URLsLab Security & Risk Analysis

wordpress.org/plugins/urlslab

Boost SEO and performance with minimal effort.

30 active installs · v2.132.6 · PHP 8.1+ · WP 6.0+ · Updated Feb 27, 2026
Tags: ai, cache, gpt, performance, seo
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is URLsLab Safe to Use in 2026?

Generally Safe

Score 100/100

URLsLab has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The "urlslab" v2.132.6 plugin exhibits a generally good security posture, with a substantial majority of SQL queries and output operations being properly handled. The lack of known CVEs and the plugin's focus on prepared statements and capability checks are positive indicators. However, the static analysis reveals several areas for concern that temper an otherwise strong assessment. The presence of dangerous functions like `unserialize` and `exec` is a significant red flag, as these can lead to code execution if user-controlled input is not meticulously sanitized. Furthermore, the taint analysis indicates that all analyzed flows involve unsanitized paths, suggesting a potential for vulnerabilities even if no critical or high-severity issues were explicitly flagged in this scan. The complete absence of nonce checks is also concerning, especially given the existence of cron events, which could potentially be triggered by unauthenticated users if not properly secured. While the vulnerability history is clean, this does not negate the risks identified in the current code analysis.

Key Concerns

  • Dangerous functions `unserialize` and `exec` found
  • All taint flows have unsanitized paths
  • No nonce checks found
  • SQL queries not using prepared statements found
  • Output not properly escaped found
  • Bundled library Guzzle detected
Vulnerabilities
None known

URLsLab Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

URLsLab Release Timeline

v2.132.6 (Current)
v2.132.4-beta.0
v2.130.22
v2.130.21
v2.130.20
v2.130.17
v2.130.15
v2.130.10
v2.130.9
v2.130.7
v2.130.6
v2.130.2
v2.130.1
v2.130.0
v2.129.5
v2.128.8
v2.128.7
v2.128.3
v2.121.5
v2.121.4
Code Analysis
Analyzed Mar 16, 2026

URLsLab Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 29 (475 prepared)
Unescaped Output: 16 (192 escaped)
Nonce Checks: 0
Capability Checks: 39
File Operations: 64
External Requests: 1
Bundled Libraries: 1

Dangerous Functions Found

unserialize (includes\cache\driver\class-urlslab-cache-driver-file.php:51)
    return unserialize( $file_content, array( 'allowed_classes' => $allowed_classes ) );

exec (includes\tool\class-urlslab-tool-geoip.php:20)
    if ( $widget->get_option( Urlslab_Widget_General::SETTING_NAME_GEOIP_DOWNLOAD ) && strlen( $widget->

exec (includes\tool\class-urlslab-tool-geoip.php:36)
    $result = @exec( 'tar -zvxf ' . wp_upload_dir()['basedir'] . '/geoip.tar.gz -C ' . wp_upload_dir()['

Bundled Libraries

Guzzle

SQL Query Safety

94% prepared · 504 total queries

Output Escaping

92% escaped · 208 total outputs
Data Flows · Security
4 unsanitized

Data Flow Analysis

4 flows · 4 with unsanitized paths
<advanced-cache> (advanced-cache.php:0)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

URLsLab Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[urlslab-screenshot] includes\widget\class-urlslab-widget-urls.php:93
WordPress Hooks 102
action enqueue_block_editor_assets blocks\includes\class-urlslab-gutenberg-block.php:9
action shutdown includes\class-urlslab-activator.php:1975
action enqueue_block_editor_assets includes\class-urlslab-admin.php:57
action elementor/editor/before_enqueue_scripts includes\class-urlslab-admin.php:58
action admin_head includes\class-urlslab-admin.php:59
filter script_loader_tag includes\class-urlslab-admin.php:60
filter admin_body_class includes\class-urlslab-admin.php:61
action init includes\class-urlslab-blocks.php:26
filter block_categories_all includes\class-urlslab-blocks.php:41
action elementor/elements/categories_registered includes\class-urlslab-blocks.php:52
action elementor/widgets/widgets_registered includes\class-urlslab-blocks.php:53
action wp_footer includes\class-urlslab-public.php:75
filter script_loader_tag includes\class-urlslab-public.php:102
filter http_request_timeout includes\class-urlslab-url.php:455
filter http_request_redirection_count includes\class-urlslab-url.php:456
filter http_headers_useragent includes\class-urlslab-url.php:457
action plugins_loaded includes\class-urlslab.php:324
action admin_enqueue_scripts includes\class-urlslab.php:340
action admin_init includes\class-urlslab.php:348
action admin_enqueue_scripts includes\class-urlslab.php:349
action admin_enqueue_scripts includes\class-urlslab.php:350
action admin_enqueue_scripts includes\class-urlslab.php:351
action admin_menu includes\class-urlslab.php:352
action admin_bar_menu includes\class-urlslab.php:353
action wp_enqueue_scripts includes\class-urlslab.php:374
action wp_enqueue_scripts includes\class-urlslab.php:375
action wp_loaded includes\class-urlslab.php:377
action wp_before_load_template includes\class-urlslab.php:378
action template_redirect includes\class-urlslab.php:379
action shutdown includes\class-urlslab.php:380
action init includes\class-urlslab.php:390
filter query_vars includes\class-urlslab.php:391
filter cron_schedules includes\class-urlslab.php:396
action urlslab_cron_hook includes\class-urlslab.php:401
action rest_api_init includes\class-urlslab.php:413
filter http_response includes\driver\class-urlslab-driver.php:226
filter http_headers_useragent includes\executor\class-urlslab-executor-download-url.php:30
filter http_request_redirection_count includes\executor\class-urlslab-executor-download-url.php:31
action set_404 includes\widget\class-urlslab-widget-cache.php:57
action init includes\widget\class-urlslab-widget-cache.php:58
action wp_headers includes\widget\class-urlslab-widget-cache.php:59
filter urlslab_raw_content includes\widget\class-urlslab-widget-cache.php:60
action urlslab_body_content includes\widget\class-urlslab-widget-cache.php:61
action wp_resource_hints includes\widget\class-urlslab-widget-cache.php:62
action deleted_post includes\widget\class-urlslab-widget-cache.php:64
action save_post includes\widget\class-urlslab-widget-cache.php:65
action trashed_post includes\widget\class-urlslab-widget-cache.php:66
action init includes\widget\class-urlslab-widget-content-generator.php:18
action admin_enqueue_scripts includes\widget\class-urlslab-widget-content-generator.php:25
filter urlslab_head_content_raw includes\widget\class-urlslab-widget-custom-html.php:28
filter urlslab_raw_body_content includes\widget\class-urlslab-widget-custom-html.php:29
action wp_headers includes\widget\class-urlslab-widget-custom-html.php:30
action init includes\widget\class-urlslab-widget-faq.php:46
filter the_content includes\widget\class-urlslab-widget-faq.php:47
filter urlslab_raw_body_content includes\widget\class-urlslab-widget-faq.php:48
action init includes\widget\class-urlslab-widget-general.php:49
filter urlslab_raw_content_before includes\widget\class-urlslab-widget-html-optimizer.php:33
action urlslab_body_content includes\widget\class-urlslab-widget-html-optimizer.php:34
action urlslab_head_content includes\widget\class-urlslab-widget-html-optimizer.php:35
filter urlslab_raw_head_content_final includes\widget\class-urlslab-widget-html-optimizer.php:36
filter urlslab_raw_body_content_final includes\widget\class-urlslab-widget-html-optimizer.php:37
action template_redirect includes\widget\class-urlslab-widget-html-optimizer.php:39
action template_redirect includes\widget\class-urlslab-widget-html-optimizer.php:40
filter user_trailingslashit includes\widget\class-urlslab-widget-html-optimizer.php:41
filter redirect_canonical includes\widget\class-urlslab-widget-html-optimizer.php:42
action init includes\widget\class-urlslab-widget-html-optimizer.php:45
filter tiny_mce_plugins includes\widget\class-urlslab-widget-html-optimizer.php:46
filter wp_resource_hints includes\widget\class-urlslab-widget-html-optimizer.php:47
action wp_default_scripts includes\widget\class-urlslab-widget-html-optimizer.php:50
filter script_loader_src includes\widget\class-urlslab-widget-html-optimizer.php:53
filter style_loader_src includes\widget\class-urlslab-widget-html-optimizer.php:54
action urlslab_body_content includes\widget\class-urlslab-widget-lazy-loading.php:88
action urlslab_body_content includes\widget\class-urlslab-widget-lazy-loading.php:89
action init includes\widget\class-urlslab-widget-lazy-loading.php:90
action template_redirect includes\widget\class-urlslab-widget-lazy-loading.php:92
filter user_trailingslashit includes\widget\class-urlslab-widget-lazy-loading.php:93
filter redirect_canonical includes\widget\class-urlslab-widget-lazy-loading.php:94
action urlslab_body_content includes\widget\class-urlslab-widget-link-builder.php:59
action wp_handle_upload includes\widget\class-urlslab-widget-media-offloader.php:67
action urlslab_body_content includes\widget\class-urlslab-widget-media-offloader.php:68
action template_redirect includes\widget\class-urlslab-widget-media-offloader.php:69
filter user_trailingslashit includes\widget\class-urlslab-widget-media-offloader.php:70
filter redirect_canonical includes\widget\class-urlslab-widget-media-offloader.php:71
filter template_redirect includes\widget\class-urlslab-widget-redirects.php:41
action init includes\widget\class-urlslab-widget-related-resources.php:33
filter the_content includes\widget\class-urlslab-widget-related-resources.php:34
filter urlslab_raw_content_before includes\widget\class-urlslab-widget-search-replace.php:15
filter urlslab_search_replace includes\widget\class-urlslab-widget-search-replace.php:16
action set_404 includes\widget\class-urlslab-widget-security.php:220
action init includes\widget\class-urlslab-widget-security.php:221
action shutdown includes\widget\class-urlslab-widget-security.php:222
filter urlslab_head_content_raw includes\widget\class-urlslab-widget-security.php:223
filter wp_headers includes\widget\class-urlslab-widget-security.php:224
filter urlslab_cache_hit_headers includes\widget\class-urlslab-widget-security.php:225
action post_updated includes\widget\class-urlslab-widget-urls.php:82
action urlslab_body_content includes\widget\class-urlslab-widget-urls.php:83
action init includes\widget\class-urlslab-widget-urls.php:85
action widgets_init includes\widget\class-urlslab-widget-urls.php:86
action urlslab_head_content includes\widget\class-urlslab-widget-urls.php:88
action urlslab_head_content includes\widget\class-urlslab-widget-urls.php:89
filter urlslab_head_content_raw includes\widget\class-urlslab-widget-web-vitals.php:20
action rest_api_init includes\widget\class-urlslab-widget-web-vitals.php:21

Scheduled Events 1

urlslab_cron_hook
Maintenance & Trust

URLsLab Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Feb 27, 2026
PHP min version: 8.1
Downloads: 5K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 30
Developer Profile

URLsLab Developer Profile

URLsLab

1 plugin · 30 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect URLsLab

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/urlslab/public/build/js/urlslab-notifications.js
/wp-content/plugins/urlslab/public/build/css/urlslab_notifications.css
Script Paths
/wp-content/plugins/urlslab/admin/dist/main-*.js
Version Parameters
urlslab/style.css?ver=
urlslab-main?ver=
urlslab-notifications?ver=
urlslab-notifications?ver=

HTML / DOM Fingerprints

Data Attributes
urlslabData
JS Globals
urlslabData
FAQ

Frequently Asked Questions about URLsLab