PWA for WordPress Security & Risk Analysis

wordpress.org/plugins/pwa4wp

PWA for WordPress turns your WordPress site into a PWA (Progressive Web App) and makes it easy to control PWA data caches.

300 active installs · v1.2.0 · PHP 5.4+ · WP 4.4+ · Updated Apr 23, 2019
Tags: mobile, progressive-web-app, progressive-web-apps, pwa, pwa4wp
Score: 85
Grade: A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is PWA for WordPress Safe to Use in 2026?

Generally Safe

Score 85/100

PWA for WordPress has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 6yr ago
Risk Assessment

The PWA4WP plugin, version 1.2.0, presents a mixed security posture. On the positive side, the static analysis reveals no known CVEs, a complete absence of external HTTP requests, and a lack of dangerous functions. All SQL queries are correctly prepared, and nonce checks are present for file operations, indicating some good development practices.

However, significant concerns arise from the code analysis. A very low percentage (4%) of output is properly escaped, meaning there's a high risk of Cross-Site Scripting (XSS) vulnerabilities. Furthermore, all analyzed taint flows (4 out of 4) involve unsanitized paths, which is a critical indicator of potential path traversal or file manipulation vulnerabilities, despite no critical severity being explicitly flagged. The absence of capability checks on any of the detected entry points (even though the entry point count is zero) is also a notable weakness, as it means any potential future additions to the attack surface might be unprotected.

Given the lack of a vulnerability history, it's difficult to draw conclusions about past security patterns. However, the current analysis highlights a strong potential for XSS and path-related vulnerabilities due to poor output escaping and unsanitized path flows. While the plugin has a zero attack surface and no known CVEs, the identified code quality issues present a notable risk that should be addressed.

Key Concerns

  • Low output escaping percentage
  • Taint flows with unsanitized paths
  • No capability checks detected
Vulnerabilities
None known

PWA for WordPress Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

PWA for WordPress Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 24 (1 escaped)
  • Nonce Checks: 5
  • Capability Checks: 0
  • File Operations: 5
  • External Requests: 0
  • Bundled Libraries: 0

Output Escaping

4% escaped · 25 total outputs
Data Flows: 4 unsanitized

Data Flow Analysis

4 flows · 4 with unsanitized paths
pwa4wp_admin_init (admin\class-pwa4wp-admin.php:148)
[Flow diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized]
Attack Surface

PWA for WordPress Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 7
  • action · admin_enqueue_scripts · admin\class-pwa4wp-admin.php:51
  • action · admin_enqueue_scripts · admin\class-pwa4wp-admin.php:52
  • action · admin_menu · admin\class-pwa4wp-admin.php:53
  • action · admin_init · admin\class-pwa4wp-admin.php:54
  • action · plugins_loaded · includes\class-pwa4wp.php:151
  • action · wp_enqueue_scripts · public\class-pwa4wp-public.php:138
  • action · wp_head · public\class-pwa4wp-public.php:139
Maintenance & Trust

PWA for WordPress Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 5.1.22
  • Last updated: Apr 23, 2019
  • PHP min version: 5.4
  • Downloads: 9K

Community Trust

  • Rating: 100/100
  • Number of ratings: 4
  • Active installs: 300
Developer Profile

PWA for WordPress Developer Profile

Ryunosuke Shindo

1 plugin · 300 total installs

  • Trust score: 84
  • Avg Security Score: 85/100
  • Avg Patch Time: 30 days
Detection Fingerprints

How We Detect PWA for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/pwa4wp/css/pwa4wp-admin.css
  • /wp-content/plugins/pwa4wp/js/pwa4wp-admin.js
  • /wp-content/plugins/pwa4wp/js/media-uploader.js
Version Parameters
  • pwa4wp-admin.css?ver=
  • pwa4wp-admin.js?ver=
