Does ACF qTranslate have any unpatched vulnerabilities?

No. All known vulnerabilities in ACF qTranslate have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is ACF qTranslate compatible with WordPress 4.9.29?

According to WordPress.org data, ACF qTranslate 1.7.25 has been tested up to WordPress 4.9.29. Check the plugin's changelog for the latest compatibility information.

How often is ACF qTranslate updated?

ACF qTranslate was last updated on Oct 26, 2018. Frequent updates are generally a positive security signal.

What is ACF qTranslate's security score?

ACF qTranslate has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

ACF qTranslate Security & Risk Analysis

wordpress.org/plugins/acf-qtranslate

Provides qTranslate compatible ACF field types for Text, Text Area, WYSIWYG, Image and File.

9K active installs v1.7.25 PHP + WP 3.5.0+ Updated Oct 26, 2018

acfadd-onadminadvanced-custom-fieldsqtranslate

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is ACF qTranslate Safe to Use in 2026?

Generally Safe

Score 85/100

ACF qTranslate has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago

Risk Assessment

The "acf-qtranslate" plugin v1.7.25 exhibits a concerning security posture primarily due to a significant attack surface exposed without proper authentication. The analysis reveals 6 AJAX handlers, all of which lack authentication checks. This means that any user, regardless of their role or permissions, can potentially trigger these AJAX actions, which could lead to unauthorized operations or information disclosure if these handlers are not meticulously secured internally. While the plugin demonstrates good practices in using prepared statements for SQL queries and avoids dangerous functions and file operations, the lack of authorization on its primary entry points is a critical weakness.

The code signals indicate a substantial percentage of improperly escaped output (85%), which is a high risk for Cross-Site Scripting (XSS) vulnerabilities. Any data processed or displayed by these AJAX handlers that is not properly escaped is susceptible to injection attacks. The absence of nonce checks further exacerbates this risk, as it leaves the AJAX endpoints vulnerable to Cross-Site Request Forgery (CSRF) attacks. The plugin's vulnerability history is clean, which is a positive sign, but this does not negate the risks identified in the static analysis. The current version's strengths lie in its safe database interaction and avoidance of known dangerous code patterns, but the weaknesses in input validation and authorization are significant and require immediate attention.

Key Concerns

AJAX handlers without auth checks
High percentage of unescaped output
Missing nonce checks on AJAX

Vulnerabilities

None known

ACF qTranslate Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

ACF qTranslate Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

13 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

15% escaped87 total outputs

Attack Surface

6 unprotected

ACF qTranslate Attack Surface

Entry Points6

Unprotected6

AJAX Handlers 6

authwp_ajax_acf/fields/file/get_filessrc\acf_4\fields\file.php:45

noprivwp_ajax_acf/fields/file/get_filessrc\acf_4\fields\file.php:46

authwp_ajax_acf/fields/image/get_imagessrc\acf_4\fields\image.php:45

noprivwp_ajax_acf/fields/image/get_imagessrc\acf_4\fields\image.php:46

authwp_ajax_acf/fields/qtranslate_post_object/querysrc\acf_5\fields\post_object.php:63

noprivwp_ajax_acf/fields/qtranslate_post_object/querysrc\acf_5\fields\post_object.php:64

WordPress Hooks 39

filteracf/format_value_for_apisrc\acf_4\acf.php:21

actionacf/register_fieldssrc\acf_4\acf.php:22

actionacf/input/admin_enqueue_scriptssrc\acf_4\acf.php:23

filterget_media_item_argssrc\acf_4\fields\file.php:40

filterwp_prepare_attachment_for_jssrc\acf_4\fields\file.php:41

filterget_media_item_argssrc\acf_4\fields\image.php:41

filterwp_prepare_attachment_for_jssrc\acf_4\fields\image.php:42

filteracf_the_contentsrc\acf_4\fields\wysiwyg.php:35

filteracf_the_contentsrc\acf_4\fields\wysiwyg.php:36

filteracf_the_contentsrc\acf_4\fields\wysiwyg.php:40

filteracf_the_contentsrc\acf_4\fields\wysiwyg.php:41

filteracf_the_contentsrc\acf_4\fields\wysiwyg.php:42

filteracf_the_contentsrc\acf_4\fields\wysiwyg.php:43

filteracf_the_contentsrc\acf_4\fields\wysiwyg.php:44

filteracf_the_contentsrc\acf_4\fields\wysiwyg.php:45

filteracf_the_contentsrc\acf_4\fields\wysiwyg.php:47

filteracf/fields/wysiwyg/toolbarssrc\acf_4\fields\wysiwyg.php:52

filtermce_external_pluginssrc\acf_4\fields\wysiwyg.php:53

filteracf_the_editor_contentsrc\acf_4\fields\wysiwyg.php:98

filteracf_the_editor_contentsrc\acf_4\fields\wysiwyg.php:102

filteracf/format_valuesrc\acf_5\acf.php:21

actionacf/include_fieldssrc\acf_5\acf.php:22

actionacf/input/admin_enqueue_scriptssrc\acf_5\acf.php:23

filterget_media_item_argssrc\acf_5\fields\file.php:68

filterget_media_item_argssrc\acf_5\fields\image.php:74

filterwp_prepare_attachment_for_jssrc\acf_5\fields\image.php:75

filteracf_the_editor_contentsrc\acf_5\fields\wysiwyg.php:147

filteracf_the_editor_contentsrc\acf_5\fields\wysiwyg.php:156

actionplugins_loadedsrc\plugin.php:17

actionafter_setup_themesrc\plugin.php:18

actionacf/input/admin_enqueue_scriptssrc\plugin.php:19

actionadmin_footersrc\plugin.php:20

actionadmin_menusrc\plugin.php:21

actionadmin_initsrc\plugin.php:22

filterqtranslate_load_admin_page_configsrc\plugin.php:24

actionadmin_headsrc\qtranslatex.php:31

filterqtranslate_custom_admin_jssrc\qtranslatex.php:32

filteracf_qtranslate_get_active_languagesrc\qtranslatex.php:33

actionacf/input/admin_enqueue_scriptssrc\qtranslatex.php:34

Maintenance & Trust

ACF qTranslate Maintenance & Trust

Maintenance Signals

WordPress version tested4.9.29

Last updatedOct 26, 2018

PHP min version

Downloads183K

Community Trust

Rating90/100

Number of ratings17

Active installs9K

Alternatives

ACF qTranslate Alternatives

ACF Single Relationship Add New

acf-single-relationship-add-new

Add a new related item while editing a post, without leaving the current post.

30 No CVEs

Admin Columns for ACF Fields

admin-columns-for-acf-fields

Allows you to enable columns for your ACF fields in post and taxonomy overviews (e.g. "All Posts") in the Wordpress admin backend.

9K No CVEs

Advanced Custom Fields: Typography Field

acf-typography-field

A Typography Add-on for the Advanced Custom Fields Plugin.

3K No CVEs

whatwedo ACF Cleaner

whatwedo-acf-cleaner

Cleanup old metadata created by Advanced Custom Fields.

800 No CVEs

Flexible Layout Preview Image for ACF

flexible-layout-preview-image-for-acf

100

Adds flexible layout preview images for Advanced Custom Fields (ACF) in the WordPress admin.

500 No CVEs

Developer Profile

ACF qTranslate Developer Profile

funkjedi

2 plugins · 9K total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect ACF qTranslate

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/acf-qtranslate/assets/acf_4/main.js/wp-content/plugins/acf-qtranslate/assets/acf_5/main.js

Script Paths