Does WebP Express have any unpatched vulnerabilities?

No. All known vulnerabilities in WebP Express have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is WebP Express compatible with WordPress 6.9.4?

According to WordPress.org data, WebP Express 0.25.14 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is WebP Express compatible with PHP 5.6+?

WebP Express requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is WebP Express updated?

WebP Express was last updated on Jan 14, 2026. Frequent updates are generally a positive security signal.

What is WebP Express's security score?

WebP Express has a WP-Safety security score of 95/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

WebP Express Security & Risk Analysis

wordpress.org/plugins/webp-express

Serve autogenerated WebP images instead of jpeg/png to browsers that supports WebP.

300K active installs v0.25.14 PHP 5.6+ WP 4.0+ Updated Jan 14, 2026

imagesperformancewebp

A · Safe

CVEs total3

Unpatched0

Last CVEDec 3, 2025

Plugin page Download

Safety Verdict

Is WebP Express Safe to Use in 2026?

Generally Safe

Score 95/100

WebP Express has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEsLast CVE: Dec 3, 2025Updated 2mo ago

Risk Assessment

The static analysis of WebP Express v0.25.14 reveals a strong adherence to secure coding practices, with no identified dangerous functions, all SQL queries using prepared statements, and complete output escaping. The absence of any file operations, external HTTP requests, or apparent vulnerabilities in taint analysis further suggests a robust internal codebase. However, the plugin's vulnerability history presents a significant concern. With a total of three known CVEs, including one high and two medium severity vulnerabilities, the plugin has a track record of security flaws. The types of past vulnerabilities, such as Exposure of Sensitive Information, Cross-site Scripting, and Path Traversal, are critical to address as they represent serious security risks. While there are currently no unpatched vulnerabilities reported, the consistent discovery of such issues indicates a potential for recurring security weaknesses that require ongoing vigilance and prompt patching by users.

Key Concerns

Past high severity vulnerability (1)
Past medium severity vulnerabilities (2)
History of critical vulnerability types (XSS, Path Traversal)
No capability checks observed
No nonce checks observed

Vulnerabilities

WebP Express Security Vulnerabilities

CVEs by Year

1 CVE in 2018

2018

1 CVE in 2019

2019

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

High

Medium

3 total CVEs

CVE-2025-11379medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

WebP Express <= 0.25.9 - Unauthenticated Information Exposure

Dec 3, 2025 Patched in 0.25.11 (34d)

CVE-2019-15837medium · 5.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WebP Express <= 0.14.10 - Authenticated Stored Cross-Site Scripting

Jun 26, 2019 Patched in 0.14.11 (1672d)

CVE-2019-15330high · 7.5Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

WebP Express < 0.14.11 - Arbitrary File Read

Dec 11, 2018 Patched in 0.14.11 (1869d)

Code Analysis

Analyzed Mar 16, 2026

WebP Express Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

0 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Attack Surface

WebP Express Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 7

actioninitwebp-express.php:55

filterwp_handle_uploadwebp-express.php:64

filterimage_make_intermediate_sizewebp-express.php:65

filterwp_delete_filewebp-express.php:66

actionwebp_express_task_bulk_update_dummy_fileswebp-express.php:71

actionwebp_express_task_regenerate_configwebp-express.php:72

actionwebp_express_task_regenerate_config_and_htaccesswebp-express.php:73

Maintenance & Trust

WebP Express Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedJan 14, 2026

PHP min version5.6

Downloads4.1M

Community Trust

Rating88/100

Number of ratings160

Active installs300K

Alternatives

WebP Express Alternatives

Modern Image Formats

webp-uploads

100

Converts images to more modern formats such as WebP or AVIF during upload.

100K No CVEs

WebP Express Plus

webp-express-plus

Exclusion of necessary images from processing by the "WebP Express" plugin

800 No CVEs

Auto WebP Converter & Logger

auto-webp-converter-logger

100

Boost site speed by automatically converting uploads to WebP. Features smart memory protection, detailed logging, and zero API dependencies.

100 No CVEs

Stintlief WebP Converter

stintlief-webp-converter

100

Automatically convert uploaded images to optimized WebP format with safe fallbacks, optional backups, and easy restoration.

10 No CVEs

CodePros Image Optimizer

codepros-image-optimizer

100

Convert and optimize your WordPress images to WebP format for faster page loads and better performance.

0 No CVEs

Developer Profile

WebP Express Developer Profile

rosell.dk

1 plugin · 300K total installs

trust score

Avg Security Score

95/100

Avg Patch Time

1192 days

View full developer profile

Detection Fingerprints

How We Detect WebP Express

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/webp-express/dist/webp-express.js/wp-content/plugins/webp-express/dist/webp-express.css

Script Paths

/wp-content/plugins/webp-express/dist/webp-express.js

Version Parameters

webp-express/dist/webp-express.css?ver=webp-express/dist/webp-express.js?ver=

HTML / DOM Fingerprints

Data Attributes

data-webp-express

JS Globals

window.webp_express

FAQ