Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP & AVIF | Image CDN Security & Risk Analysis

wordpress.org/plugins/wp-smushit

Optimize and compress images with lossless and lossy compression, lazy load, WebP & AVIF conversion, and global image CDN.

1.0M active installs · v3.24.0 · PHP 7.4+ · WP 6.4+ · Updated Feb 23, 2026
Tags: compress-images, convert-webp, image-optimization, optimize-images, webp

Score: 93 · A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Mar 29, 2025

Safety Verdict

Is Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP & AVIF | Image CDN Safe to Use in 2026?

Generally Safe

Score 93/100

Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP & AVIF | Image CDN has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Mar 29, 2025 · Updated 1mo ago

Risk Assessment

The wp-smushit plugin exhibits a mixed security posture. On the positive side, the code demonstrates strong adherence to secure coding practices with a high percentage of SQL queries using prepared statements and properly escaped output. The presence of numerous nonce and capability checks also indicates a focus on preventing common WordPress attacks.

However, there are notable areas of concern. The presence of a REST API route without permission callbacks presents a direct and unprotected entry point, which is a significant risk. Furthermore, the taint analysis reveals a flow with unsanitized paths, highlighting a potential for path traversal or similar vulnerabilities despite the low severity score.

The plugin's vulnerability history is particularly worrying, with a significant number of past CVEs across various severity levels, including critical and high. The common vulnerability types mentioned, such as Missing Authorization, Deserialization, XSS, and Path Traversal, directly align with the potential risks identified in the static analysis. While there are currently no unpatched CVEs, the recurring nature of these vulnerability types suggests a persistent challenge in securing certain code areas.

The overall conclusion is that while the plugin has implemented some good security practices, the identified vulnerabilities and the historical pattern of security issues necessitate careful monitoring and potentially further code review.

Key Concerns

  • REST API route without permission callbacks
  • Taint flow with unsanitized paths
  • Vulnerability history includes critical/high severity
  • Vulnerability history shows common dangerous patterns
  • Large attack surface with one unprotected entry point

Vulnerabilities: 6

Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP & AVIF | Image CDN Security Vulnerabilities

CVEs by Year

2017: 1 CVE
2018: 2 CVEs
2022: 1 CVE
2024: 1 CVE
2025: 1 CVE

Severity Breakdown

Critical: 1
High: 1
Medium: 3
Low: 1

6 total CVEs

CVE-2025-22288 · low · 2.7 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Smush Image Compression and Optimization <= 3.17.0 - Authenticated (Admin+) Directory Traversal
Mar 29, 2025 · Patched in 3.17.1 (12d)

CVE-2023-3352 · medium · 4.3 · Missing Authorization
Smush – Lazy Load Images, Optimize & Compress Images <= 3.16.4 - Missing Authorization to Resmush List Deletion
Jun 20, 2024 · Patched in 3.16.5 (1d)

CVE-2022-1009 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Smush – Lazy Load Images, Optimize & Compress Images <= 3.9.8 - Cross-Site Scripting
May 3, 2022 · Patched in 3.9.9 (630d)

WF-15654ff3-2e61-44d2-ae3f-4a353db320cb-wp-smushit · high · 8.8 · Deserialization of Untrusted Data
Smush – Lazy Load Images, Optimize & Compress Images <= 3.0.0 - Authenticated PHAR Deserialization
Dec 10, 2018 · Patched in 3.0.1 (1870d)

WF-53b5a052-6e84-4eb5-a7f4-4e32f757f4d6-wp-smushit · critical · 9.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Smush – Lazy Load Images, Optimize & Compress Images <= 2.9.1 - Cross-Site Scripting
Dec 10, 2018 · Patched in 3.0.0 (1870d)

CVE-2017-15079 · medium · 5.3 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Smush – Lazy Load Images, Optimize & Compress Images <= 2.7.5 - Directory Traversal
Sep 21, 2017 · Patched in 2.7.6 (2315d)

Code Analysis
Analyzed Mar 16, 2026

Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP & AVIF | Image CDN Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 16 (65 prepared)
Unescaped Output: 19 (776 escaped)
Nonce Checks: 55
Capability Checks: 8
File Operations: 36
External Requests: 9
Bundled Libraries: 1

Bundled Libraries

Guzzle

SQL Query Safety

80% prepared · 81 total queries

Output Escaping

98% escaped · 795 total outputs

Data Flows: 6 unsanitized

Data Flow Analysis

9 flows · 6 with unsanitized paths
process_request (core\modules\async\class-abstract-async.php:180)

Attack Surface: 1 unprotected

Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP & AVIF | Image CDN Attack Surface

Entry Points: 36
Unprotected: 1

AJAX Handlers (35)

auth · wp_ajax_skip_smush_setup · app\class-ajax.php:51
auth · wp_ajax_smush_setup · app\class-ajax.php:53
auth · wp_ajax_smush_free_setup · app\class-ajax.php:54
auth · wp_ajax_dismiss_upgrade_notice · app\class-ajax.php:60
auth · wp_ajax_dismiss_update_info · app\class-ajax.php:62
auth · wp_ajax_dismiss_s3support_alert · app\class-ajax.php:64
auth · wp_ajax_hide_api_message · app\class-ajax.php:66
auth · wp_ajax_smush_show_warning · app\class-ajax.php:67
auth · wp_ajax_smush_dismiss_notice · app\class-ajax.php:69
auth · wp_ajax_dismiss_media_hub_connect_notice · app\class-ajax.php:71
auth · wp_ajax_wp_smushit_manual · app\class-ajax.php:77
auth · wp_ajax_smush_resmush_image · app\class-ajax.php:79
auth · wp_ajax_scan_for_resmush · app\class-ajax.php:81
auth · wp_ajax_get_stats · app\class-ajax.php:83
auth · wp_ajax_wp_smushit_bulk · app\class-ajax.php:89
auth · wp_ajax_get_dir_smush_stats · app\class-ajax.php:96
auth · wp_ajax_smush_toggle_lazy_load · app\class-ajax.php:101
auth · wp_ajax_smush_remove_icon · app\class-ajax.php:102
auth · wp_ajax_smush_upload_config · app\class-ajax.php:107
auth · wp_ajax_smush_save_config · app\class-ajax.php:108
auth · wp_ajax_smush_apply_config · app\class-ajax.php:109
auth · wp_ajax_hide_new_features · app\class-ajax.php:115
auth · wp_ajax_wp_smush_review_prompts_remind_later · app\class-ajax.php:120
auth · wp_ajax_smush_save_settings · core\class-settings.php:252
auth · wp_ajax_reset_settings · core\class-settings.php:254
auth · wp_ajax_get_image_count · core\modules\class-backup.php:47
auth · wp_ajax_restore_step · core\modules\class-backup.php:48
auth · wp_ajax_smush_get_directory_list · core\modules\class-dir.php:80
auth · wp_ajax_image_list · core\modules\class-dir.php:83
auth · wp_ajax_directory_smush_start · core\modules\class-dir.php:90
auth · wp_ajax_directory_smush_check_step · core\modules\class-dir.php:91
auth · wp_ajax_directory_smush_finish · core\modules\class-dir.php:92
auth · wp_ajax_directory_smush_cancel · core\modules\class-dir.php:93
auth · wp_ajax_smush_track_deactivate · core\modules\class-product-analytics-controller.php:79
auth · wp_ajax_smush_analytics_track_event · core\modules\class-product-analytics-controller.php:80

REST API Routes (1)

GET · /wp-json/wp-smush/v1/preset_configs/ · core\class-rest.php:100

WordPress Hooks (146)
action · admin_enqueue_scripts · app\class-abstract-page.php:139
action · admin_notices · app\class-abstract-page.php:142
action · network_admin_notices · app\class-abstract-page.php:143
action · wp_smush_header_notices · app\class-abstract-page.php:144
action · wp_smush_header_notices · app\class-abstract-page.php:146
action · wp_smush_render_setting_row · app\class-abstract-page.php:148
filter · admin_body_class · app\class-abstract-page.php:150
filter · removable_query_args · app\class-abstract-page.php:153
action · stats_ui_after_resize_savings · app\class-abstract-summary-page.php:30
action · stats_ui_after_resize_savings · app\class-abstract-summary-page.php:31
action · stats_ui_after_resize_savings · app\class-abstract-summary-page.php:32
action · stats_ui_after_resize_savings · app\class-abstract-summary-page.php:34
action · admin_enqueue_scripts · app\class-admin.php:83
action · admin_menu · app\class-admin.php:85
action · network_admin_menu · app\class-admin.php:86
action · admin_init · app\class-admin.php:88
action · admin_init · app\class-admin.php:90
filter · plugin_row_meta · app\class-admin.php:98
action · admin_notices · app\class-admin.php:101
action · admin_notices · app\class-admin.php:102
action · smush_check_for_conflicts · app\class-admin.php:103
action · activated_plugin · app\class-admin.php:104
action · deactivated_plugin · app\class-admin.php:105
action · admin_footer-plugins.php · app\class-admin.php:108
action · all_admin_notices · app\class-admin.php:110
action · all_admin_notices · app\class-media-library.php:63
filter · manage_media_columns · app\class-media-library.php:68
filter · manage_upload_sortable_columns · app\class-media-library.php:69
action · manage_media_custom_column · app\class-media-library.php:70
action · pre_get_posts · app\class-media-library.php:73
filter · ajax_query_attachments_args · app\class-media-library.php:76
action · restrict_manage_posts · app\class-media-library.php:78
filter · wp_kses_allowed_html · app\class-media-library.php:81
action · admin_enqueue_scripts · app\class-media-library.php:83
filter · wp_prepare_attachment_for_js · app\class-media-library.php:85
filter · bulk_actions-upload · app\class-media-library.php:88
filter · handle_bulk_actions-upload · app\class-media-library.php:89
action · all_admin_notices · app\class-media-library.php:90
filter · posts_where_request · app\class-media-library.php:416
action · smush_setting_column_tag · app\pages\class-bulk.php:40
action · smush_setting_column_right_inside · app\pages\class-integrations.php:27
action · wp_smush_admin_after_tab_smush-lazy-preload · app\pages\class-lazy-preload.php:31
action · wp_smush_admin_page_before_sidenav · app\pages\class-lazy-preload.php:32
action · smush_setting_column_right_inside · app\pages\class-settings.php:43
action · wp_smush_render_general_setting_rows · app\pages\class-settings.php:44
action · wp_smush_render_general_setting_rows · app\pages\class-settings.php:45
action · smush_setting_column_right_inside · app\pages\class-settings.php:46
action · wp_smush_render_general_setting_rows · app\pages\class-settings.php:47
action · admin_head · app\pages\class-upgrade.php:31
action · admin_enqueue_scripts · app\pages\class-upgrade.php:79
filter · admin_body_class · app\pages\class-upgrade.php:93
filter · wdp_register_hub_action · core\api\class-hub.php:52
action · admin_init · core\class-core.php:160
action · init · core\class-core.php:163
filter · big_image_size_threshold · core\class-core.php:166
action · plugins_loaded · core\class-core.php:172
action · rest_api_init · core\class-core.php:178
action · rest_api_init · core\class-rest.php:34
action · rest_api_init · core\class-rest.php:37
action · switch_blog · core\class-settings.php:242
action · switch_blog · core\class-settings.php:243
filter · wp_smush_settings · core\class-settings.php:256
action · wp_smush_image_resized · core\class-stats.php:110
action · wp_smush_png_jpg_converted · core\class-stats.php:118
action · add_attachment · core\class-stats.php:126
action · delete_attachment · core\class-stats.php:127
filter · wp_smush_integration_show_submit · core\integrations\class-abstract-integration.php:62
filter · wp_smush_media_image · core\integrations\class-common.php:39
action · wr2x_retina_file_added · core\integrations\class-common.php:42
action · wp_smush_remove_filters · core\integrations\class-common.php:45
action · wpml_updated_attached_file · core\integrations\class-common.php:49
action · wpml_after_duplicate_attachment · core\integrations\class-common.php:50
action · wpml_after_copy_attached_file_postmeta · core\integrations\class-common.php:51
filter · smush_skip_iframe_from_lazy_load · core\integrations\class-common.php:54
filter · soliloquy_image_src · core\integrations\class-common.php:57
filter · smush_skip_image_from_lazy_load · core\integrations\class-common.php:60
action · template_redirect · core\integrations\class-common.php:63
filter · wp_smush_cdn_before_process_src · core\integrations\class-common.php:66
action · give_donation_form_top · core\integrations\class-common.php:69
filter · wp_generate_attachment_metadata · core\integrations\class-common.php:72
filter · wp_smush_should_transform_page · core\integrations\class-common.php:75
filter · wp_smush_should_skip_lazy_load · core\integrations\class-common.php:379
filter · wp_smush_should_skip_lazy_load · core\integrations\class-common.php:433
filter · wp_update_attachment_metadata · core\integrations\class-common.php:454
action · smush_setting_column_right_inside · core\integrations\class-composer.php:43
filter · image_make_intermediate_size · core\integrations\class-composer.php:46
filter · wp_get_attachment_image_src · core\integrations\class-composer.php:49
action · smush_setting_column_right_inside · core\integrations\class-gravity-forms.php:47
action · gform_after_submission · core\integrations\class-gravity-forms.php:55
action · smush_setting_column_right_inside · core\integrations\class-gutenberg.php:44
action · enqueue_block_editor_assets · core\integrations\class-gutenberg.php:50
action · wp_smush_clear_page_cache · core\integrations\class-hummingbird-integration.php:45
filter · wp_smush_script_data · core\media-library\class-background-media-library-scanner.php:64
filter · get_post_metadata · core\media-library\class-media-library-slice-data-fetcher.php:43
filter · add_post_meta · core\media-library\class-media-library-slice-data-fetcher.php:44
filter · update_post_meta · core\media-library\class-media-library-slice-data-fetcher.php:45
action · delete_post_meta · core\media-library\class-media-library-slice-data-fetcher.php:46
action · add_attachment · core\media-library\class-media-library-watcher.php:23
action · admin_init · core\media-library\class-media-library-watcher.php:24
filter · wp_generate_attachment_metadata · core\media-library\class-media-library-watcher.php:28
action · shutdown · core\modules\async\class-abstract-async.php:150
filter · wp_die_handler · core\modules\async\class-abstract-async.php:209
action · init · core\modules\background\class-background-process.php:69
filter · cron_schedules · core\modules\background\class-background-process.php:70
action · current_screen · core\modules\class-dir.php:96
filter · smush_setting_tabs · core\modules\class-dir.php:117
action · wp_smush_header_notices · core\modules\class-dir.php:131
action · current_screen · core\modules\class-dir.php:134
action · admin_footer · core\modules\class-dir.php:137
action · wp_smush_settings_updated · core\modules\class-product-analytics-controller.php:73
action · wp_smush_settings_updated · core\modules\class-product-analytics-controller.php:74
action · wp_smush_settings_deleted · core\modules\class-product-analytics-controller.php:75
action · wp_smush_settings_updated · core\modules\class-product-analytics-controller.php:76
action · wp_smush_settings_updated · core\modules\class-product-analytics-controller.php:77
action · wp_smush_directory_smush_start · core\modules\class-product-analytics-controller.php:87
action · wp_smush_bulk_smush_start · core\modules\class-product-analytics-controller.php:88
action · wp_smush_config_applied · core\modules\class-product-analytics-controller.php:89
action · wp_smush_plugin_activated · core\modules\class-product-analytics-controller.php:101
action · wp_smush_bulk_smush_stuck · core\modules\class-product-analytics-controller.php:107
action · wp_smush_lazy_load_updated · core\modules\class-product-analytics-controller.php:109
action · wp_smush_bulk_restore_completed · core\modules\class-product-analytics-controller.php:111
action · wp · core\modules\class-resize-detection.php:36
action · wp_enqueue_scripts · core\modules\class-resize-detection.php:39
filter · wp_smush_updated_element_markup · core\modules\class-resize-detection.php:42
action · wp_footer · core\modules\class-resize-detection.php:45
action · admin_init · core\modules\class-resize.php:61
action · admin_init · core\modules\class-resize.php:62
filter · wp_image_editors · core\modules\class-resize.php:405
filter · wp_generate_attachment_metadata · core\modules\class-smush.php:80
action · wp_async_wp_generate_attachment_metadata · core\modules\class-smush.php:86
action · wp_async_wp_save_image_editor_file · core\modules\class-smush.php:87
action · wp_smush_before_smush_file · core\modules\class-smush.php:93
action · template_redirect · core\modules\helpers\class-parser.php:88
filter · safe_style_css · core\modules\helpers\class-view.php:39
filter · wp_image_editors · core\resize\class-resize-optimization.php:406
filter · wp_calculate_image_sizes · core\srcset\class-srcset-helper.php:47
action · wp_head · core\wp-compat.php:44
action · admin_notices · wp-smush.php:135
action · network_admin_notices · wp-smush.php:136
action · plugins_loaded · wp-smush.php:195
action · admin_init · wp-smush.php:274
action · current_screen · wp-smush.php:275
action · admin_init · wp-smush.php:277
action · init · wp-smush.php:280
action · init · wp-smush.php:282
action · init · wp-smush.php:284

Scheduled Events (1)

smush_check_for_conflicts

Maintenance & Trust

Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP & AVIF | Image CDN Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 23, 2026
PHP min version: 7.4
Downloads: 64.8M

Community Trust

Rating: 96/100
Number of ratings: 6,033
Active installs: 1.0M

Developer Profile

Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP & AVIF | Image CDN Developer Profile

WPMU DEV - Your All-in-One WordPress Platform

9 plugins · 2.4M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 396 days

Detection Fingerprints

How We Detect Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP & AVIF | Image CDN

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wp-smushit/app/assets/css/smush-settings.css
  • /wp-content/plugins/wp-smushit/app/assets/css/smush-dashboard.css
  • /wp-content/plugins/wp-smushit/app/assets/css/smush-admin.css
  • /wp-content/plugins/wp-smushit/app/assets/css/smush-media-library.css
  • /wp-content/plugins/wp-smushit/app/assets/css/smush-lazy-load.css
  • /wp-content/plugins/wp-smushit/app/assets/css/smush-upsell.css
  • /wp-content/plugins/wp-smushit/app/assets/js/smush-admin.js
  • /wp-content/plugins/wp-smushit/app/assets/js/smush-media-library.js
  • +5 more

Script Paths

  • /wp-content/plugins/wp-smushit/app/assets/js/smush-admin.js
  • /wp-content/plugins/wp-smushit/app/assets/js/smush-media-library.js
  • /wp-content/plugins/wp-smushit/app/assets/js/smush-lazy-load.js
  • /wp-content/plugins/wp-smushit/app/assets/js/smush-upsell.js
  • /wp-content/plugins/wp-smushit/app/assets/js/smush-bulk.js

Version Parameters

  • wp-smushit/app/assets/css/smush-settings.css?ver=
  • wp-smushit/app/assets/css/smush-dashboard.css?ver=
  • wp-smushit/app/assets/css/smush-admin.css?ver=
  • wp-smushit/app/assets/css/smush-media-library.css?ver=
  • wp-smushit/app/assets/css/smush-lazy-load.css?ver=
  • wp-smushit/app/assets/css/smush-upsell.css?ver=
  • wp-smushit/app/assets/js/smush-admin.js?ver=
  • wp-smushit/app/assets/js/smush-media-library.js?ver=
  • wp-smushit/app/assets/js/smush-lazy-load.js?ver=
  • wp-smushit/app/assets/js/smush-upsell.js?ver=
  • wp-smushit/app/assets/js/smush-bulk.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • smush-ui
  • smush-notice
  • smush-bulk-header
  • smush-bulk-table
  • smush-settings-panel
  • smush-media-row-thumbnail
  • smush-media-row-title
  • smush-media-row-filename
  • +4 more

HTML Comments

  • <!-- Smush notices -->
  • <!-- Bulk Smush Settings -->
  • <!-- Optimize images with Smush -->

Data Attributes

  • data-smush-id
  • data-smush-action

JS Globals

  • Smush
  • SmushAdmin
  • SmushMediaLibrary
  • SmushLazyLoad
  • SmushBulk

REST Endpoints

  • /wp-json/smush/v1/media/bulk-smush
  • /wp-json/smush/v1/settings/save
  • /wp-json/smush/v1/lazy-load/update-status

FAQ

Frequently Asked Questions about Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP & AVIF | Image CDN