WP-Safety

ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization Security & Risk Analysis

wordpress.org/plugins/shortpixel-adaptive-images

Start serving properly sized, smart cropped & optimized images, plus CSS, JS and fonts from our CDN with a click; Automatic AVIF & WebP support.

10K active installs v3.11.1 PHP 5.6.40+ WP 4.7+ Updated Feb 2, 2026
avifconvertimage-optimizationlazy-loadwebp
96
A · Safe
CVEs total8
Unpatched0
Last CVEAug 1, 2025
Plugin page Download
Safety Verdict

Is ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization Safe to Use in 2026?

Generally Safe

Score 96/100

ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEsLast CVE: Aug 1, 2025Updated 2mo ago
Risk Assessment

The shortpixel-adaptive-images plugin v3.11.1 presents a mixed security posture. While it demonstrates good practices in SQL query handling and avoids bundled libraries, significant concerns arise from its attack surface and output escaping. The plugin exposes a large number of AJAX handlers (15 total) with a concerning 14 of them lacking proper authorization checks, creating a substantial entry point for unauthenticated attackers. Furthermore, only 9% of its extensive output is properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities, especially when combined with the unprotected AJAX endpoints. The taint analysis confirms this, revealing 3 high-severity flows, potentially exploitable through these unauthenticated routes. Despite having no currently unpatched CVEs, the plugin's history of 8 medium-severity vulnerabilities, including XSS, SSRF, CSRF, and authorization/access control issues, suggests a recurring pattern of security weaknesses. This history, coupled with the present code analysis findings, indicates that while the plugin authors are addressing past issues, fundamental security practices around input validation, authorization, and output escaping need significant improvement to mitigate current and future risks.

Key Concerns

  • Large attack surface without auth checks
  • High severity taint flows
  • Low output escaping rate
  • Use of unserialize
  • Missing nonce checks on AJAX
  • History of medium CVEs (8 total)
Vulnerabilities
8

ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization Security Vulnerabilities

CVEs by Year

1 CVE in 2022
2022
2 CVEs in 2023
2023
3 CVEs in 2024
2024
2 CVEs in 2025
2025
Patched Has unpatched

Severity Breakdown

Medium
8

8 total CVEs

CVE-2025-6626medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization <= 3.10.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via API URL

Aug 1, 2025 Patched in 3.10.5 (1d)
CVE-2025-30853medium · 4.3Missing Authorization

ShortPixel Adaptive Images <= 3.10.0 - Missing Authorization

Apr 1, 2025 Patched in 3.10.1 (8d)
CVE-2024-35172medium · 5.5Server-Side Request Forgery (SSRF)

ShortPixel Adaptive Images <= 3.8.3 - Authenticated (Admin+) Server-Side Request Forgery

May 10, 2024 Patched in 3.8.4 (6d)
CVE-2024-4689medium · 4.3Cross-Site Request Forgery (CSRF)

ShortPixel Adaptive Images <= 3.8.3 - Cross-Site Request Forgery

May 9, 2024 Patched in 3.8.4 (8d)
CVE-2024-31230medium · 5.3Missing Authorization

ShortPixel Adaptive Images <= 3.8.2 - Missing Authorization in activate_ai_handler and deactivate_ai_handler

Apr 2, 2024 Patched in 3.8.3 (5d)
CVE-2023-32512medium · 5.4Cross-Site Request Forgery (CSRF)

ShortPixel Adaptive Images <= 3.7.1 - Cross-Site Request Forgery via shortpixel_ai_handle_page_action

May 8, 2023 Patched in 3.7.2 (260d)
CVE-2023-0334medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ShortPixel Adaptive Images <= 3.6.1 - Reflected Cross-Site Scripting

Feb 2, 2023 Patched in 3.6.2 (355d)
CVE-2022-29417medium · 4.3Improper Access Control

ShortPixel Adaptive Images <= 3.3.1 - Subscriber+ Arbitrary Settings Update

Apr 25, 2022 Patched in 3.4.0 (637d)
Code Analysis
Analyzed Mar 16, 2026

ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization Code Analysis

Dangerous Functions
3
Raw SQL Queries
0
3 prepared
Unescaped Output
348
35 escaped
Nonce Checks
4
Capability Checks
3
File Operations
23
External Requests
6
Bundled Libraries
0

Dangerous Functions Found

unserialize$data = @unserialize($row->meta_value);includes\controllers\cli.class.php:32
unserialize$diviToolboxOptions = unserialize(get_option('dtb_toolbox', 'a:0:{}'));includes\controllers\short-pixel-ai.class.php:1486
unserialize$meta = unserialize($meta);includes\helpers\url-tools.class.php:419

SQL Query Safety

100% prepared3 total queries

Output Escaping

9% escaped383 total outputs
Data Flows
6 unsanitized

Data Flow Analysis

7 flows6 with unsanitized paths
enqueue (includes\front\vanilla-js-loader.class.php:15)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
14 unprotected

ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization Attack Surface

Entry Points15
Unprotected14

AJAX Handlers 15

authwp_ajax_shortpixel_ai_handle_feedback_actionincludes\controllers\feedback.class.php:309
authwp_ajax_shortpixel_ai_send_ratingincludes\controllers\feedback.class.php:311
authwp_ajax_shortpixel_ai_send_feedbackincludes\controllers\feedback.class.php:312
authwp_ajax_shortpixel_ai_handle_help_actionincludes\controllers\help.class.php:45
authwp_ajax_shortpixel_ai_handle_lqip_actionincludes\controllers\lqip.class.php:1016
noprivwp_ajax_shortpixel_ai_handle_lqip_actionincludes\controllers\lqip.class.php:1017
authwp_ajax_shortpixel_ai_handle_notice_actionincludes\controllers\notice.class.php:746
authwp_ajax_shortpixel_ai_handle_page_actionincludes\controllers\page.class.php:345
noprivwp_ajax_shortpixel_deactivate_aiincludes\controllers\short-pixel-ai.class.php:587
noprivwp_ajax_shortpixel_activate_aiincludes\controllers\short-pixel-ai.class.php:588
authwp_ajax_shortpixel_ai_add_selector_to_listincludes\controllers\short-pixel-ai.class.php:592
authwp_ajax_shortpixel_ai_remove_selector_from_listincludes\controllers\short-pixel-ai.class.php:593
authwp_ajax_shortpixel_deactivate_aiincludes\controllers\short-pixel-ai.class.php:594
authwp_ajax_shortpixel_activate_aiincludes\controllers\short-pixel-ai.class.php:595
authwp_ajax_spai_propose_upgradeincludes\controllers\short-pixel-ai.class.php:596
WordPress Hooks 56
actionadmin_footer-plugins.phpincludes\controllers\feedback.class.php:308
actioncurrent_screenincludes\controllers\help.class.php:44
filtercron_schedulesincludes\controllers\lqip.class.php:1011
actionwp_enqueue_scriptsincludes\controllers\lqip.class.php:1019
actionadmin_noticesincludes\controllers\notice.class.php:744
actionadmin_footerincludes\controllers\notice.class.php:745
actionadmin_noticesincludes\controllers\notice.class.php:747
actionadmin_initincludes\controllers\options.class.php:34
actioninitincludes\controllers\page.class.php:339
actionadmin_footerincludes\controllers\page.class.php:340
actionadmin_initincludes\controllers\page.class.php:341
actionadmin_menuincludes\controllers\page.class.php:342
actionadmin_bar_menuincludes\controllers\page.class.php:343
actionadmin_enqueue_scriptsincludes\controllers\page.class.php:344
actionwp_enqueue_scriptsincludes\controllers\page.class.php:348
actioninitincludes\controllers\short-pixel-ai.class.php:124
filterwp_calculate_image_srcsetincludes\controllers\short-pixel-ai.class.php:157
actionelementor/element/parse_cssincludes\controllers\short-pixel-ai.class.php:166
filterngg_pro_lightbox_images_queueincludes\controllers\short-pixel-ai.class.php:171
filterrocket_css_contentincludes\controllers\short-pixel-ai.class.php:178
filterwpfc_css_contentincludes\controllers\short-pixel-ai.class.php:184
filterw3tc_minify_css_contentincludes\controllers\short-pixel-ai.class.php:190
filterwpo_minify_get_cssincludes\controllers\short-pixel-ai.class.php:196
filterlitespeed_css_serveincludes\controllers\short-pixel-ai.class.php:203
filterlitespeed_optm_cssjsincludes\controllers\short-pixel-ai.class.php:204
filterswift_performance_critical_css_contentincludes\controllers\short-pixel-ai.class.php:243
filterswift_performance_css_contentincludes\controllers\short-pixel-ai.class.php:252
filterwpincludes\controllers\short-pixel-ai.class.php:263
filterdo_rocket_lazyloadincludes\controllers\short-pixel-ai.class.php:280
actionadmin_bar_menuincludes\controllers\short-pixel-ai.class.php:559
actionadmin_bar_menuincludes\controllers\short-pixel-ai.class.php:560
filterwp_lazy_loading_enabledincludes\controllers\short-pixel-ai.class.php:566
actionwp_enqueue_scriptsincludes\controllers\short-pixel-ai.class.php:575
actioninitincludes\controllers\short-pixel-ai.class.php:576
filterscript_loader_tagincludes\controllers\short-pixel-ai.class.php:583
actionadmin_enqueue_scriptsincludes\controllers\short-pixel-ai.class.php:619
actionadmin_enqueue_scriptsincludes\controllers\short-pixel-ai.class.php:620
actionswitch_themeincludes\controllers\short-pixel-ai.class.php:634
actionafter_switch_themeincludes\controllers\short-pixel-ai.class.php:642
actionafter_setup_themeincludes\controllers\short-pixel-ai.class.php:649
actionswift_performance_before_clear_all_cacheincludes\controllers\short-pixel-ai.class.php:660
actionw3tc_flush_allincludes\controllers\short-pixel-ai.class.php:663
actionwpfc_delete_cacheincludes\controllers\short-pixel-ai.class.php:666
actionwp_cache_clearedincludes\controllers\short-pixel-ai.class.php:669
actionlitespeed_purged_all_cssjsincludes\controllers\short-pixel-ai.class.php:672
actionbefore_rocket_clean_minifyincludes\controllers\short-pixel-ai.class.php:675
filterrocket_defer_inline_exclusionsincludes\front\jquery-js-loader.class.php:78
filterbody_classincludes\front\js-loader.class.php:66
actionwp_headincludes\front\js-loader.class.php:72
actionwp_headincludes\front\vanilla-js-loader.class.php:17
filterrocket_defer_inline_exclusionsincludes\front\vanilla-js-loader.class.php:147
filterrocket_delay_js_exclusionsincludes\front\vanilla-js-loader.class.php:148
filterrocket_cache_reject_uriincludes\helpers\cache-cleaner.class.php:212
filterswift_performance_is_cacheableincludes\helpers\cache-cleaner.class.php:222
filterbypass_cacheincludes\helpers\cache-cleaner.class.php:227
actionafter_setup_themeshort-pixel-ai.php:114
Maintenance & Trust

ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 2, 2026
PHP min version5.6.40
Downloads1.5M

Community Trust

Rating96/100
Number of ratings143
Active installs10K
Alternatives

ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization Alternatives

Image Optimizer – Optimize Images and Convert to WebP or AVIF

Image Optimizer – Optimize Images and Convert to WebP or AVIF

image-optimization

A
99

Automatically resize, optimize, and convert images to WebP and AVIF. Compress images in bulk or on upload to boost your WordPress site performance.

1.0M 1 CVE
Imagify Image Optimization – Optimize Images | Compress Images | Convert WebP | Convert AVIF

Imagify Image Optimization – Optimize Images | Compress Images | Convert WebP | Convert AVIF

imagify

A
100

Optimize images in 1-click: compress images, convert to WebP & AVIF, resize, and boost your site with the easiest WordPress image optimization plugin!

1.0M No CVEs
Optimole – Optimize Images in Real Time

Optimole – Optimize Images in Real Time

optimole-wp

A
96

Automatically optimize images: bulk compression, lazy loading, WebP/AVIF conversion. With CloudFront image CDN to boost Core Web Vitals & conversions!

200K 3 CVEs
Pressidium Performance

Pressidium Performance

pressidium-performance

A
100

Speed up your WordPress site, improve Core Web Vitals and enhance user experience with one-click image optimization, CSS & JavaScript minification.

100 No CVEs
JPrompt's Pixengine – Image Converter & Optimizer

JPrompt's Pixengine – Image Converter & Optimizer

jprompts-pixengine

A
100

Automatically convert and optimize images to WebP and AVIF formats with intelligent resizing, lazy loading, and caching. Boost page speed by 40-70% wi &hellip;

0 No CVEs
Developer Profile

ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization Developer Profile

ShortPixel

8 plugins · 1.2M total installs

77
trust score
Avg Security Score
97/100
Avg Patch Time
230 days
View full developer profile
Detection Fingerprints

How We Detect ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/shortpixel-adaptive-images/assets/css/spai-main.css/wp-content/plugins/shortpixel-adaptive-images/assets/js/spai-main.js/wp-content/plugins/shortpixel-adaptive-images/assets/js/spai-admin.js
Script Paths
/wp-content/plugins/shortpixel-adaptive-images/assets/js/spai-main.js/wp-content/plugins/shortpixel-adaptive-images/assets/js/spai-admin.js
Version Parameters
shortpixel-adaptive-images/assets/css/spai-main.css?ver=shortpixel-adaptive-images/assets/js/spai-main.js?ver=shortpixel-adaptive-images/assets/js/spai-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
spai-main
Data Attributes
data-spai-loaddata-spai-srcdata-spai-bg
JS Globals
ShortPixelAIspai_settings
REST Endpoints
/wp-json/spai/v1/optimize
FAQ

Frequently Asked Questions about ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization