WP Compress – Instant Performance & Speed Optimization Security & Risk Analysis

wordpress.org/plugins/wp-compress-image-optimizer

Everything you need for a faster website – smart optimization, advanced caching, adaptive images, WebP creation, script improvements, optional CDN del …

10K active installs v7.00.08 PHP 7.4+ WP 6.5+ Updated Apr 15, 2026
Tags: cache, image-optimization, performance, speed, wpcompress
Score 82 · B · Generally Safe
CVEs total: 13
Unpatched: 0
Last CVE: Feb 17, 2026
Safety Verdict

Is WP Compress – Instant Performance & Speed Optimization Safe to Use in 2026?

Mostly Safe

Score 82/100

WP Compress – Instant Performance & Speed Optimization is generally safe to use. 13 past CVEs were resolved.

13 known CVEs · Last CVE: Feb 17, 2026 · Updated 1mo ago
Risk Assessment

The "wp-compress-image-optimizer" plugin exhibits a mixed security posture, with some strengths countered by significant concerns. On the positive side, the plugin demonstrates good practices in handling SQL queries, with a very high percentage using prepared statements, and a substantial number of nonce and capability checks. The static analysis also indicates a small attack surface and no unprotected entry points, which are positive signs.

However, several critical areas raise alarm bells. The presence of an `unserialize` call without explicit information on its sanitization is a notable risk, as unserialization vulnerabilities are notoriously dangerous. The taint analysis revealing two high-severity flows with unsanitized paths is a direct indication of potential security flaws that could be exploited for malicious purposes, possibly involving path traversal or unauthorized file access.

The plugin's vulnerability history is particularly concerning. With 13 known CVEs, including a past critical vulnerability, and a pattern of common vulnerability types such as SSRF, XSS, and path traversal, it suggests a recurring struggle with robust security implementations. While there are currently no unpatched vulnerabilities, the history indicates a tendency for security weaknesses to emerge, requiring constant vigilance and timely patching. The overall conclusion is that while the plugin has some strong security foundations, the identified code signals and historical vulnerability patterns necessitate caution and a thorough review of its current implementation for potential risks.

Key Concerns

  • High severity taint flows found
  • Dangerous function 'unserialize' detected
  • High historical CVE count
  • Past critical vulnerability history
  • Large number of file operations
  • Significant number of external HTTP requests
  • 25% of outputs not properly escaped
Vulnerabilities
13 published

WP Compress – Instant Performance & Speed Optimization Security Vulnerabilities

CVEs by Year

2024: 6 CVEs
2025: 6 CVEs
2026: 1 CVE

Severity Breakdown

Critical: 1
High: 3
Medium: 9

13 total CVEs

CVE-2026-25370 · medium · 5.3 · Missing Authorization
Compress <= 6.60.28 - Missing Authorization
Feb 17, 2026 · Patched in 6.60.29 (8d)

CVE-2025-57899 · medium · 5.3 · Missing Authorization
WP Compress <= 6.50.54 - Missing Authorization
Sep 22, 2025 · Patched in 6.50.55 (9d)

CVE-2025-47479 · high · 7.3 · Improper Authentication
WP Compress <= 6.30.30 - Unauthenticated Broken Authentication
Jul 3, 2025 · Patched in 6.30.31 (6d)

CVE-2025-47546 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WP Compress <= 6.30.30 - Cross-Site Request Forgery
May 7, 2025 · Patched in 6.30.31 (7d)

CVE-2025-2110 · high · 8.8 · Missing Authorization
WP Compress <= 6.30.15 - Authenticated (Subscriber+) Missing Authorization via Multiple Functions
Mar 25, 2025 · Patched in 6.30.16 (1d)

CVE-2025-2109 · medium · 5.8 · Server-Side Request Forgery (SSRF)
WP Compress <= 6.30.15 - Unauthenticated Server-Side Request Forgery via init Function
Mar 24, 2025 · Patched in 6.30.16 (1d)

CVE-2024-12047 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Compress – Instant Performance & Speed Optimization <= 6.30.03 - Reflected Cross-Site Scripting via custom_server Parameter
Jan 3, 2025 · Patched in 6.30.04 (1d)

CVE-2024-47384 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Compress – Image Optimizer [All-In-One] <= 6.20.13 - Reflected Cross-Site Scripting
Sep 30, 2024 · Patched in 6.21.01 (11d)

CVE-2024-4445 · medium · 6.5 · Missing Authorization
WP Compress – Image Optimizer [All-In-One] <= 6.20.01 - Missing Authorization
May 13, 2024 · Patched in 6.20.02 (1d)

CVE-2023-6812 · medium · 4.3 · URL Redirection to Untrusted Site ('Open Redirect')
WP Compress – Image Optimizer [All-In-One] <= 6.20.01 - Open Redirect via css
May 13, 2024 · Patched in 6.20.02 (78d)

CVE-2024-32106 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WP Compress – Image Optimizer [All-In-One] <= 6.10.35 - Cross-Site Request Forgery
Apr 11, 2024 · Patched in 6.11.01 (6d)

CVE-2024-1934 · high · 7.5 · Missing Authorization
WP Compress – Image Optimizer <= 6.11.08 - Missing Authorization to Unauthenticated CDN Modification
Mar 21, 2024 · Patched in 6.11.11 (133d)

CVE-2023-6699 · critical · 9.1 · Path Traversal: '../filedir'
WP Compress – Image Optimizer [All-In-One] <= 6.10.33 - Unauthenticated Directory Traversal via css
Jan 3, 2024 · Patched in 6.10.34 (209d)

Version History

WP Compress – Instant Performance & Speed Optimization Release Timeline

v7.00.08 (Current)
v7.00.07
v7.00.06
v7.00.04
v7.00.03
v7.00.01
v6.60.47
v6.60.46
v6.60.45
v6.60.44
v6.60.43
v6.60.42
v6.60.41
v6.60.40
v6.60.39
v6.60.38
v6.60.37
v6.60.36
v6.60.35
v6.60.34
Code Analysis
Analyzed Mar 16, 2026

WP Compress – Instant Performance & Speed Optimization Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 2 (86 prepared)
Unescaped Output: 669 (227 escaped)
Nonce Checks: 76
Capability Checks: 101
File Operations: 225
External Requests: 127
Bundled Libraries: 0

Dangerous Functions Found

unserialize · classes\ajax.class.php:2501
    $value = unserialize(untrailingslashit($heartbeat_item->option_value));

SQL Query Safety

98% prepared · 88 total queries

Output Escaping

25% escaped · 896 total outputs
Data Flows · Security
29 unsanitized

Data Flow Analysis

25 flows · 29 with unsanitized paths
dnsPrefetch (addons\cdn\cdn-rewrite.php:518)
Attack Surface

WP Compress – Instant Performance & Speed Optimization Attack Surface

Entry Points: 1
Unprotected: 0

REST API Routes 1

GET /wp-json/wpc/v1/fetch · addons\legacy\compress.php:250
WordPress Hooks 133

filter · get_site_icon_url · addons\cdn\cdn-rewrite.php:236
action · template_redirect · addons\cdn\cdn-rewrite.php:1804
filter · script_loader_tag · addons\cdn\cdn-rewrite.php:1982
filter · style_loader_tag · addons\cdn\cdn-rewrite.php:2321
filter · style_loader_src · addons\cdn\cdn-rewrite.php:2349
filter · style_loader_src · addons\cdn\cdn-rewrite.php:2350
filter · style_loader_src · addons\cdn\cdn-rewrite.php:2360
filter · style_loader_tag · addons\cdn\cdn-rewrite.php:2361
filter · script_loader_tag · addons\cdn\cdn-rewrite.php:2366
action · wp_head · addons\cdn\cdn-rewrite.php:2372
filter · woocommerce_available_variation · addons\cdn\cdn-rewrite.php:2375
filter · style_loader_src · addons\cdn\cdn-rewrite.php:2385
filter · style_loader_tag · addons\cdn\cdn-rewrite.php:2386
filter · script_loader_src · addons\cdn\cdn-rewrite.php:2390
action · wp_head · addons\cdn\cdn-rewrite.php:2395
filter · emoji_svg_url · addons\cdn\rewriteLogic.php:395
filter · tiny_mce_plugins · addons\cdn\rewriteLogic.php:396
action · delete_attachment · addons\legacy\compress.php:66
filter · wp_generate_attachment_metadata · addons\legacy\compress.php:73
filter · jpeg_quality · addons\legacy\compress.php:2160
filter · wp_get_attachment_url · addons\offloading\offloading.class.php:19
filter · wp_get_attachment_image_src · addons\offloading\offloading.class.php:20
action · save_post · classes\cache.class.php:202
action · save_post · classes\cache.class.php:203
action · save_post · classes\cache.class.php:204
action · transition_post_status · classes\cache.class.php:208
action · publish_post · classes\cache.class.php:217
action · wp_trash_post · classes\cache.class.php:218
action · delete_post · classes\cache.class.php:219
action · comment_post · classes\cache.class.php:221
action · edit_comment · classes\cache.class.php:222
action · transition_comment_status · classes\cache.class.php:223
action · deleted_comment · classes\cache.class.php:224
action · trashed_comment · classes\cache.class.php:225
action · untrashed_comment · classes\cache.class.php:226
action · spammed_comment · classes\cache.class.php:227
action · unspammed_comment · classes\cache.class.php:228
action · send_headers · classes\comms.class.php:12
action · wp_enqueue_scripts · classes\enqueues.class.php:110
action · admin_enqueue_scripts · classes\enqueues.class.php:115
action · admin_enqueue_scripts · classes\enqueues.class.php:116
action · admin_enqueue_scripts · classes\enqueues.class.php:118
action · admin_enqueue_scripts · classes\enqueues.class.php:120
action · admin_enqueue_scripts · classes\enqueues.class.php:122
action · admin_enqueue_scripts · classes\enqueues.class.php:125
action · admin_enqueue_scripts · classes\enqueues.class.php:128
action · admin_enqueue_scripts · classes\enqueues.class.php:132
action · wp_print_scripts · classes\enqueues.class.php:137
action · wp_footer · classes\enqueues.class.php:138
filter · script_loader_tag · classes\enqueues.class.php:152
action · wp_enqueue_scripts · classes\enqueues.class.php:162
action · wp_footer · classes\enqueues.class.php:503
action · admin_notices · classes\htaccess.class.php:133
action · send_headers · classes\mainwp.class.php:10
action · send_headers · classes\mainwp.class.php:11
filter · media_row_actions · classes\media_library_live.class.php:75
action · add_meta_boxes_attachment · classes\media_library_live.class.php:83
filter · manage_media_columns · classes\media_library_live.class.php:87
action · manage_media_custom_column · classes\media_library_live.class.php:88
action · admin_footer · classes\media_library_live.class.php:89
filter · wps_ic_debug_log_link · classes\media_library_live.class.php:90
action · pre_get_posts · classes\media_library_live.class.php:91
action · restrict_manage_posts · classes\media_library_live.class.php:96
filter · ajax_query_attachments_args · classes\media_library_live.class.php:99
action · admin_notices · classes\media_library_live.class.php:103
action · pre_current_active_plugins · classes\media_library_live.class.php:105
filter · bulk_actions-upload · classes\media_library_live.class.php:442
filter · handle_bulk_actions-upload · classes\media_library_live.class.php:446
filter · bulk_actions-upload · classes\media_library_live.class.php:451
filter · handle_bulk_actions-upload · classes\media_library_live.class.php:455
action · admin_print_scripts · classes\menu.class.php:35
action · pre_current_active_plugins · classes\menu.class.php:36
action · admin_menu · classes\menu.class.php:38
action · network_admin_menu · classes\menu.class.php:40
action · admin_bar_menu · classes\menu.class.php:41
action · plugin_action_links_wp-compress-image-optimizer/wp-compress.php · classes\menu.class.php:45
action · admin_bar_menu · classes\menu.class.php:46
action · admin_bar_menu · classes\menu.class.php:48
action · wp_initialize_site · classes\mu.class.php:20
action · admin_enqueue_scripts · classes\notices.class.php:16
action · admin_notices · classes\notices.class.php:48
action · all_admin_notices · classes\notices.class.php:52
filter · rest_endpoints · classes\oEmbed.class.php:20
filter · oembed_response_data · classes\oEmbed.class.php:21
filter · embed_oembed_discover · classes\oEmbed.class.php:22
filter · tiny_mce_plugins · classes\oEmbed.class.php:29
filter · rewrite_rules_array · classes\oEmbed.class.php:30
action · wp_default_scripts · classes\oEmbed.class.php:31
action · wp_footer · classes\preload.class.php:93
action · wp_footer · classes\preload.class.php:115
action · wp_head · classes\preload.class.php:146
action · wp_footer · classes\preload.class.php:178
action · wp_footer · classes\preload.class.php:210
filter · posts_search · classes\preload_warmup.class.php:290
action · init · classes\preload_warmup.class.php:1501
action · runCronPreload · classes\preload_warmup.class.php:1502
filter · wp_headers · classes\visitor_mode.class.php:7
action · admin_notices · wp-compress-core.php:1265
filter · all_plugins · wp-compress-core.php:1437
action · current_screen · wp-compress-core.php:1897
action · admin_footer · wp-compress-core.php:2009
action · admin_footer · wp-compress-core.php:2010
action · elementor/document/after_save · wp-compress-core.php:2027
action · admin_footer · wp-compress-core.php:2031
filter · big_image_size_threshold · wp-compress-core.php:2036
action · wp · wp-compress-core.php:2188
action · wp_enqueue_scripts · wp-compress-core.php:2210
action · wp_enqueue_scripts · wp-compress-core.php:2217
action · init · wp-compress-core.php:2457
action · plugins_loaded · wp-compress-core.php:2477
action · init · wp-compress-core.php:2478
action · wp · wp-compress-core.php:2479
action · template_redirect · wp-compress-core.php:2482
filter · upgrader_post_install · wp-compress-core.php:2486
filter · upgrader_post_install · wp-compress-core.php:2487
action · upgrader_process_complete · wp-compress-core.php:2490
action · upgrader_process_complete · wp-compress-core.php:2491
action · activate_plugin · wp-compress-core.php:2494
action · activate_plugin · wp-compress-core.php:2495
action · activated_plugin · wp-compress-core.php:2496
action · deactivate_plugin · wp-compress-core.php:2499
action · plugins_loaded · wp-compress-core.php:2502
action · plugins_loaded · wp-compress-core.php:2503
action · rest_api_init · wp-compress-core.php:2511
action · admin_action_deactivate_and_disconnect · wp-compress-core.php:2519
action · plugins_loaded · wp-compress-cron.php:26
action · transition_post_status · wp-compress-cron.php:29
action · wps_ic_scheduled_purge_hook · wp-compress-cron.php:31
action · save_post · wp-compress-cron.php:33
action · wps_ic_check_key_hook · wp-compress-cron.php:50
action · et_core_page_resource_auto_clear · wp-compress-cron.php:56
action · admin_init · wp-compress.php:21
action · admin_init · wp-compress.php:27

Scheduled Events 5

run_precache_cron_job
run_precache_cron_job
runCronPreload
wps_ic_scheduled_purge_hook
wps_ic_check_key_hook
Maintenance & Trust

WP Compress – Instant Performance & Speed Optimization Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 15, 2026
PHP min version: 7.4
Downloads: 1.1M

Community Trust

Rating: 90/100
Number of ratings: 152
Active installs: 10K
Developer Profile

WP Compress – Instant Performance & Speed Optimization Developer Profile

AresIT

1 plugin · 10K total installs

Trust score: 75
Avg Security Score: 82/100
Avg Patch Time: 36 days
Detection Fingerprints

How We Detect WP Compress – Instant Performance & Speed Optimization

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-compress-image-optimizer/js/frontend.js
/wp-content/plugins/wp-compress-image-optimizer/css/frontend.css
/wp-content/plugins/wp-compress-image-optimizer/js/admin.js
/wp-content/plugins/wp-compress-image-optimizer/js/v4/admin.js
/wp-content/plugins/wp-compress-image-optimizer/js/v3/admin.js
/wp-content/plugins/wp-compress-image-optimizer/js/v2/admin.js
/wp-content/plugins/wp-compress-image-optimizer/js/bulk.js
Version Parameters
wp-compress-image-optimizer/js/frontend.js?ver=
wp-compress-image-optimizer/css/frontend.css?ver=
wp-compress-image-optimizer/js/admin.js?ver=
wp-compress-image-optimizer/js/v4/admin.js?ver=
wp-compress-image-optimizer/js/v3/admin.js?ver=
wp-compress-image-optimizer/js/v2/admin.js?ver=
wp-compress-image-optimizer/js/bulk.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-compress-notice
HTML Comments
<!-- Script to load CSS -->
Data Attributes
data-wpc-delay-exclude
JS Globals
wps_ic_frontend_params
Shortcode Output
<script type="wpc-delay-placeholder"></script>
FAQ

Frequently Asked Questions about WP Compress – Instant Performance & Speed Optimization