WP-Safety

Converter for Media – Optimize images | Convert WebP & AVIF Security & Risk Analysis

wordpress.org/plugins/webp-converter-for-media

Speed up your website by using our WebP & AVIF Converter. Optimize images and serve WebP and AVIF images instead of standard formats!

500K active installs v6.5.5 PHP 7.1+ WP 4.9+ Updated Apr 2, 2026
compress-imagesconvert-webpimage-optimizationoptimize-imageswebp
93
A · Safe
CVEs total4
Unpatched0
Last CVEFeb 11, 2026
Plugin page Download
Safety Verdict

Is Converter for Media – Optimize images | Convert WebP & AVIF Safe to Use in 2026?

Generally Safe

Score 93/100

Converter for Media – Optimize images | Convert WebP & AVIF has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEsLast CVE: Feb 11, 2026Updated 1mo ago
Risk Assessment

The static analysis of the 'webp-converter-for-media' plugin v6.5.4 reveals a generally strong security posture. The plugin exhibits a low attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events that are not protected by authentication checks. Furthermore, it demonstrates good coding practices with 100% of SQL queries using prepared statements and a high percentage (95%) of output properly escaped. The absence of dangerous functions and critical or high-severity taint flows is also a positive indicator.

Key Concerns

  • Known High Severity Vulnerability
  • Medium Severity Vulnerabilities
  • Potential for URL Redirection
  • Potential for Cross-Site Request Forgery
  • Potential for SSRF
  • Missing Authorization vulnerabilities
  • Nonce checks present but limited
  • Capability checks present but limited
  • 32 File operations
  • 7 External HTTP requests
Vulnerabilities
4 published

Converter for Media – Optimize images | Convert WebP & AVIF Security Vulnerabilities

CVEs by Year

1 CVE in 2019
2019
1 CVE in 2021
2021
1 CVE in 2025
2025
1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

High
1
Medium
3

4 total CVEs

CVE-2026-1356medium · 4.8Server-Side Request Forgery (SSRF)

Converter for Media – Optimize images | Convert WebP & AVIF <= 6.5.1 - Unauthenticated Server-Side Request Forgery via src

Feb 11, 2026 Patched in 6.5.2 (1d)
CVE-2025-13750medium · 4.3Missing Authorization

Converter for Media <= 6.3.2 - Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint

Dec 16, 2025 Patched in 6.4.0 (1d)
CVE-2021-25074medium · 6.1URL Redirection to Untrusted Site ('Open Redirect')

WebP Converter for Media <= 4.0.2 - Unauthenticated Open Redirect

Dec 27, 2021 Patched in 4.0.3 (757d)
CVE-2019-15834high · 8.8Cross-Site Request Forgery (CSRF)

WebP Converter for Media – Convert WebP and AVIF & Optimize Images <= 1.0.2 - Cross-Site Request Forgery

Jun 27, 2019 Patched in 1.0.3 (1671d)
Version History

Converter for Media – Optimize images | Convert WebP & AVIF Release Timeline

v6.5.5Current6 files changed
v6.5.47 files changed
v6.5.37 files changed
v6.5.210 files changed
v6.5.01 CVE25 files changed
CVE-2026-1356
v6.4.01 CVE13 files changed
CVE-2026-1356
v6.3.22 CVEs6 files changed
CVE-2026-1356 CVE-2025-13750
v6.3.12 CVEs7 files changed
CVE-2026-1356 CVE-2025-13750
v6.3.02 CVEs6 files changed
CVE-2026-1356 CVE-2025-13750
v6.2.42 CVEs11 files changed
CVE-2026-1356 CVE-2025-13750
v6.2.32 CVEs13 files changed
CVE-2026-1356 CVE-2025-13750
v6.2.22 CVEs8 files changed
CVE-2026-1356 CVE-2025-13750
v6.2.12 CVEs62 files changed
CVE-2026-1356 CVE-2025-13750
v6.2.02 CVEs83 files changed
CVE-2026-1356 CVE-2025-13750
v6.1.32 CVEs6 files changed
CVE-2026-1356 CVE-2025-13750
v6.1.22 CVEs8 files changed
CVE-2026-1356 CVE-2025-13750
v6.1.12 CVEs7 files changed
CVE-2026-1356 CVE-2025-13750
v6.1.02 CVEs18 files changed
CVE-2026-1356 CVE-2025-13750
v6.0.02 CVEs23 files changed
CVE-2026-1356 CVE-2025-13750
v5.13.12 CVEs
CVE-2026-1356 CVE-2025-13750
Code Analysis
Analyzed Mar 16, 2026

Converter for Media – Optimize images | Convert WebP & AVIF Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
29
613 escaped
Nonce Checks
3
Capability Checks
4
File Operations
32
External Requests
7
Bundled Libraries
0

Output Escaping

95% escaped642 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
<php> (templates\components\server\php.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Converter for Media – Optimize images | Convert WebP & AVIF Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 64
actionwebpc_convert_attachmentsrc\Action\ConvertAttachmentAction.php:27
actionwebpc_convert_pathssrc\Action\ConvertPathsAction.php:34
filterwp_delete_filesrc\Action\DeleteFileHandler.php:16
actionwebpc_delete_pathssrc\Action\DeletePathsAction.php:34
actioninitsrc\Action\UploadFileHandler.php:49
filterwp_update_attachment_metadatasrc\Action\UploadFileHandler.php:62
filterimage_make_intermediate_sizesrc\Action\UploadFileHandler.php:63
actionshutdownsrc\Action\UploadFileHandler.php:91
actionshutdownsrc\Action\UploadFileHandler.php:122
actioninitsrc\Conversion\Cron\CronEventGenerator.php:42
filtercron_schedulessrc\Conversion\Cron\CronSchedulesGenerator.php:18
actionadmin_initsrc\Conversion\Cron\CronStatusViewer.php:31
actionadmin_bar_menusrc\Conversion\Cron\CronStatusViewer.php:48
actioninitsrc\Conversion\Directory\DirectoryFactory.php:44
actionwebpc_settings_updatedsrc\Conversion\Directory\DirectoryFactory.php:45
actionwebpc_settings_updatedsrc\Conversion\Directory\DirectoryFactory.php:46
filterwebpc_dir_namesrc\Conversion\Directory\DirectoryIntegrator.php:35
filterwebpc_dir_pathsrc\Conversion\Directory\DirectoryIntegrator.php:36
filterwebpc_dir_urlsrc\Conversion\Directory\DirectoryIntegrator.php:37
actionrest_api_initsrc\Conversion\Endpoint\EndpointIntegrator.php:29
actioninitsrc\Conversion\ExcludedPathsOperator.php:59
filterwebpc_supported_source_directorysrc\Conversion\ExcludedPathsOperator.php:60
filterwebpc_server_errorssrc\Error\ErrorDetectorAggregator.php:73
filterwebpc_server_errors_messagessrc\Error\ErrorDetectorAggregator.php:74
filterwebpc_debug_image_urlsrc\Loader\HtaccessBypassingLoader.php:26
actioninitsrc\Loader\HtaccessBypassingLoader.php:33
filterwebpc_htaccess_rewrite_rootsrc\Loader\HtaccessLoader.php:37
filterwebpc_htaccess_rewrite_pathsrc\Loader\HtaccessLoader.php:38
filterwebpc_htaccess_rewrite_parentsrc\Loader\HtaccessLoader.php:39
filterwebpc_htaccess_rewrite_outputsrc\Loader\HtaccessLoader.php:40
filterwebpc_debug_image_urlsrc\Loader\HtaccessLoader.php:41
actionwebpc_settings_page_loadedsrc\Loader\LoaderIntegrator.php:29
actioninitsrc\Loader\LoaderIntegrator.php:30
filterwebpc_debug_image_urlsrc\Loader\PassthruLoader.php:46
actioninitsrc\Loader\PassthruLoader.php:53
actionadmin_initsrc\Notice\NoticeIntegrator.php:34
actionadmin_noticessrc\Notice\NoticeIntegrator.php:53
actionnetwork_admin_noticessrc\Notice\NoticeIntegrator.php:55
actionadmin_initsrc\Plugin\ActivationHandler.php:33
actioninitsrc\Service\BackupExcluder.php:28
filterai1wm_exclude_content_from_exportsrc\Service\BackupExcluder.php:41
filterupdraftplus_exclude_directorysrc\Service\BackupExcluder.php:42
filterbackwpup_content_exclude_dirssrc\Service\BackupExcluder.php:43
actionwebpc_settings_updatedsrc\Service\CacheIntegrator.php:27
actionwebpc_settings_updatedsrc\Service\CloudflareConfigurator.php:40
actionload-plugins.phpsrc\Service\DeactivationModalLoader.php:50
actionadmin_initsrc\Service\MediaStatusViewer.php:64
filterwebpc_attachment_statssrc\Service\MediaStatusViewer.php:65
filtermanage_media_columnssrc\Service\MediaStatusViewer.php:78
actionmanage_media_custom_columnsrc\Service\MediaStatusViewer.php:79
actionattachment_submitbox_misc_actionssrc\Service\MediaStatusViewer.php:80
filterwp_prepare_attachment_for_jssrc\Service\MediaStatusViewer.php:81
filterrest_authentication_errorssrc\Service\RestApiUnlocker.php:17
filteroption_mo_api_authentication_protectedrestapi_route_whitelistsrc\Service\RestApiUnlocker.php:18
filterjwt_auth_whitelistsrc\Service\RestApiUnlocker.php:22
filtersite_status_testssrc\Service\SiteHealthDetector.php:30
actioncli_initsrc\Service\WpCliManager.php:59
actionadmin_enqueue_scriptssrc\Settings\AdminAssetsLoader.php:29
actionadmin_enqueue_scriptssrc\Settings\AdminAssetsLoader.php:30
actionadmin_menusrc\Settings\Page\PageIntegrator.php:38
actionnetwork_admin_menusrc\Settings\Page\PageIntegrator.php:39
actionadmin_print_styles-plugins.phpvendor_prefixed\src\Service\AssetsPrinterService.php:26
actionadmin_print_footer_scripts-plugins.phpvendor_prefixed\src\Service\AssetsPrinterService.php:27
actionadmin_print_footer_scripts-plugins.phpvendor_prefixed\src\Service\TemplateGeneratorService.php:43
Maintenance & Trust

Converter for Media – Optimize images | Convert WebP & AVIF Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedApr 2, 2026
PHP min version7.1
Downloads15.3M

Community Trust

Rating98/100
Number of ratings1,077
Active installs500K
Alternatives

Converter for Media – Optimize images | Convert WebP & AVIF Alternatives

Imagify Image Optimization – Optimize Images | Compress Images | Convert WebP | Convert AVIF

Imagify Image Optimization – Optimize Images | Compress Images | Convert WebP | Convert AVIF

imagify

A
100

Optimize images in 1‑click: compress, resize & convert to WebP/AVIF - free up to 20MB/month. Enjoy the easiest WordPress image optimizer to set up.

1.0M No CVEs
Smush – Image Optimization, Compression, Lazy Load, WebP & CDN

Smush – Image Optimization, Compression, Lazy Load, WebP & CDN

wp-smushit

A
93

Compress and optimize images, enable lazy load, serve WebP & AVIF, and speed up your site with a global image CDN.

1.0M 6 CVEs
ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF

ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF

shortpixel-image-optimiser

A
92

Optimize images & PDFs smartly. Create and compress next-gen WebP and AVIF formats. Smart crop and resize.

300K 8 CVEs
Squeeze – Image Optimization & Compression, WEBP Conversion

Squeeze – Image Optimization & Compression, WEBP Conversion

squeeze

A
89

Unlimited. Private. Instant. Squeeze compresses and converts your images directly in your browser — no external servers and no upload limits.

1K 4 CVEs
DropAvif Image Optimizer – Convert WebP & AVIF | Compress Images

DropAvif Image Optimizer – Convert WebP & AVIF | Compress Images

dropavif-media-optimizer

A
100

The Ultimate Image Optimization Suite for WordPress. WebP & AVIF conversion, Smart Format Selection, Watermarking, and Lazy Load. Zero server load.

50 No CVEs
Developer Profile

Converter for Media – Optimize images | Convert WebP & AVIF Developer Profile

Mateusz Gbiorczyk

3 plugins · 541K total installs

77
trust score
Avg Security Score
97/100
Avg Patch Time
962 days
View full developer profile
Detection Fingerprints

How We Detect Converter for Media – Optimize images | Convert WebP & AVIF

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/webp-converter-for-media/assets/build/css/styles.css/wp-content/plugins/webp-converter-for-media/assets/build/js/scripts.js
Script Paths
assets/build/js/scripts.js
Version Parameters
webp-converter-for-media/assets/build/css/styles.css?ver=webp-converter-for-media/assets/build/js/scripts.js?ver=

HTML / DOM Fingerprints

REST Endpoints
/wp-json/webp-converter/v1
FAQ

Frequently Asked Questions about Converter for Media – Optimize images | Convert WebP & AVIF