WP Optimizer Security & Risk Analysis

wordpress.org/plugins/wp-optimizer

WordPress performance optimization plugin with cache, minify, image optimization, database cleanup, security hardening and server tuning.

100 active installs · v2.5.0 · PHP 7.4+ · WP 5.0.0+ · Updated Mar 12, 2026
Tags: cache, image-optimization, minify, performance, wordpress-optimization
Score: 78 · B · Generally Safe
CVEs total: 1
Unpatched: 1
Last CVE: Jun 27, 2025
Safety Verdict

Is WP Optimizer Safe to Use in 2026?

Mostly Safe

Score 78/100

WP Optimizer is generally safe to use. 1 past CVE was resolved. Keep it updated.

1 known CVE · 1 unpatched · Last CVE: Jun 27, 2025 · Updated 22d ago
Risk Assessment

The "wp-optimizer" v2.5.0 plugin exhibits a concerning security posture, with significant risks stemming from its attack surface and code analysis. The presence of one unprotected AJAX handler is a critical vulnerability, as it represents a direct entry point for attackers to potentially exploit the plugin without any authentication or authorization. This, combined with the use of dangerous functions like `unserialize`, `shell_exec`, and `exec`, amplifies the potential impact of any successful exploit.

Taint analysis further highlights these concerns, revealing a critical severity flow and two high severity flows with unsanitized paths. This indicates that user-supplied data can potentially be manipulated to execute arbitrary code or compromise the system. While the plugin does utilize prepared statements for a majority of its SQL queries and has some capability checks, these are overshadowed by the critical flaws in its entry points and data sanitization.

The vulnerability history, while currently showing only one medium severity CVE, is a warning sign. The fact that this vulnerability is listed as unpatched, even at medium severity, suggests potential ongoing weaknesses in the development and patching process. Coupled with a past CSRF CVE, it points to a pattern of issues that require consistent attention. In conclusion, while "wp-optimizer" v2.5.0 has some positive aspects, such as a good percentage of prepared statements, the identified unprotected AJAX handler, critical taint flows, and dangerous function usage present a substantial security risk that needs immediate remediation.

Key Concerns

  • Unprotected AJAX handler
  • Critical severity taint flow
  • High severity taint flows (x2)
  • Dangerous functions (unserialize, shell_exec, exec)
  • Unpatched medium severity CVE
  • Low percentage of properly escaped output
  • Low number of nonce checks relative to attack surface
Vulnerabilities: 1

WP Optimizer Security Vulnerabilities

CVEs by Year

2025: 1 CVE · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-53314 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP Optimizer <= 2.3.6 - Cross-Site Request Forgery

Jun 27, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

WP Optimizer Code Analysis

Dangerous Functions: 8
Raw SQL Queries: 66 (189 prepared)
Unescaped Output: 298 (217 escaped)
Nonce Checks: 1
Capability Checks: 15
File Operations: 40
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$action_args = empty($args['options']) ? '' : unserialize(base64_decode($args['options']));` · modules\database.class.php:289
shell_exec · `$gone_ok = @shell_exec($cmd);` · modules\supporters\database\DBSupport.class.php:736
shell_exec · `if (is_null(shell_exec('hash mysqldump 2>&1'))) {` · modules\supporters\database\DBSupport.class.php:767
unserialize · `$settings = unserialize(base64_decode($import_settings) ?: '');` · vendors\wps-framework\Settings.class.php:278
unserialize · `$data = unserialize(file_get_contents($path) ?: '');` · vendors\wps-framework\Storage.class.php:151
exec · `$uptime = @exec('uptime');` · vendors\wps-framework\UtilEnv.php:476
exec · `@exec('wmic cpu get loadpercentage /value', $output);` · vendors\wps-framework\UtilEnv.php:486
shell_exec · `if (!@shell_exec('echo WP Backup'))` · vendors\wps-framework\UtilEnv.php:735

SQL Query Safety

74% prepared · 255 total queries

Output Escaping

42% escaped · 515 total outputs
Data Flows: 6 unsanitized

Data Flow Analysis

16 flows · 6 with unsanitized paths
wps_log (vendors\wps-framework\functions\wp.php:454)
Attack Surface: 1 unprotected

WP Optimizer Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers: 1

auth · wp_ajax_wps · vendors\wps-framework\Ajax.class.php:25

WordPress Hooks: 108

action · admin_menu · admin\PagesHandler.class.php:23
action · admin_enqueue_scripts · admin\PagesHandler.class.php:24
action · admin_notices · admin\PagesHandler.class.php:26
action · wpopt_enqueue_panel_scripts · admin\PagesHandler.class.php:86
filter · plugin_row_meta · admin\PluginInit.class.php:49
action · wp_login_failed · modules\activitylog.class.php:405
action · wp_login · modules\activitylog.class.php:415
action · profile_update · modules\activitylog.class.php:423
action · user_register · modules\activitylog.class.php:432
action · delete_user · modules\activitylog.class.php:440
action · add_attachment · modules\activitylog.class.php:453
action · edit_attachment · modules\activitylog.class.php:461
action · delete_attachment · modules\activitylog.class.php:469
action · updated_option · modules\activitylog.class.php:480
action · activated_plugin · modules\activitylog.class.php:493
action · deactivated_plugin · modules\activitylog.class.php:499
action · upgrader_process_complete · modules\activitylog.class.php:505
action · save_post · modules\activitylog.class.php:510
action · before_delete_post · modules\activitylog.class.php:517
action · created_term · modules\activitylog.class.php:527
action · edited_term · modules\activitylog.class.php:540
action · delete_term · modules\activitylog.class.php:553
action · template_redirect · modules\activitylog.class.php:566
action · init · modules\activitylog.class.php:577
action · clean_site_cache · modules\cache.class.php:147
action · clean_network_cache · modules\cache.class.php:148
action · clean_post_cache · modules\cache.class.php:150
action · clean_page_cache · modules\cache.class.php:151
action · clean_attachment_cache · modules\cache.class.php:152
action · clean_comment_cache · modules\cache.class.php:153
action · clean_term_cache · modules\cache.class.php:155
action · clean_object_term_cache · modules\cache.class.php:156
action · clean_taxonomy_cache · modules\cache.class.php:157
action · clean_user_cache · modules\cache.class.php:159
action · wp · modules\performance_monitor.class.php:49
action · shutdown · modules\performance_monitor.class.php:55
filter · set-screen-option · modules\supporters\activity-log\ActivityLog_Table.class.php:57
filter · posts_pre_query · modules\supporters\cache\querycache.class.php:87
filter · posts_results · modules\supporters\cache\querycache.class.php:90
filter · found_posts · modules\supporters\cache\querycache.class.php:93
filter · the_posts · modules\supporters\cache\querycache.class.php:96
action · parse_query · modules\supporters\cache\staticcache.class.php:106
filter · set-screen-option · modules\supporters\media\Media_Table.class.php:56
action · wp_dashboard_setup · modules\widget.class.php:32
action · admin_head · modules\widget.class.php:62
filter · show_admin_bar · modules\wp_customizer.class.php:28
action · admin_init · modules\wp_customizer.class.php:33
action · init · modules\wp_customizer.class.php:76
filter · use_block_editor_for_post · modules\wp_customizer.class.php:91
filter · use_block_editor_for_post_type · modules\wp_customizer.class.php:92
action · wp_enqueue_scripts · modules\wp_customizer.class.php:94
filter · use_widgets_block_editor · modules\wp_customizer.class.php:119
filter · wp_sitemaps_enabled · modules\wp_customizer.class.php:143
action · admin_enqueue_scripts · modules\wp_customizer.class.php:153
filter · tiny_mce_plugins · modules\wp_customizer.class.php:177
filter · pings_open · modules\wp_customizer.class.php:192
action · pre_ping · modules\wp_customizer.class.php:200
filter · xmlrpc_enabled · modules\wp_customizer.class.php:222
filter · show_admin_bar · modules\wp_customizer.class.php:227
action · wp_dashboard_setup · modules\wp_customizer.class.php:247
action · wp_default_scripts · modules\wp_customizer.class.php:270
action · wp_before_admin_bar_render · modules\wp_customizer.class.php:284
filter · comments_open · modules\wp_customizer.class.php:293
filter · pings_open · modules\wp_customizer.class.php:294
filter · comments_array · modules\wp_customizer.class.php:297
action · admin_init · modules\wp_customizer.class.php:299
action · admin_menu · modules\wp_customizer.class.php:314
filter · rest_authentication_errors · modules\wp_customizer.class.php:335
filter · embed_oembed_discover · modules\wp_customizer.class.php:350
filter · phpmailer_init · modules\wp_mail.class.php:144
filter · wp_mail · modules\wp_mail.class.php:148
filter · the_generator · modules\wp_security.class.php:111
action · template_redirect · modules\wp_security.class.php:114
filter · style_loader_src · modules\wp_security.class.php:119
filter · script_loader_src · modules\wp_security.class.php:120
filter · pre_option_update_core · modules\wp_updates.class.php:39
filter · wp_auto_update_core · modules\wp_updates.class.php:41
filter · auto_update_core · modules\wp_updates.class.php:42
filter · allow_minor_auto_core_updates · modules\wp_updates.class.php:43
filter · allow_major_auto_core_updates · modules\wp_updates.class.php:44
filter · allow_dev_auto_core_updates · modules\wp_updates.class.php:45
action · admin_menu · modules\wp_updates.class.php:55
filter · auto_update_plugin · modules\wp_updates.class.php:72
filter · auto_update_theme · modules\wp_updates.class.php:84
filter · automatic_updater_disabled · modules\wp_updates.class.php:97
filter · auto_update_translation · modules\wp_updates.class.php:105
filter · allow_minor_auto_core_updates · modules\wp_updates.class.php:107
filter · allow_major_auto_core_updates · modules\wp_updates.class.php:108
filter · allow_dev_auto_core_updates · modules\wp_updates.class.php:109
filter · auto_update_core · modules\wp_updates.class.php:111
filter · wp_auto_update_core · modules\wp_updates.class.php:112
filter · auto_update_plugin · modules\wp_updates.class.php:113
filter · auto_update_theme · modules\wp_updates.class.php:114
filter · auto_core_update_send_email · modules\wp_updates.class.php:118
filter · auto_core_update_send_email · modules\wp_updates.class.php:119
filter · automatic_updates_send_debug_email · modules\wp_updates.class.php:120
filter · send_core_update_notification_email · modules\wp_updates.class.php:121
filter · cron_request · vendors\wps-framework\CronActions.class.php:241
filter · cron_schedules · vendors\wps-framework\CronActions.class.php:371
action · admin_enqueue_scripts · vendors\wps-framework\loader.php:52
action · init · vendors\wps-framework\loader.php:55
action · admin_enqueue_scripts · vendors\wps-framework\Module.class.php:112
action · admin_notices · vendors\wps-framework\Module.class.php:125
action · admin_init · vendors\wps-framework\Module.class.php:127
action · init · vendors\wps-framework\Module.class.php:130
action · admin_init · vendors\wps-framework\Settings.class.php:23
action · shutdown · vendors\wps-framework\Settings.class.php:256
action · shutdown · vendors\wps-framework\Storage.class.php:199
Maintenance & Trust

WP Optimizer Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.4
Downloads: 18K

Community Trust

Rating: 60/100
Number of ratings: 2
Active installs: 100
Developer Profile

WP Optimizer Developer Profile

sh1zen

3 plugins · 140 total installs

Trust score: 80
Avg Security Score: 89/100
Avg Patch Time: 59 days
Detection Fingerprints

How We Detect WP Optimizer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-optimizer/assets/style.min.css
/wp-content/plugins/wp-optimizer/assets/style.css

HTML / DOM Fingerprints

CSS Classes
wpopt-hero, wpopt-hero-subtitle, wpopt-actions, wpopt-btn, wpopt-faq-shell, wpopt-faq-list, wpopt-faq-item, wpopt-faq-question-wrapper, +2 more
Data Attributes
data-nonce="wpopt-ajax-nonce"
JS Globals
wpopt_ajax_nonce
FAQ

Frequently Asked Questions about WP Optimizer