaforwp_manifest · service-work\class-pwaforwp-push-notification.php:14
action · wp_enqueue_scripts · service-work\class-pwaforwp-push-notification.php:15
action · wp · service-work\class-pwaforwp-service-worker.php:22
action · wp_footer · service-work\class-pwaforwp-service-worker.php:24
action · pre_amp_render_post · service-work\class-pwaforwp-service-worker.php:28
action · wp · service-work\class-pwaforwp-service-worker.php:30
action · wp · service-work\class-pwaforwp-service-worker.php:32
action · publish_post · service-work\class-pwaforwp-service-worker.php:35
action · publish_page · service-work\class-pwaforwp-service-worker.php:36
action · init · service-work\class-pwaforwp-service-worker.php:39
action · init · service-work\class-pwaforwp-service-worker.php:42
action · rest_api_init · service-work\class-pwaforwp-service-worker.php:49
action · init · service-work\class-pwaforwp-service-worker.php:50
action · parse_query · service-work\class-pwaforwp-service-worker.php:51
action · wp_login · service-work\class-pwaforwp-service-worker.php:55
filter · site_icon_meta_tags · service-work\class-pwaforwp-service-worker.php:60
action · init · service-work\class-pwaforwp-service-worker.php:65
action · wp_footer · service-work\class-pwaforwp-service-worker.php:302
filter · amp_post_template_data · service-work\class-pwaforwp-service-worker.php:303
action · wp_head · service-work\class-pwaforwp-service-worker.php:304
action · wp_head · service-work\class-pwaforwp-service-worker.php:305
action · wp_enqueue_scripts · service-work\class-pwaforwp-service-worker.php:312
action · wp_head · service-work\class-pwaforwp-service-worker.php:313
action · wp_head · service-work\class-pwaforwp-service-worker.php:314
action · amp_post_template_footer · service-work\class-pwaforwp-service-worker.php:441
filter · amp_post_template_data · service-work\class-pwaforwp-service-worker.php:442
action · amp_post_template_head · service-work\class-pwaforwp-service-worker.php:443
action · amp_post_template_head · service-work\class-pwaforwp-service-worker.php:444
action · wp_footer · service-work\class-pwaforwp-service-worker.php:449
filter · amp_post_template_data · service-work\class-pwaforwp-service-worker.php:450
action · wp_head · service-work\class-pwaforwp-service-worker.php:451
action · wp_head · service-work\class-pwaforwp-service-worker.php:452
action · amp_wp_template_footer · service-work\class-pwaforwp-service-worker.php:458
action · amp_wp_template_head · service-work\class-pwaforwp-service-worker.php:460
action · amp_wp_template_head · service-work\class-pwaforwp-service-worker.php:461

Scheduled Events 1

put_do_weekly_action
Maintenance & Trust

PWA for WP – Progressive Web Apps Made Simple Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 21, 2026
PHP min version
Downloads: 1.5M

Community Trust

Rating: 92/100
Number of ratings: 229
Active installs: 20K
Developer Profile

PWA for WP – Progressive Web Apps Made Simple Developer Profile

Magazine3

13 plugins · 739K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 327 days
Detection Fingerprints

How We Detect PWA for WP – Progressive Web Apps Made Simple

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/pwa-for-wp/admin/js/pwa-for-wp-admin.js
/wp-content/plugins/pwa-for-wp/admin/css/pwa-for-wp-admin.css
/wp-content/plugins/pwa-for-wp/assets/css/pwa-for-wp.css
/wp-content/plugins/pwa-for-wp/assets/js/pwa-for-wp.js
/wp-content/plugins/pwa-for-wp/service-work/pwa-register-sw.js
/wp-content/plugins/pwa-for-wp/service-work/pwa-amp-sw.js
/wp-content/plugins/pwa-for-wp/service-work/pwa-amp-manifest.json
Script Paths
/wp-content/plugins/pwa-for-wp/admin/js/pwa-for-wp-admin.js
/wp-content/plugins/pwa-for-wp/assets/js/pwa-for-wp.js
/wp-content/plugins/pwa-for-wp/service-work/pwa-register-sw.js
/wp-content/plugins/pwa-for-wp/service-work/pwa-amp-sw.js
Version Parameters
pwa-for-wp/admin/js/pwa-for-wp-admin.js?ver=
pwa-for-wp/admin/css/pwa-for-wp-admin.css?ver=
pwa-for-wp/assets/css/pwa-for-wp.css?ver=
pwa-for-wp/assets/js/pwa-for-wp.js?ver=
pwa-for-wp/service-work/pwa-register-sw.js?ver=
pwa-for-wp/service-work/pwa-amp-sw.js?ver=

HTML / DOM Fingerprints

CSS Classes
pwa-for-wp-update-pre-caching-urls
Data Attributes
data-iframe-src
JS Globals
PWAFORWP_PLUGIN_VERSION
pwaforwp_settings