WP EXtra – One Click Optimize Security & Risk Analysis

wordpress.org/plugins/wp-extra

Optimize your site instantly with one-click activation. WP Extra offers easy fixes and features for WordPress.

7K active installs · v8.6.5 · PHP 7.4+ · WP 6.8+ · Updated Oct 31, 2025
Tags: extra, functions, optimizations, security, tweaks
Score: 98 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Nov 16, 2023
Safety Verdict

Is WP EXtra – One Click Optimize Safe to Use in 2026?

Generally Safe

Score 98/100

WP EXtra – One Click Optimize has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Nov 16, 2023 · Updated 5mo ago
Risk Assessment

The "wp-extra" v8.6.5 plugin presents a mixed security posture. While it shows some positive signs like a decent number of capability checks and a relatively low number of external HTTP requests, several concerning aspects are evident from the static analysis. The presence of two unprotected AJAX handlers significantly increases the attack surface, making it vulnerable to unauthorized actions if exploited. Furthermore, the use of the `unserialize` function is a critical red flag, as it can lead to Remote Code Execution if used with untrusted input. The taint analysis, while not showing critical or high severity flows, identified four flows with unsanitized paths, which warrants further investigation for potential local file inclusion or path traversal vulnerabilities.

The vulnerability history of "wp-extra" is also a significant concern. With a total of four known CVEs, including one high severity vulnerability, the plugin has a track record of security issues. The common types of vulnerabilities (CSRF, Missing Authorization) align with some of the static analysis findings, particularly the unprotected AJAX handlers. While there are no currently unpatched vulnerabilities, the past issues suggest a need for ongoing vigilance and prompt updates. In conclusion, "wp-extra" v8.6.5 has potential strengths in its implementation but is significantly weakened by its exposed attack surface, the dangerous use of `unserialize`, and its history of past vulnerabilities. Users should exercise caution and ensure they have robust security practices in place when using this plugin.

Key Concerns

  • Unprotected AJAX handlers
  • Use of unserialize()
  • Flows with unsanitized paths
  • High severity vulnerability in history
  • Medium severity vulnerabilities in history
  • SQL queries not using prepared statements
  • Low percentage of properly escaped output
Vulnerabilities: 4

WP EXtra – One Click Optimize Security Vulnerabilities

CVEs by Year

2023: 4 CVEs

Severity Breakdown

High: 1
Medium: 3

4 total CVEs

CVE-2023-47825 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
WP EXtra <= 6.4 - Cross-Site Request Forgery ToolImport
Nov 16, 2023 · Patched in 6.5 (68d)

CVE-2023-5314 · medium · 4.3 · Missing Authorization
WP EXtra <= 6.2 - Missing Authorization to Arbitrary Email Sending
Oct 25, 2023 · Patched in 6.3 (90d)

CVE-2023-5311 · high · 8.8 · Missing Authorization
WP EXtra <= 6.2 - Missing Authorization to .htaccess File Modification
Oct 24, 2023 · Patched in 6.3 (91d)

CVE-2023-46212 · medium · 4.3 · Missing Authorization
WP EXtra <= 6.2 - Missing Authorization to Export Settings
Oct 19, 2023 · Patched in 6.3 (96d)
Code Analysis
Analyzed Mar 16, 2026

WP EXtra – One Click Optimize Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 2 · 2 prepared
Unescaped Output: 72 · 63 escaped
Nonce Checks: 4
Capability Checks: 11
File Operations: 6
External Requests: 1
Bundled Libraries: 1

Dangerous Functions Found

unserialize · `$settings_json = unserialize(base64_decode($data));` · src\WPSettings\Restore.php:29

Bundled Libraries

TinyMCE

SQL Query Safety

50% prepared · 4 total queries

Output Escaping

47% escaped · 135 total outputs
Data Flows: 4 unsanitized

Data Flow Analysis

6 flows · 4 with unsanitized paths
duplicate_as_draft (src\Modules\Backend\Duplicate.php:30)
Attack Surface: 2 unprotected

WP EXtra – One Click Optimize Attack Surface

Entry Points: 4
Unprotected: 2

AJAX Handlers: 2

auth · wp_ajax_get_signature_content · src\Modules\Common\Posts.php:219
nopriv · wp_ajax_get_signature_content · src\Modules\Common\Posts.php:220

Shortcodes: 2

[signature] · src\Modules\Common\Posts.php:90
[redirect] · src\Modules\Common\Posts.php:258
WordPress Hooks: 167

filter · plugin_row_meta · src\Core.php:8
action · plugins_loaded · src\Language.php:7
filter · update_footer · src\Modules\Backend\Control.php:23
filter · admin_footer_text · src\Modules\Backend\Control.php:27
action · admin_init · src\Modules\Backend\Control.php:39
filter · wp_is_application_passwords_available · src\Modules\Backend\Control.php:57
action · admin_notices · src\Modules\Backend\Control.php:62
action · admin_notices · src\Modules\Backend\Control.php:81
action · wp_dashboard_setup · src\Modules\Backend\Dashboards.php:21
action · admin_enqueue_scripts · src\Modules\Backend\Dashboards.php:22
filter · wpforms_admin_dashboardwidget · src\Modules\Backend\Dashboards.php:24
action · wp_dashboard_setup · src\Modules\Backend\Dashboards.php:46
filter · admin_head · src\Modules\Backend\Dashboards.php:88
filter · screen_options_show_screen · src\Modules\Backend\Dashboards.php:97
action · admin_action_duplicate_as_draft · src\Modules\Backend\Duplicate.php:19
filter · post_row_actions · src\Modules\Backend\Duplicate.php:20
filter · page_row_actions · src\Modules\Backend\Duplicate.php:21
action · admin_head · src\Modules\Backend\Duplicate.php:25
action · admin_post_duplicate-term · src\Modules\Backend\Duplicate.php:26
action · admin_notices · src\Modules\Backend\Duplicate.php:27
action · add_attachment · src\Modules\Backend\Media.php:25
action · wp_handle_upload · src\Modules\Backend\Media.php:29
filter · wp_handle_upload_prefilter · src\Modules\Backend\Media.php:33
filter · intermediate_image_sizes_advanced · src\Modules\Backend\Media.php:37
filter · big_image_size_threshold · src\Modules\Backend\Media.php:42
filter · wp_image_maybe_exif_rotate · src\Modules\Backend\Media.php:45
action · save_post · src\Modules\Backend\Media.php:50
action · save_post · src\Modules\Backend\Media.php:54
filter · wp_check_filetype_and_ext · src\Modules\Backend\Media.php:58
filter · mime_types · src\Modules\Backend\Media.php:59
filter · file_is_displayable_image · src\Modules\Backend\Media.php:60
action · widgets_init · src\Modules\Backend\Widgets.php:9
action · init · src\Modules\Common\Comments.php:20
filter · preprocess_comment · src\Modules\Common\Comments.php:22
action · widgets_init · src\Modules\Common\Comments.php:27
action · template_redirect · src\Modules\Common\Comments.php:28
action · template_redirect · src\Modules\Common\Comments.php:29
action · admin_init · src\Modules\Common\Comments.php:30
action · wp_loaded · src\Modules\Common\Comments.php:31
filter · comments_open · src\Modules\Common\Comments.php:35
filter · manage_media_columns · src\Modules\Common\Comments.php:36
filter · show_recent_comments_widget_style · src\Modules\Common\Comments.php:66
filter · comments_array · src\Modules\Common\Comments.php:92
filter · comments_open · src\Modules\Common\Comments.php:93
filter · pings_open · src\Modules\Common\Comments.php:94
action · admin_menu · src\Modules\Common\Comments.php:97
action · admin_print_styles-index.php · src\Modules\Common\Comments.php:98
action · admin_print_styles-profile.php · src\Modules\Common\Comments.php:99
action · wp_dashboard_setup · src\Modules\Common\Comments.php:100
filter · pre_option_default_pingback_flag · src\Modules\Common\Comments.php:101
filter · comments_template · src\Modules\Common\Comments.php:104
filter · feed_links_show_comments_feed · src\Modules\Common\Comments.php:106
action · init · src\Modules\Common\Permalinks.php:20
filter · user_trailingslashit · src\Modules\Common\Permalinks.php:21
filter · the_content · src\Modules\Common\Permalinks.php:24
action · template_redirect · src\Modules\Common\Permalinks.php:27
action · template_redirect · src\Modules\Common\Permalinks.php:74
action · shutdown · src\Modules\Common\Permalinks.php:76
action · admin_bar_menu · src\Modules\Common\Permission.php:11
filter · manage_users_columns · src\Modules\Common\Permission.php:36
filter · manage_users_custom_column · src\Modules\Common\Permission.php:37
filter · manage_users_sortable_columns · src\Modules\Common\Permission.php:38
filter · manage_users_columns · src\Modules\Common\Permission.php:62
filter · manage_users_custom_column · src\Modules\Common\Permission.php:63
filter · manage_users_sortable_columns · src\Modules\Common\Permission.php:64
action · wp_login · src\Modules\Common\Permission.php:65
action · admin_bar_menu · src\Modules\Common\Permission.php:115
action · admin_enqueue_scripts · src\Modules\Common\Permission.php:128
action · wp_enqueue_scripts · src\Modules\Common\Permission.php:132
action · after_setup_theme · src\Modules\Common\Permission.php:134
filter · show_admin_bar · src\Modules\Common\Permission.php:161
action · admin_menu · src\Modules\Common\Permission.php:174
action · pre_current_active_plugins · src\Modules\Common\Permission.php:191
action · current_screen · src\Modules\Common\Posts.php:30
filter · page_row_actions · src\Modules\Common\Posts.php:31
filter · post_row_actions · src\Modules\Common\Posts.php:32
filter · use_block_editor_for_post_type · src\Modules\Common\Posts.php:34
filter · redirect_post_location · src\Modules\Common\Posts.php:36
filter · use_block_editor_for_post_type · src\Modules\Common\Posts.php:42
action · admin_head · src\Modules\Common\Posts.php:83
filter · mce_external_plugins · src\Modules\Common\Posts.php:85
filter · mce_buttons · src\Modules\Common\Posts.php:86
filter · mce_buttons_2 · src\Modules\Common\Posts.php:87
filter · mce_buttons_2 · src\Modules\Common\Posts.php:88
filter · the_content · src\Modules\Common\Posts.php:92
filter · the_content · src\Modules\Common\Posts.php:95
action · admin_enqueue_scripts · src\Modules\Common\Posts.php:99
filter · gutenberg_use_widgets_block_editor · src\Modules\Common\Posts.php:228
filter · use_widgets_block_editor · src\Modules\Common\Posts.php:229
action · admin_enqueue_scripts · src\Modules\Common\Posts.php:233
action · admin_init · src\Modules\Common\Posts.php:244
action · flatsome_after_404 · src\Modules\Common\Posts.php:260
action · template_redirect · src\Modules\Common\Posts.php:289
action · add_meta_boxes · src\Modules\Common\Posts.php:303
action · enqueue_block_editor_assets · src\Modules\Common\Posts.php:304
filter · get_post_metadata · src\Modules\Common\Posts.php:339
action · before_delete_post · src\Modules\Common\Posts.php:383
action · deleted_post · src\Modules\Common\Posts.php:384
action · admin_footer · src\Modules\Common\Posts.php:452
action · init · src\Modules\Common\Security.php:32
filter · embed_oembed_discover · src\Modules\Common\Security.php:38
filter · tiny_mce_plugins · src\Modules\Common\Security.php:43
filter · rewrite_rules_array · src\Modules\Common\Security.php:44
filter · xmlrpc_enabled · src\Modules\Common\Security.php:61
filter · pings_open · src\Modules\Common\Security.php:62
filter · pre_update_option_enable_xmlrpc · src\Modules\Common\Security.php:63
filter · pre_option_enable_xmlrpc · src\Modules\Common\Security.php:64
filter · wp_headers · src\Modules\Common\Security.php:65
action · init · src\Modules\Common\Security.php:66
filter · wp_default_scripts · src\Modules\Common\Security.php:88
filter · the_generator · src\Modules\Common\Security.php:100
action · template_redirect · src\Modules\Common\Security.php:121
action · pre_ping · src\Modules\Common\Security.php:148
filter · rest_authentication_errors · src\Modules\Common\Security.php:161
action · init · src\Modules\Common\Security.php:206
filter · heartbeat_settings · src\Modules\Common\Security.php:252
filter · allowed_block_types · src\Modules\Common\Security.php:263
filter · wp_mail_from · src\Modules\Common\SMTP.php:13
filter · wp_mail_from_name · src\Modules\Common\SMTP.php:23
action · phpmailer_init · src\Modules\Common\SMTP.php:31
action · register_post · src\Modules\Common\SMTP.php:34
action · wp_enqueue_scripts · src\Modules\Common\SMTP.php:81
filter · admin_email_check_interval · src\Modules\Common\SMTP.php:93
filter · send_core_update_notification_email · src\Modules\Common\SMTP.php:96
filter · auto_plugin_update_send_email · src\Modules\Common\SMTP.php:97
filter · auto_theme_update_send_email · src\Modules\Common\SMTP.php:98
filter · wp_send_new_user_notification_to_admin · src\Modules\Common\SMTP.php:101
filter · send_password_change_email · src\Modules\Common\SMTP.php:105
filter · woocommerce_disable_password_change_notification · src\Modules\Common\SMTP.php:106
action · login_enqueue_scripts · src\Modules\Frontend\Branding.php:13
filter · login_title · src\Modules\Frontend\Branding.php:101
filter · site_url · src\Modules\Frontend\Branding.php:110
action · plugins_loaded · src\Modules\Frontend\Branding.php:111
action · wp_loaded · src\Modules\Frontend\Branding.php:112
filter · wp_redirect · src\Modules\Frontend\Branding.php:113
action · wp_enqueue_scripts · src\Modules\Frontend\Branding.php:214
action · wp_head · src\Modules\Frontend\Code.php:23
action · wp_body_open · src\Modules\Frontend\Code.php:32
action · wp_footer · src\Modules\Frontend\Code.php:41
action · wp_head · src\Modules\Frontend\Code.php:49
action · wp_head · src\Modules\Frontend\Code.php:53
action · wp_head · src\Modules\Frontend\Code.php:57
action · wp_enqueue_scripts · src\Modules\Frontend\Cookie.php:9
action · wp_footer · src\Modules\Frontend\Cookie.php:10
action · init · src\Modules\Frontend\Cookie.php:11
action · init · src\Modules\Frontend\Optimize.php:24
action · init · src\Modules\Frontend\Optimize.php:35
filter · tiny_mce_plugins · src\Modules\Frontend\Optimize.php:46
filter · wp_resource_hints · src\Modules\Frontend\Optimize.php:47
filter · emoji_svg_url · src\Modules\Frontend\Optimize.php:49
action · wp_enqueue_scripts · src\Modules\Frontend\Optimize.php:70
action · wp_enqueue_scripts · src\Modules\Frontend\Optimize.php:81
filter · style_loader_tag · src\Modules\Frontend\Optimize.php:92
filter · script_loader_tag · src\Modules\Frontend\Optimize.php:109
action · wp_enqueue_scripts · src\Modules\Frontend\Optimize.php:111
filter · script_loader_src · src\Modules\Frontend\Optimize.php:134
filter · style_loader_src · src\Modules\Frontend\Optimize.php:135
filter · wp_settings_option_type_map · src\Settings.php:13
action · admin_menu · src\Settings.php:22
action · admin_init · src\WPSettings\Export.php:15
action · admin_notices · src\WPSettings\Export.php:96
action · wp_settings_before_render_settings_page · src\WPSettings\Import.php:13
action · wp_settings_before_render_settings_page · src\WPSettings\Module.php:14
action · admin_init · src\WPSettings\Restore.php:15
action · admin_notices · src\WPSettings\Restore.php:34
action · admin_notices · src\WPSettings\Restore.php:38
action · wp_settings_before_render_settings_page · src\WPSettings\Widget.php:14
Maintenance & Trust

WP EXtra – One Click Optimize Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 31, 2025
PHP min version: 7.4
Downloads: 104K

Community Trust

Rating: 98/100
Number of ratings: 40
Active installs: 7K
Developer Profile

WP EXtra – One Click Optimize Developer Profile

COP

2 plugins · 8K total installs

Trust score: 69
Avg Security Score: 86/100
Avg Patch Time: 92 days
Detection Fingerprints

How We Detect WP EXtra – One Click Optimize

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wp-extra/assets/css/backend.css
  • /wp-content/plugins/wp-extra/assets/css/frontend.css
  • /wp-content/plugins/wp-extra/assets/js/admin.js
  • /wp-content/plugins/wp-extra/assets/js/frontend.js
  • /wp-content/plugins/wp-extra/assets/js/tinymce-plugin.js
  • /wp-content/plugins/wp-extra/assets/js/elementor-widget.js

Script Paths

  • /wp-content/plugins/wp-extra/assets/js/admin.js
  • /wp-content/plugins/wp-extra/assets/js/frontend.js
  • /wp-content/plugins/wp-extra/assets/js/tinymce-plugin.js
  • /wp-content/plugins/wp-extra/assets/js/elementor-widget.js

Version Parameters

  • wp-extra/assets/css/backend.css?ver=
  • wp-extra/assets/css/frontend.css?ver=
  • wp-extra/assets/js/admin.js?ver=
  • wp-extra/assets/js/frontend.js?ver=
  • wp-extra/assets/js/tinymce-plugin.js?ver=
  • wp-extra/assets/js/elementor-widget.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • wp-extra-admin-bar-menu
  • wp-extra-user-registration-date
  • wp-extra-user-last-login

HTML Comments

  • WP EXtra Admin Bar Menu
  • WP EXtra User Registration Date Column
  • WP EXtra User Last Login Column

Data Attributes

  • data-wp-extra-settings
  • data-wp-extra-nonce

JS Globals

  • wpExtraAdmin
  • wpExtraFrontend
  • WPEX

REST Endpoints

  • /wp-json/wp-extra/v1/settings
  • /wp-json/wp-extra/v1/permissions

Shortcode Output

  • [wp_extra_display_user_info]
  • [wp_extra_recent_posts]
  • [wp_extra_social_icons]