Unplug Security & Risk Analysis

wordpress.org/plugins/unplug

Cut the plugin bloat. See which plugins are actually being used on your sites and which ones are just plugin bloat.

0 active installs · v1.3.0 · PHP 7.4+ · WP 5.0+ · Updated Sep 3, 2025
Tags: performance, plugin-analysis, plugin-cleanup, plugin-optimization, speed-optimization

Score: 100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never

Safety Verdict

Is Unplug Safe to Use in 2026?

Generally Safe

Score 100/100

Unplug has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 7mo ago

Risk Assessment

The "unplug" v1.3.0 plugin exhibits a mixed security posture. On the positive side, the plugin demonstrates strong adherence to secure coding practices, with a very high percentage of SQL queries using prepared statements and output being properly escaped. The absence of dangerous functions and critical or high severity taint analysis flows further contributes to a generally robust codebase. Furthermore, the plugin has a clean vulnerability history, with no recorded CVEs, suggesting a commitment to security or simply a lack of prior discovery of vulnerabilities.

However, the plugin exposes a substantial attack surface through its AJAX handlers: 27 out of 31 handlers lack authentication checks. This is a considerable risk, because unauthorized users could potentially interact with these endpoints and trigger unintended actions. The plugin has a low number of file operations and external HTTP requests and, as far as the available code signals show, uses nonces and capability checks reasonably well, but the sheer volume of unprotected AJAX entry points is a major vulnerability in its current state. This exposure undermines the plugin's strengths in secure coding practices.

In conclusion, while "unplug" v1.3.0 demonstrates excellent internal coding hygiene concerning SQL and output handling, its security is severely compromised by a large, unprotected AJAX attack surface. The lack of past vulnerabilities is a positive indicator but does not negate the immediate and substantial risk posed by the unprotected AJAX endpoints. Addressing these unprotected handlers should be the highest priority to improve the plugin's overall security.

Key Concerns

  • Unprotected AJAX handlers
Vulnerabilities
None known

Unplug Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Unplug Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 4 (91 prepared)
Unescaped Output: 6 (296 escaped)
Nonce Checks: 14
Capability Checks: 17
File Operations: 24
External Requests: 4
Bundled Libraries: 0

SQL Query Safety

96% prepared · 95 total queries

Output Escaping

98% escaped · 302 total outputs

Attack Surface
27 unprotected

Unplug Attack Surface

Entry Points: 32
Unprotected: 27

AJAX Handlers 31

auth    wp_ajax_unplug_run_location_test    admin\class-unplug-admin.php:54
nopriv    wp_ajax_unplug_run_location_test    admin\class-unplug-admin.php:55
auth    wp_ajax_unplug_refresh_plugins    admin\class-unplug-admin.php:56
auth    wp_ajax_unplug_manual_cleanup    includes\class-unplug-cleanup.php:51
auth    wp_ajax_unplug_refresh_plugins    includes\class-unplug.php:214
auth    wp_ajax_unplug_start_scan    includes\class-unplug.php:215
auth    wp_ajax_unplug_scan_progress    includes\class-unplug.php:216
auth    wp_ajax_unplug_export_csv    includes\class-unplug.php:217
auth    wp_ajax_unplug_generate_report    includes\class-unplug.php:218
auth    wp_ajax_unplug_clear_location_data    includes\class-unplug.php:219
auth    wp_ajax_unplug_export_location_data    includes\class-unplug.php:220
auth    wp_ajax_unplug_get_confirmation_token    includes\class-unplug.php:221
auth    wp_ajax_unplug_get_plugin_inventory    includes\class-unplug.php:222
auth    wp_ajax_unplug_detect_plugin_conflicts    includes\class-unplug.php:223
auth    wp_ajax_unplug_get_plugins_by_category    includes\class-unplug.php:224
auth    wp_ajax_unplug_analyze_conflict_patterns    includes\class-unplug.php:225
auth    wp_ajax_unplug_export_conflict_analysis    includes\class-unplug.php:226
auth    wp_ajax_unplug_get_warnings    includes\class-unplug.php:227
auth    wp_ajax_unplug_update_warning_status    includes\class-unplug.php:228
auth    wp_ajax_unplug_dismiss_warning    includes\class-unplug.php:229
auth    wp_ajax_unplug_generate_warnings    includes\class-unplug.php:230
auth    wp_ajax_unplug_get_safe_mode_status    includes\class-unplug.php:233
auth    wp_ajax_unplug_activate_safe_mode    includes\class-unplug.php:234
auth    wp_ajax_unplug_deactivate_safe_mode    includes\class-unplug.php:235
auth    wp_ajax_unplug_restore_from_backup    includes\class-unplug.php:236
auth    wp_ajax_unplug_get_backup_states    includes\class-unplug.php:237
auth    wp_ajax_unplug_delete_backup_state    includes\class-unplug.php:238
auth    wp_ajax_unplug_run_activity_test    includes\class-unplug.php:239
auth    wp_ajax_unplug_get_progress    unplug.php:83
auth    wp_ajax_unplug_remove_queue_task    unplug.php:117
auth    wp_ajax_unplug_export_plugins_csv    unplug.php:147

REST API Routes 1

GET    /wp-json/unplug/v1/queue-progress/(?P<id>\d+)    includes\class-unplug-rest-api.php:6

WordPress Hooks 43

action    save_post    includes\class-unplug-activity-scan-engine.php:142
action    delete_post    includes\class-unplug-activity-scan-engine.php:143
action    activated_plugin    includes\class-unplug-activity-scan-engine.php:144
action    deactivated_plugin    includes\class-unplug-activity-scan-engine.php:145
action    unplug_activity_scan    includes\class-unplug-activity-scan-engine.php:152
action    wp_enqueue_scripts    includes\class-unplug-asset-detector.php:45
action    admin_enqueue_scripts    includes\class-unplug-asset-detector.php:46
action    template_redirect    includes\class-unplug-asset-detector.php:49
action    admin_init    includes\class-unplug-asset-detector.php:50
action    init    includes\class-unplug-performance-impact.php:47
action    wp_head    includes\class-unplug-performance-impact.php:48
action    wp_footer    includes\class-unplug-performance-impact.php:49
action    wp_footer    includes\class-unplug-performance-impact.php:50
action    shutdown    includes\class-unplug-performance-impact.php:51
action    wp_enqueue_scripts    includes\class-unplug-performance-impact.php:54
action    wp_enqueue_scripts    includes\class-unplug-performance-impact.php:55
action    activated_plugin    includes\class-unplug-plugin-inventory.php:162
action    deactivated_plugin    includes\class-unplug-plugin-inventory.php:163
action    delete_plugin    includes\class-unplug-plugin-inventory.php:164
action    unplug_update_plugin_inventory    includes\class-unplug-plugin-inventory.php:171
action    admin_init    includes\class-unplug-plugin-inventory.php:172
action    rest_api_init    includes\class-unplug-rest-api.php:5
filter    plugin_action_links    includes\class-unplug-safe-mode.php:683
action    admin_init    includes\class-unplug-safe-mode.php:684
action    admin_init    includes\class-unplug-safe-mode.php:689
action    admin_notices    includes\class-unplug-safe-mode.php:694
action    unplug_daily_cleanup    includes\class-unplug-safe-mode.php:699
action    plugins_loaded    includes\class-unplug.php:194
action    admin_enqueue_scripts    includes\class-unplug.php:207
action    admin_enqueue_scripts    includes\class-unplug.php:208
action    admin_menu    includes\class-unplug.php:209
action    admin_init    includes\class-unplug.php:210
action    admin_notices    includes\class-unplug.php:211
action    wp_enqueue_scripts    includes\class-unplug.php:252
action    wp_enqueue_scripts    includes\class-unplug.php:253
action    plugins_loaded    includes\class-unplug.php:265
action    init    includes\class-unplug.php:277
action    admin_init    includes\class-unplug.php:298
action    init    includes\class-unplug.php:314
action    unplug_background_scan    includes\class-unplug.php:321
action    unplug_cleanup_scan_results    includes\class-unplug.php:328
action    init    includes\class-unplug.php:340
action    init    includes\class-unplug.php:343

Scheduled Events 4

unplug_activity_scan
unplug_update_plugin_inventory
unplug_background_scan
unplug_cleanup_scan_results
Maintenance & Trust

Unplug Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Sep 3, 2025
PHP min version: 7.4
Downloads: 234

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0

Developer Profile

Unplug Developer Profile

Mulberry Tech

1 plugin · 0 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Unplug

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/unplug/admin/css/unplug-admin-main.css
  • /wp-content/plugins/unplug/admin/js/unplug-admin-main.js
  • /wp-content/plugins/unplug/public/css/unplug-public-main.css
  • /wp-content/plugins/unplug/public/js/unplug-public-main.js
Script Paths
  • /wp-content/plugins/unplug/admin/js/unplug-admin-main.js
  • /wp-content/plugins/unplug/public/js/unplug-public-main.js
Version Parameters
  • unplug/admin/css/unplug-admin-main.css?ver=
  • unplug/admin/js/unplug-admin-main.js?ver=
  • unplug/public/css/unplug-public-main.css?ver=
  • unplug/public/js/unplug-public-main.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • unplug-admin-section
  • unplug-spinner
  • unplug-progress-bar
  • unplug-log-output
  • unplug-modal
  • unplug-scan-results
HTML Comments
  • <!-- Unplug Admin notices -->
  • <!-- Unplug Scan Results -->
  • <!-- Unplug Plugin List -->
  • <!-- Unplug Queue -->
  • +1 more
Data Attributes
  • data-unplug-task-id
  • data-unplug-nonce
  • data-unplug-action
JS Globals
  • unplug_ajax_object
REST Endpoints
  • /wp-json/unplug/v1/scan
  • /wp-json/unplug/v1/settings

FAQ

Frequently Asked Questions about Unplug