Speed Analyzer Security & Risk Analysis

wordpress.org/plugins/speed-analyzer

Test and audit your website's speed directly inside the WordPress dashboard. TTFB, Request Count, Google PSI LCP/FCP, Autoload Options, and more.

100 active installs · v1.18.1 · PHP 7.0+ · WP 5.0+ · Updated Mar 11, 2026
Tags: pagespeed, performance, speed, ttfb
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Speed Analyzer Safe to Use in 2026?

Generally Safe

Score 100/100

Speed Analyzer has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The "speed-analyzer" v0.045 plugin presents a mixed security profile. On the positive side, it demonstrates good practices in several key areas. The absence of known CVEs and a clean vulnerability history indicate a potentially well-maintained codebase, or at least one that hasn't been a target for public exploitation. The high percentage of SQL queries using prepared statements and properly escaped output are strong indicators of a developer mindful of common web vulnerabilities like SQL injection and Cross-Site Scripting (XSS). The presence of nonce and capability checks, though not universally applied, also suggests an awareness of authentication and authorization principles.

However, a significant concern arises from the attack surface analysis. With 13 AJAX handlers in total, 5 of them lack authentication checks. This creates direct entry points for unauthenticated users to interact with the plugin's functionality, which can be a significant security risk if these handlers perform sensitive operations or can be leveraged to disclose information.

The taint analysis, while limited in scope (9 flows analyzed), did identify 2 flows with unsanitized paths. Although these were not flagged as critical or high severity, unsanitized path flows can be precursors to directory traversal or file inclusion vulnerabilities, especially when combined with file operations. The plugin also performs 14 external HTTP requests, which could introduce risks if the target URLs are compromised or if the plugin fails to properly validate responses from these external sources.

In conclusion, while "speed-analyzer" v0.045 benefits from a lack of known vulnerabilities and good practices in data handling (prepared statements, output escaping), the presence of unprotected AJAX handlers represents a notable weakness. The unsanitized path flows in taint analysis, although low severity, warrant attention. Future development should prioritize securing all AJAX endpoints and thoroughly reviewing any code handling file paths.

Key Concerns

  • Unprotected AJAX handlers
  • Taint flows with unsanitized paths
Vulnerabilities
None known

Speed Analyzer Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Speed Analyzer Release Timeline

v1.18.1 (Current)
v1.18
v1.17.9
v1.17.8
v1.17.7
v1.17.6
v1.17.5
v1.17.3
v1.17.2
v1.17.1
v1.17
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16
v1.15.1
v1.15
Code Analysis
Analyzed Mar 16, 2026

Speed Analyzer Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (11 prepared)
Unescaped Output: 51 (444 escaped)
Nonce Checks: 18
Capability Checks: 21
File Operations: 35
External Requests: 14
Bundled Libraries: 0

SQL Query Safety

79% prepared · 14 total queries

Output Escaping

90% escaped · 495 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

9 flows · 2 with unsanitized paths
wpsa_render_tool_page (wp-speed-analyzer.php:776)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
5 unprotected

Speed Analyzer Attack Surface

Entry Points: 13
Unprotected: 5

AJAX Handlers 13

auth  wp_ajax_wpsa_performance            diagnostics.php:165
auth  wp_ajax_wpsa_log_module5            diagnostics.php:519
auth  wp_ajax_wpsa_log_module5_diag       diagnostics.php:816
auth  wp_ajax_wpsa_get_psi_screenshot     diagnostics.php:1120
auth  wp_ajax_wpsa_get_cwv_assessment     diagnostics.php:1230
auth  wp_ajax_wpsa_load_test              editors.php:231
auth  wp_ajax_wpsa_psi                    modules.php:44
auth  wp_ajax_wpsa_log_module2            modules.php:545
auth  wp_ajax_wpsa_log_module5_diag       modules.php:607
auth  wp_ajax_wpsa_schedule_batch_status  schedule.php:3830
auth  wp_ajax_wpsa_pdf_report             wp-speed-analyzer.php:47
auth  wp_ajax_wpsa_pdf_quota              wp-speed-analyzer.php:109
auth  wp_ajax_wpsa_module7                wp-speed-analyzer.php:130
WordPress Hooks 18
action  admin_head-plugins.php           editors.php:21
action  admin_head-edit.php              editors.php:65
action  admin_footer-edit.php            editors.php:193
filter  manage_pages_columns             editors.php:557
filter  manage_posts_columns             editors.php:558
action  manage_pages_custom_column       editors.php:603
action  manage_posts_custom_column       editors.php:604
action  admin_init                       helpers.php:14
action  admin_notices                    helpers.php:19
action  admin_enqueue_scripts            modules.php:1107
filter  cron_schedules                   schedule.php:1734
action  init                             schedule.php:1750
action  wpsa_run_scheduled_tests         schedule.php:1775
action  admin_post_wpsa_save_schedule    schedule.php:2743
action  admin_menu                       wp-speed-analyzer.php:179
action  admin_enqueue_scripts            wp-speed-analyzer.php:190
action  admin_post_wpsa_save_license     wp-speed-analyzer.php:357
action  admin_post_wpsa_save_pdf_custom  wp-speed-analyzer.php:523
Maintenance & Trust

Speed Analyzer Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version: 7.0
Downloads: 3K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 100
Developer Profile

Speed Analyzer Developer Profile

Dalibor

2 plugins · 100 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Speed Analyzer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/speed-analyzer/admin-styles.css
/wp-content/plugins/speed-analyzer/admin-scripts.js
/wp-content/plugins/speed-analyzer/admin-widgets.js
/wp-content/plugins/speed-analyzer/cwv-ui.js
Script Paths
/wp-content/plugins/speed-analyzer/admin-scripts.js
/wp-content/plugins/speed-analyzer/admin-widgets.js
/wp-content/plugins/speed-analyzer/cwv-ui.js
Version Parameters
speed-analyzer/admin-styles.css?ver=
speed-analyzer/admin-scripts.js?ver=
speed-analyzer/admin-widgets.js?ver=
speed-analyzer/cwv-ui.js?ver=

HTML / DOM Fingerprints

JS Globals
wpsa_pdf_report
wpsa_pdf_quota
wpsa_module7
REST Endpoints
/wp-json/wpsa/