ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF Security & Risk Analysis

wordpress.org/plugins/shortpixel-image-optimiser

Optimize images & PDFs smartly. Create and compress next-gen WebP and AVIF formats. Smart crop and resize.

300K active installs · v6.4.3 · PHP 7.4+ · WP 4.8.0+ · Updated Jan 29, 2026
Tags: compress-images, convert-webp, image-optimization, optimize-images, resize
Score: 95 · A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Feb 4, 2026
Safety Verdict

Is ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF Safe to Use in 2026?

Generally Safe

Score 95/100

ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Feb 4, 2026 · Updated 2mo ago
Risk Assessment

The "shortpixel-image-optimiser" v6.4.3 plugin exhibits a mixed security posture. On the positive side, it demonstrates strong practices in SQL query handling, exclusively using prepared statements, and a good proportion of its output is properly escaped. The absence of dangerous functions and bundled libraries is also reassuring. However, a significant concern arises from its attack surface, with 5 out of 6 AJAX handlers lacking authentication checks. This creates a considerable risk of unauthorized actions being performed through these endpoints. The taint analysis, while not revealing critical or high severity issues, did identify flows with unsanitized paths, which warrants attention. The plugin's vulnerability history, with 6 known medium severity CVEs across various common types like Path Traversal and Missing Authorization, suggests a recurring pattern of security weaknesses that have been addressed in past versions. While there are no currently unpatched vulnerabilities, this history indicates potential for similar issues to arise if not carefully managed. The fact that the last vulnerability was in the future (2026-02-04) is likely a data anomaly and should be disregarded in the assessment.

Key Concerns

  • 5 AJAX handlers without authentication checks
  • 2 Taint flows with unsanitized paths
  • History of 6 medium severity CVEs
  • 8 Nonce checks for 6 entry points
Vulnerabilities
6

ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2023: 1 CVE
  • 2024: 2 CVEs
  • 2025: 1 CVE
  • 2026: 1 CVE

Severity Breakdown

Medium: 6

6 total CVEs

CVE-2026-1246 · medium · 4.9 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ShortPixel Image Optimizer <= 6.4.2 - Authenticated (Editor+) Arbitrary File Read via 'loadFile' Parameter
Feb 4, 2026 · Patched in 6.4.3 (1d)

CVE-2025-11378 · medium · 5.4 · Missing Authorization
ShortPixel Image Optimizer <= 6.3.4 - Authenticated (Contributor+) Settings Import/Export
Oct 17, 2025 · Patched in 6.3.5 (1d)

CVE-2024-48044 · medium · 4.3 · Missing Authorization
ShortPixel Image Optimizer <= 5.6.3 - Missing Authorization
Oct 13, 2024 · Patched in 5.6.4 (6d)

CVE-2024-48043 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ShortPixel Image Optimizer <= 5.6.3 - Authenticated (Editor+) SQL Injection
Oct 13, 2024 · Patched in 5.6.4 (6d)

WF-9f23bf62-6008-4a9c-a7ae-a2e513699684-shortpixel-image-optimiser · medium · 6.6 · Deserialization of Untrusted Data
ShortPixel Image Optimizer <= 5.4.1 - Authenticated(Editor+) PHP Object Injection
Sep 14, 2023 · Patched in 5.4.2 (131d)

WF-7f9b86a3-c68a-443f-a2f3-5f31f3280a6f-shortpixel-image-optimiser · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ShortPixel Image Optimizer <= 4.22.9 - Reflected Cross-Site Scripting
Jun 2, 2022 · Patched in 4.22.10 (600d)
Code Analysis
Analyzed Mar 16, 2026

ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (103 prepared)
Unescaped Output: 159 (576 escaped)
Nonce Checks: 8
Capability Checks: 6
File Operations: 17
External Requests: 13
Bundled Libraries: 0

SQL Query Safety

100% prepared · 103 total queries

Output Escaping

78% escaped · 735 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

3 flows · 2 with unsanitized paths
getItemView (class\Controller\AjaxController.php:103)
Attack Surface
5 unprotected

ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF Attack Surface

Entry Points: 6
Unprotected: 5

AJAX Handlers: 6

auth · wp_ajax_shortpixel_deactivate_plugin · class\view\shortpixel-feedback.php:38
auth · wp_ajax_shortpixel_image_processing · shortpixel-plugin.php:273
auth · wp_ajax_shortpixel_propose_upgrade · shortpixel-plugin.php:279
auth · wp_ajax_shortpixel_check_quota · shortpixel-plugin.php:280
auth · wp_ajax_shortpixel_ajaxRequest · shortpixel-plugin.php:283
auth · wp_ajax_shortpixel_settingsRequest · shortpixel-plugin.php:284

WordPress Hooks: 59

filter · posts_where · class\Controller\AdminController.php:450
action · admin_notices · class\Controller\AdminNoticesController.php:53
action · admin_footer · class\Controller\AdminNoticesController.php:54
action · admin_notices · class\Controller\AdminNoticesController.php:64
filter · cron_schedules · class\Controller\CronController.php:24
filter · script_loader_src · class\Controller\Front\CDNController.php:245
filter · style_loader_src · class\Controller\Front\CDNController.php:249
action · shortpixel/image/after_restore · class\Controller\Front\CDNController.php:772
action · shortpixel/image/optimised · class\Controller\Front\CDNController.php:773
filter · status_header · class\Controller\Front\PageConverter.php:94
action · init · class\Controller\Front\PictureController.php:25
action · add_meta_boxes_attachment · class\Controller\View\EditMediaViewController.php:37
filter · manage_media_columns · class\Controller\View\ListMediaViewController.php:44
action · manage_media_custom_column · class\Controller\View\ListMediaViewController.php:45
action · restrict_manage_posts · class\Controller\View\ListMediaViewController.php:49
action · loop_end · class\Controller\View\ListMediaViewController.php:51
action · plugins_loaded · class\Model\EnvironmentModel.php:62
action · current_screen · class\Model\EnvironmentModel.php:63
filter · as3cf_wait_for_generate_attachment_metadata · class\Model\Image\MediaLibraryModel.php:2246
action · shutdown · class\Model\SettingsModel.php:135
action · admin_footer-plugins.php · class\view\shortpixel-feedback.php:37
action · plugins_loaded · shortpixel-plugin.php:49
action · init · shortpixel-plugin.php:85
action · init · shortpixel-plugin.php:86
action · admin_init · shortpixel-plugin.php:87
action · admin_post_shortpixel_deactivate_conflict_plugin · shortpixel-plugin.php:102
action · admin_menu · shortpixel-plugin.php:174
action · admin_enqueue_scripts · shortpixel-plugin.php:175
action · admin_enqueue_scripts · shortpixel-plugin.php:176
action · admin_enqueue_scripts · shortpixel-plugin.php:177
action · enqueue_block_assets · shortpixel-plugin.php:178
action · shortpixel-thumbnails-regenerated · shortpixel-plugin.php:182
action · rta/image/thumbnails_regenerated · shortpixel-plugin.php:183
action · rta/image/thumbnails_removed · shortpixel-plugin.php:184
action · rta/image/scaled_image_regenerated · shortpixel-plugin.php:185
action · load-upload.php · shortpixel-plugin.php:189
action · load-post.php · shortpixel-plugin.php:190
action · wp_handle_replace · shortpixel-plugin.php:196
action · shortpixel/hook/processqueue · shortpixel-plugin.php:199
action · shortpixel/hook/scancustomfolders · shortpixel-plugin.php:200
action · print_media_templates · shortpixel-plugin.php:204
filter · wp_get_attachment_url · shortpixel-plugin.php:207
filter · rest_post_dispatch · shortpixel-plugin.php:209
action · shortpixel-thumbnails-before-regenerate · shortpixel-plugin.php:216
action · enable-media-replace-upload-done · shortpixel-plugin.php:218
filter · wp_generate_attachment_metadata · shortpixel-plugin.php:220
action · add_attachment · shortpixel-plugin.php:221
filter · mpp_generate_metadata · shortpixel-plugin.php:224
filter · wp_generate_attachment_metadata · shortpixel-plugin.php:233
filter · mpp_generate_metadata · shortpixel-plugin.php:234
action · delete_attachment · shortpixel-plugin.php:243
action · mime_types · shortpixel-plugin.php:244
action · wplr_sync_media · shortpixel-plugin.php:248
action · admin_bar_menu · shortpixel-plugin.php:250
filter · load_image_to_edit_path · shortpixel-plugin.php:253
filter · wp_save_image_editor_file · shortpixel-plugin.php:254
filter · pre_get_posts · shortpixel-plugin.php:260
action · network_admin_menu · shortpixel-plugin.php:265
action · admin_notices · wp-shortpixel.php:22

Maintenance & Trust

ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 29, 2026
PHP min version: 7.4
Downloads: 18.5M

Community Trust

Rating: 90/100
Number of ratings: 802
Active installs: 300K

Developer Profile

ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF Developer Profile

ShortPixel

8 plugins · 1.2M total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 239 days

Detection Fingerprints

How We Detect ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/shortpixel-image-optimiser/build/admin/css/admin.css
  • /wp-content/plugins/shortpixel-image-optimiser/build/admin/js/admin.js
  • /wp-content/plugins/shortpixel-image-optimiser/build/admin/css/admin-common.css
  • /wp-content/plugins/shortpixel-image-optimiser/build/admin/js/admin-common.js
  • /wp-content/plugins/shortpixel-image-optimiser/build/frontend/css/shortpixel-lazy-loader.css
  • /wp-content/plugins/shortpixel-image-optimiser/build/frontend/js/shortpixel-lazy-loader.js
  • /wp-content/plugins/shortpixel-image-optimiser/build/frontend/js/shortpixel-retina-js.js
  • /wp-content/plugins/shortpixel-image-optimiser/build/frontend/js/shortpixel-front.js
Script Paths
  • /wp-content/plugins/shortpixel-image-optimiser/build/admin/js/admin.js
  • /wp-content/plugins/shortpixel-image-optimiser/build/admin/js/admin-common.js
  • /wp-content/plugins/shortpixel-image-optimiser/build/frontend/js/shortpixel-lazy-loader.js
  • /wp-content/plugins/shortpixel-image-optimiser/build/frontend/js/shortpixel-retina-js.js
  • /wp-content/plugins/shortpixel-image-optimiser/build/frontend/js/shortpixel-front.js
Version Parameters
  • shortpixel-image-optimiser/build/admin/css/admin.css?ver=
  • shortpixel-image-optimiser/build/admin/js/admin.js?ver=
  • shortpixel-image-optimiser/build/admin/css/admin-common.css?ver=
  • shortpixel-image-optimiser/build/admin/js/admin-common.js?ver=
  • shortpixel-image-optimiser/build/frontend/css/shortpixel-lazy-loader.css?ver=
  • shortpixel-image-optimiser/build/frontend/js/shortpixel-lazy-loader.js?ver=
  • shortpixel-image-optimiser/build/frontend/js/shortpixel-retina-js.js?ver=
  • shortpixel-image-optimiser/build/frontend/js/shortpixel-front.js?ver=

HTML / DOM Fingerprints

CSS Classes
spio-admin-notice, shortpixel-admin-notice, shortpixel-settings-wrap, shortpixel-dialog, spio-dialog-body, spio-dialog-header, spio-modal-buttons, spio-dialog-close, +5 more
HTML Comments
  • <!-- Begin ShortPixel Admin Notice -->
  • <!-- ShortPixel Optimize -->
  • <!-- ShortPixel Lazy Loader -->
Data Attributes
data-spio-id, data-shortpixel-id, data-spio-original-src, data-spio-original-srcset, data-spio-lazy
JS Globals
shortPixel, shortPixelAdmin, shortPixelLazyLoader, spio_ajax_object
REST Endpoints
  • /wp-json/shortpixel/v1/admin-notice
  • /wp-json/shortpixel/v1/api-key-check
  • /wp-json/shortpixel/v1/bulk-optimize
  • /wp-json/shortpixel/v1/sync-library