WP Plugin Manager – Deactivate plugins per page Security & Risk Analysis

wordpress.org/plugins/wp-plugin-manager

"WP Plugin Manager" is a plugin that allows you to disable plugins on specific pages, posts, or devices for better performance.

3K active installs · v1.4.11 · PHP 7.4+ · WP 5.0+ · Updated Feb 26, 2026
Tags: disable-plugins, performance-optimization, plugin-manager, selective-loading, wordpress-speed
Score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Nov 13, 2025
Safety Verdict

Is WP Plugin Manager – Deactivate plugins per page Safe to Use in 2026?

Generally Safe

Score 98/100

WP Plugin Manager – Deactivate plugins per page has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Nov 13, 2025 · Updated 1mo ago
Risk Assessment

The wp-plugin-manager v1.4.11 plugin demonstrates several positive security practices, including a high percentage of properly escaped output and 100% usage of prepared statements for SQL queries, indicating a conscious effort to prevent common vulnerabilities. The absence of critical or high severity taint flows and the low number of total flows analyzed suggest that complex, deeply embedded vulnerabilities are unlikely. However, the plugin has a concerning history of two medium severity CVEs, both related to Cross-Site Request Forgery (CSRF). Although no CVEs are currently unpatched, this pattern suggests a recurring weakness that requires careful monitoring and prompt patching of future issues.

The static analysis reveals a notable concern: one AJAX handler lacks authentication checks. While the total attack surface is relatively small, this unprotected entry point is a significant risk, potentially allowing unauthorized actions if exploited. The plugin also performs several file operations and external HTTP requests, which, while not inherently risky, can become vectors for attack if not properly secured and validated. The presence of some unsanitized paths in the taint analysis, although none is rated critical or high severity, warrants attention as it points to potential weaknesses in input handling.

In conclusion, wp-plugin-manager v1.4.11 has a generally good security foundation with strong practices in SQL and output handling. However, the unprotected AJAX endpoint, the history of CSRF vulnerabilities, and the presence of unsanitized paths are critical areas of concern that detract from its overall security posture. Vigilance in patching new vulnerabilities and immediate remediation of the unprotected AJAX handler are essential to mitigate the identified risks.

Key Concerns

  • AJAX handler without authentication check
  • 2 past medium severity CVEs (CSRF)
  • Taint flows with unsanitized paths
Vulnerabilities
2

WP Plugin Manager – Deactivate plugins per page Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • Medium: 2

2 total CVEs

CVE-2025-64271 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Plugin Manager <= 1.4.7 - Cross-Site Request Forgery

Nov 13, 2025 · Patched in 1.4.8 (5d)

CVE-2023-1088 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP Plugin Manager <= 1.1.7 - Cross-Site Request Forgery to Arbitrary Plugin Activation

Feb 28, 2023 · Patched in 1.1.8 (329d)
Code Analysis
Analyzed Mar 16, 2026

WP Plugin Manager – Deactivate plugins per page Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 4 (81 escaped)
  • Nonce Checks: 4
  • Capability Checks: 20
  • File Operations: 6
  • External Requests: 6
  • Bundled Libraries: 0

Output Escaping

95% escaped · 85 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
__construct (includes\class-diagnostic-data.php:81)
Attack Surface
1 unprotected

WP Plugin Manager – Deactivate plugins per page Attack Surface

Entry Points: 13
Unprotected: 1

AJAX Handlers 2

  • auth · wp_ajax_htpm_diagnostic_data (includes\class-diagnostic-data.php:97)
  • auth · wp_ajax_htpm_notices (includes\class.notices.php:52)

REST API Routes 11

  • GET /wp-json/htpm/v1/plugins/settings (includes\api\admin-dashboard-api.php:14)
  • GET /wp-json/htpm/v1/plugins (includes\api\admin-dashboard-api.php:23)
  • GET /wp-json/htpm/v1/plugins/(?P<id>\d+)/settings (includes\api\admin-dashboard-api.php:32)
  • POST /wp-json/htpm/v1/plugins/(?P<id>\d+)/settings (includes\api\admin-dashboard-api.php:41)
  • GET /wp-json/htpm/v1/sidebar-content (includes\api\admin-dashboard-api.php:50)
  • GET /wp-json/htpm/v1/pages (includes\api\admin-dashboard-api.php:59)
  • GET /wp-json/htpm/v1/posts (includes\api\admin-dashboard-api.php:68)
  • GET /wp-json/htpm/v1/post-types (includes\api\admin-dashboard-api.php:77)
  • GET /wp-json/htpm/v1/selected-post-types (includes\api\admin-dashboard-api.php:85)
  • GET /wp-json/htpm/v1/post-type-items/(?P<type>[a-zA-Z0-9_-]+) (includes\api\admin-dashboard-api.php:94)
  • POST /wp-json/htpm/v1/update-dashboard-settings (includes\api\admin-dashboard-api.php:103)

WordPress Hooks 31

  • action rest_api_init (includes\api\admin-dashboard-api.php:163)
  • action rest_api_init (includes\api\changelog-api.php:35)
  • action init (includes\class-diagnostic-data.php:107)
  • action admin_head (includes\class-diagnostic-data.php:119)
  • action admin_footer (includes\class-diagnostic-data.php:120)
  • action admin_notices (includes\class.notices.php:49)
  • action htpm_admin_notices (includes\class.notices.php:50)
  • action admin_footer (includes\class.notices.php:51)
  • action admin_enqueue_scripts (includes\HTPM_Trial.php:70)
  • action admin_init (includes\HTPM_Trial.php:71)
  • action admin_print_scripts (includes\HTPM_Trial.php:342)
  • action admin_print_footer_scripts (includes\HTPM_Trial.php:343)
  • action htpm_admin_notices (includes\HTPM_Trial.php:347)
  • action admin_footer (includes\HTPM_Trial.php:351)
  • action admin_footer (includes\HTPM_Trial.php:352)
  • action admin_menu (includes\plugin-options-page.php:24)
  • action admin_footer (includes\plugin-options-page.php:25)
  • action admin_footer (includes\plugin-options-page.php:26)
  • filter option_active_plugins (mu-plugin\htpm-mu-plugin.php:35)
  • action in_admin_header (plugin-main.php:50)
  • action init (plugin-main.php:51)
  • action plugins_loaded (plugin-main.php:52)
  • action update_option_active_plugins (plugin-main.php:55)
  • action admin_enqueue_scripts (plugin-main.php:58)
  • filter admin_menu (plugin-main.php:59)
  • action init (plugin-main.php:60)
  • action admin_init (plugin-main.php:61)
  • action admin_init (plugin-main.php:62)
  • action admin_init (plugin-main.php:63)
  • action rest_api_init (plugin-main.php:148)
  • filter script_loader_tag (plugin-main.php:165)
Maintenance & Trust

WP Plugin Manager – Deactivate plugins per page Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 26, 2026
  • PHP min version: 7.4
  • Downloads: 124K

Community Trust

  • Rating: 86/100
  • Number of ratings: 24
  • Active installs: 3K
Developer Profile

WP Plugin Manager – Deactivate plugins per page Developer Profile

HasThemes

14 plugins · 16K total installs

  • Trust score: 77
  • Avg Security Score: 97/100
  • Avg Patch Time: 179 days
Detection Fingerprints

How We Detect WP Plugin Manager – Deactivate plugins per page

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-plugin-manager/assets/css/admin-style.css
  • /wp-content/plugins/wp-plugin-manager/assets/dist/css/style.css
  • /wp-content/plugins/wp-plugin-manager/assets/dist/js/main.js
Version Parameters
  • wp-plugin-manager/assets/css/admin-style.css?ver=
  • wp-plugin-manager/assets/dist/css/style.css?ver=
  • wp-plugin-manager/assets/dist/js/main.js?ver=

HTML / DOM Fingerprints

JS Globals
  • wpPluginManagerSettings
  • HTPM_PLUGIN_VERSION
REST Endpoints
/wp-json/wp-plugin-manager/v1/plugins