Does WP Clean have any unpatched vulnerabilities?

No. All known vulnerabilities in WP Clean have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is WP Clean compatible with WordPress 6.2.9?

According to WordPress.org data, WP Clean 2.0 has been tested up to WordPress 6.2.9. Check the plugin's changelog for the latest compatibility information.

How often is WP Clean updated?

WP Clean was last updated on May 25, 2023. Frequent updates are generally a positive security signal.

What is WP Clean's security score?

WP Clean has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

WP Clean Security & Risk Analysis

wordpress.org/plugins/wp-clean

Плагин WP-Clean предоставляет большое количество функций для оптимизации, безопасности и удаления лишних файлов (кода) в WordPress.

30 active installs v2.0 PHP + WP 3.0+ Updated May 25, 2023

cleandisableenableheadmeta

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is WP Clean Safe to Use in 2026?

Generally Safe

Score 85/100

WP Clean has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 2yr ago

Risk Assessment

The "wp-clean" v2.0 plugin exhibits a mixed security posture. While it boasts zero known CVEs and a clean vulnerability history, indicating a potentially mature and stable codebase, the static analysis reveals significant concerns. The presence of five instances of `create_function`, a deprecated and insecure PHP function, is a major red flag. This function can be easily exploited to execute arbitrary code if any user-controllable input is passed to it without proper sanitization.

Furthermore, the taint analysis identified two flows with unsanitized paths, which, combined with the use of `create_function`, presents a plausible pathway for code injection vulnerabilities. The absence of nonce checks and capability checks on any entry points is also concerning, as it means that any user, regardless of their role or authentication status, could potentially trigger plugin actions if an entry point were discovered. The 67% output escaping rate, while not terrible, still leaves room for potential cross-site scripting (XSS) vulnerabilities in unescaped outputs.

Despite the lack of recorded vulnerabilities, the identified code signals and taint flows indicate inherent risks that have not yet been exploited or discovered. The plugin would benefit from refactoring to remove `create_function`, implementing robust input validation and sanitization, and adding nonce and capability checks to all potential entry points to improve its overall security. The absence of external HTTP requests and raw SQL queries using prepared statements are positive aspects.

Key Concerns

Use of deprecated and dangerous create_function
Taint flows with unsanitized paths
Missing nonce checks on all entry points
Missing capability checks on all entry points
Unescaped output (33% of total)

Vulnerabilities

None known

WP Clean Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

WP Clean Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

173 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

create_functionadd_filter('get_search_form', create_function('$a', "return null;"));condition\search.php:23

create_functionadd_filter('login_errors', create_function('$a', "return 'Извините, что-то пошло не так..';"));condition\security.php:271

create_functionadd_filter('pre_site_transient_update_core',create_function('$a', "return null;"));condition\update.php:66

create_functionadd_filter('pre_site_transient_update_themes',create_function('$a', "return null;"));condition\update.php:82

create_functionadd_filter('pre_site_transient_update_plugins', create_function( '$a', "return null;"));condition\update.php:98

Output Escaping

67% escaped258 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

wpclean_security_redirect_http_to_https (condition\security.php:4)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

WP Clean Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 108

actionparse_querycondition\archives_pages.php:10

actionparse_querycondition\archives_pages.php:29

actionparse_querycondition\archives_pages.php:48

actionparse_querycondition\archives_pages.php:67

actionparse_querycondition\archives_pages.php:86

actionparse_querycondition\archives_pages.php:105

actionbefore_delete_postcondition\attachments.php:10

actiontemplate_redirectcondition\attachments.php:29

filtercomment_form_default_fieldscondition\comments.php:10

filtercomment_classcondition\comments.php:28

filtercomment_reply_linkcondition\comments.php:56

filterpre_comment_contentcondition\comments.php:76

filterget_comment_author_linkcondition\comments.php:91

filterjson_enabledcondition\header.php:11

filterjson_jsonp_enabledcondition\header.php:12

filterrest_enabledcondition\header.php:15

filterrest_jsonp_enabledcondition\header.php:16

actiontemplate_redirectcondition\header.php:43

filteremoji_svg_urlcondition\header.php:69

filterwp_default_scriptscondition\header.php:98

filterwp_calculate_image_srcset_metacondition\images.php:10

filterupload_mimescondition\images.php:24

actionadmin_headcondition\interface.php:10

actionscreen_options_show_screencondition\interface.php:27

actionwp_before_admin_bar_rendercondition\interface.php:43

filteradmin_footer_textcondition\interface.php:66

filterupdate_footercondition\interface.php:82

actionwp_dashboard_setupcondition\interface.php:120

actionwp_dashboard_setupcondition\interface.php:136

actionwp_headcondition\pagination.php:10

filternavigation_markup_templatecondition\pagination.php:28

filteruse_block_editor_for_post_typecondition\posts.php:10

actionwp_print_scriptscondition\posts.php:24

actionadmin_headcondition\profile.php:12

filtershow_admin_barcondition\profile.php:30

actiondo_feedcondition\rss.php:11

actiondo_feed_rsscondition\rss.php:16

actiondo_feed_rss2condition\rss.php:20

actiondo_feed_rss2_commentscondition\rss.php:24

actiondo_feed_atomcondition\rss.php:42

actiondo_feed_atom_commentscondition\rss.php:46

actiondo_feed_rdfcondition\rss.php:63

actionparse_querycondition\search.php:11

filterget_search_formcondition\search.php:23

filterpre_get_postscondition\search.php:40

actioninitcondition\security.php:11

actiontemplate_redirectcondition\security.php:39

filterthe_generatorcondition\security.php:59

filterstyle_loader_srccondition\security.php:74

filterscript_loader_srccondition\security.php:91

actionpre_pingcondition\security.php:109

filterwp_headerscondition\security.php:160

filtertemplate_redirectcondition\security.php:166

filterxmlrpc_methodscondition\security.php:174

filterxmlrpc_enabledcondition\security.php:180

filterlogin_errorscondition\security.php:271

filtergettextcondition\security.php:287

filtershow_password_fieldscondition\security.php:292

filterallow_password_resetcondition\security.php:293

actionlogin_initcondition\security.php:320

filterauto_update_corecondition\update.php:10

filterauto_update_themecondition\update.php:24

filterauto_update_plugincondition\update.php:38

filterauto_update_translationcondition\update.php:52

filterpre_site_transient_update_corecondition\update.php:66

filterpre_site_transient_update_themescondition\update.php:82

filterpre_site_transient_update_pluginscondition\update.php:98

filtergutenberg_use_widgets_block_editorcondition\widgets.php:11

filteruse_widgets_block_editorcondition\widgets.php:13

actionwidgets_initcondition\widgets.php:27

actionwidgets_initcondition\widgets.php:37

actionwidgets_initcondition\widgets.php:44

actionwidgets_initcondition\widgets.php:54

actionwidgets_initcondition\widgets.php:61

actionwidgets_initcondition\widgets.php:71

actionwidgets_initcondition\widgets.php:78

actionwidgets_initcondition\widgets.php:88

actionwidgets_initcondition\widgets.php:95

actionwidgets_initcondition\widgets.php:105

actionwidgets_initcondition\widgets.php:113

actionwidgets_initcondition\widgets.php:117

actionwidgets_initcondition\widgets.php:128

actionwidgets_initcondition\widgets.php:135

actionwidgets_initcondition\widgets.php:145

actionwidgets_initcondition\widgets.php:152

actionwidgets_initcondition\widgets.php:162

actionwidgets_initcondition\widgets.php:169

actionwidgets_initcondition\widgets.php:179

actionwidgets_initcondition\widgets.php:186

actionwidgets_initcondition\widgets.php:196

actionwidgets_initcondition\widgets.php:203

actionwidgets_initcondition\widgets.php:213

actionwidgets_initcondition\widgets.php:220

actionwidgets_initcondition\widgets.php:230

actionwidgets_initcondition\widgets.php:237

actionwidgets_initcondition\widgets.php:247

actionwidgets_initcondition\widgets.php:254

actionwidgets_initcondition\widgets.php:264

actionwidgets_initcondition\widgets.php:271

actionwidgets_initcondition\widgets.php:281

actionwidgets_initcondition\widgets.php:288

actionwidgets_initcondition\widgets.php:298

actionwidgets_initcondition\widgets.php:305

actionwidgets_initcondition\widgets.php:315

actionwidgets_initcondition\widgets.php:322

actionadmin_enqueue_scriptswp-clean.php:151

actionadmin_menuwp-clean.php:156

actionadmin_initwp-clean.php:227

Maintenance & Trust

WP Clean Maintenance & Trust

Maintenance Signals

WordPress version tested6.2.9

Last updatedMay 25, 2023

PHP min version

Downloads7K

Community Trust

Rating0/100

Number of ratings0

Active installs30

Alternatives

WP Clean Alternatives

wp_head() cleaner

wp-head-cleaner

100

Remove unused tags from wp_head() output.

2K No CVEs

Remove WordPress Overhead

remove-wp-overhead

Remove overhead from the HTML, speed up your website and disable widgets you don't use

1K No CVEs

Native WP Cleaner

native-wp-cleaner

Disable native widgets, clean head tag from RSS, RSD, WLW Manifest links, disable XML-RPC, cleanup admin panel from columns, metaboxes, menu items.

70 No CVEs

Head Trimmer

head-trimmer

100

Customizable plugin to selectively remove WordPress version information, feeds, shortlinks, xmlrpc, emoji support and other miscellaneous extras from …

20 No CVEs

Advanced Database Cleaner – Optimize & Clean Database to Speed Up Site Performance

advanced-database-cleaner

Clean database by deleting orphaned data such as 'revisions', 'expired transients', optimize database and more...

100K 8 CVEs

Developer Profile

WP Clean Developer Profile

Artem Sannikov

7 plugins · 140 total installs

trust score

Avg Security Score

91/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect WP Clean

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/wp-clean/css/wpclean-style.css

Version Parameters

wpclean-style-plugin

HTML / DOM Fingerprints

HTML Comments

Copyright 2016 Artem Sannikov (email : info@artemsannikov.ru)This program is free software; you can redistribute it and/or modifyit under the terms of the GNU General Public License, version 2, aspublished by the Free Software Foundation.+53 more

FAQ