WP-Safety

StaticPress Security & Risk Analysis

wordpress.org/plugins/staticpress

Transform your WordPress into static websites and blogs.

600 active installs v0.4.5 PHP + WP 3.5+ Updated May 27, 2016
static
64
C · Use Caution
CVEs total1
Unpatched1
Last CVEMar 31, 2025
Plugin page Download
Safety Verdict

Is StaticPress Safe to Use in 2026?

Use With Caution

Score 64/100

StaticPress has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Mar 31, 2025Updated 9yr ago
Risk Assessment

The StaticPress plugin, at version 0.4.5, presents a concerning security posture due to several significant weaknesses. While it does not utilize dangerous functions or have known critical or high severity vulnerabilities in its history, the static analysis reveals a substantial attack surface with all three identified AJAX handlers lacking proper authorization checks. This means that any user, even unauthenticated ones, could potentially trigger these handlers, leading to unintended actions or data manipulation. Furthermore, the plugin has a history of medium severity vulnerabilities, with one currently unpatched, indicating a pattern of authorization issues. The plugin's SQL query preparation is adequate, and a majority of output escaping is handled, but the lack of capability checks and the presence of unauthenticated AJAX endpoints are critical flaws. The absence of any taint analysis results is a neutral observation in this context, as it doesn't negate the existing evident risks. Overall, the plugin's strengths in avoiding overtly dangerous functions are overshadowed by critical authorization bypass vulnerabilities in its entry points and a history of similar past issues.

Key Concerns

  • Unpatched CVE present
  • AJAX handlers without auth checks (3)
  • No capability checks found
  • Output escaping not fully implemented (58%)
  • SQL queries not fully prepared (41%)
Vulnerabilities
1

StaticPress Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched
2025
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2025-31528medium · 4.3Missing Authorization

StaticPress <= 0.4.5 - Missing Authorization

Mar 31, 2025Unpatched
Code Analysis
Analyzed Mar 16, 2026

StaticPress Code Analysis

Dangerous Functions
0
Raw SQL Queries
13
19 prepared
Unescaped Output
19
26 escaped
Nonce Checks
1
Capability Checks
0
File Operations
3
External Requests
1
Bundled Libraries
0

SQL Query Safety

59% prepared32 total queries

Output Escaping

58% escaped45 total outputs
Attack Surface
3 unprotected

StaticPress Attack Surface

Entry Points3
Unprotected3

AJAX Handlers 3

authwp_ajax_static_press_initincludes\class-static_press.php:36
authwp_ajax_static_press_fetchincludes\class-static_press.php:37
authwp_ajax_static_press_finalyzeincludes\class-static_press.php:38
WordPress Hooks 11
actionadmin_menuincludes\class-static_press_admin.php:44
filterplugin_action_linksincludes\class-static_press_admin.php:45
actionadmin_headincludes\class-static_press_admin.php:47
actionadmin_footerincludes\class-static_press_admin.php:246
filterStaticPress::get_urlplugin.php:46
filterStaticPress::static_urlplugin.php:47
filterStaticPress::put_contentplugin.php:48
filterStaticPress::put_contentplugin.php:49
filterStaticPress::put_contentplugin.php:50
filterStaticPress::put_contentplugin.php:51
filterhttps_local_ssl_verifyplugin.php:52
Maintenance & Trust

StaticPress Maintenance & Trust

Maintenance Signals

WordPress version tested4.5.33
Last updatedMay 27, 2016
PHP min version
Downloads33K

Community Trust

Rating82/100
Number of ratings16
Active installs600
Alternatives

StaticPress Alternatives

Simply Static – The Static Site Generator

Simply Static – The Static Site Generator

simply-static

A
99

Convert WordPress to static HTML. Boost performance 3-5x. Eliminate security vulnerabilities. Deploy anywhere.

30K 2 CVEs
MAS Static Content

MAS Static Content

mas-static-content

A
99

MAS Static Content is a free plugin that allows you to to create a custom post type static content and use it with shortcode.

10K 1 CVE
HTML Import 2

HTML Import 2

import-html-pages

A
85

Imports well-formed HTML files into WordPress pages.

6K No CVEs
Export WordPress Pages to Static HTML & PDF — Static Site Export

Export WordPress Pages to Static HTML & PDF — Static Site Export

export-wp-page-to-static-html

A
87

Export WordPress pages, posts, and custom post types to clean static HTML or PDF files in one click. Create fast, secure static versions of your WordP &hellip;

5K 5 CVEs
WPGatsby

WPGatsby

wp-gatsby

A
85

WPGatsby is a free open-source WordPress plugin that optimizes your WordPress site to work as a data source for Gatsby. This plugin must be used in c &hellip;

3K No CVEs
Developer Profile

StaticPress Developer Profile

wokamoto

7 plugins · 12K total installs

81
trust score
Avg Security Score
82/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect StaticPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/staticpress/css/staticpress-admin.css/wp-content/plugins/staticpress/css/staticpress-style.css/wp-content/plugins/staticpress/js/staticpress-admin.js
Generator Patterns
StaticPress
Script Paths
/wp-content/plugins/staticpress/js/staticpress-admin.js
Version Parameters
staticpress/css/staticpress-admin.css?ver=staticpress/css/staticpress-style.css?ver=staticpress/js/staticpress-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
staticpress-admin-cssstaticpress-style
HTML Comments
StaticPress is loading admin CSS
Data Attributes
data-staticpress-urldata-staticpress-dir
JS Globals
staticpress
FAQ

Frequently Asked Questions about StaticPress