Contact Form 7 Translate Messages Extension Security & Risk Analysis

wordpress.org/plugins/cf7-translate-messages-extension

Translate default Contact Form 7 messages without changing WordPress profile language.

1K active installs v1.0 PHP 5.6+ WP 4.9+ Updated Mar 11, 2019
contactcontact-formmessagestranslate
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is Contact Form 7 Translate Messages Extension Safe to Use in 2026?

Generally Safe

Score 85/100

Contact Form 7 Translate Messages Extension has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago
Risk Assessment

The plugin "cf7-translate-messages-extension" v1.0 exhibits a generally good security posture based on the provided static analysis. It has a remarkably small attack surface, with no apparent AJAX handlers, REST API routes, shortcodes, or cron events, and no external HTTP requests or file operations. All SQL queries are reported as using prepared statements, which is a strong indicator of defense against SQL injection. The absence of known CVEs and historical vulnerabilities further strengthens this positive outlook, suggesting a commitment to security maintenance.

However, a significant concern arises from the "Output escaping" signal, which indicates that none of the three identified output operations were properly escaped. This presents a high risk for Cross-Site Scripting (XSS) vulnerabilities, where malicious scripts could be injected into the WordPress admin or frontend if user-supplied data is directly outputted without sanitization. While the plugin has one capability check, the lack of nonce checks on potential entry points (even though none are listed) and the zero taint flows analyzed could mask potential issues. Therefore, despite its minimal attack surface and good SQL practices, the unescaped output is a critical weakness that needs immediate attention.

In conclusion, the plugin's strengths lie in its lack of common attack vectors and secure SQL practices. The absence of historical vulnerabilities is also a positive sign. However, the unescaped output is a glaring vulnerability that severely undermines its overall security. Without addressing this, the plugin remains susceptible to XSS attacks. Further analysis would be beneficial to understand the context of the output operations and assess the actual impact.

Key Concerns

  • Unescaped output found
Vulnerabilities
None known

Contact Form 7 Translate Messages Extension Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Contact Form 7 Translate Messages Extension Release Timeline

v1.0Current
Code Analysis
Analyzed Mar 16, 2026

Contact Form 7 Translate Messages Extension Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
3
0 escaped
Nonce Checks
0
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

0% escaped3 total outputs
Attack Surface

Contact Form 7 Translate Messages Extension Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 4
actionadmin_initcontact-form-7-translate-messages-extension.php:40
actionadmin_noticescontact-form-7-translate-messages-extension.php:43
actionadmin_enqueue_scriptscontact-form-7-translate-messages-extension.php:61
filterwpcf7_editor_panelscontact-form-7-translate-messages-extension.php:71
Maintenance & Trust

Contact Form 7 Translate Messages Extension Maintenance & Trust

Maintenance Signals

WordPress version tested5.1.22
Last updatedMar 11, 2019
PHP min version5.6
Downloads6K

Community Trust

Rating100/100
Number of ratings9
Active installs1K
Developer Profile

Contact Form 7 Translate Messages Extension Developer Profile

straint

1 plugin · 1K total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Contact Form 7 Translate Messages Extension

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cf7-translate-messages-extension/images/ajax-loader.gif
Script Paths
/wp-content/plugins/cf7-translate-messages-extension/js/cftmsg_functions.js
Version Parameters
cf7-translate-messages-extension/js/cftmsg_functions.js?ver=

HTML / DOM Fingerprints

CSS Classes
lang-wrappersingle-languseful-linkslang-wrapper-framelang-wrapper-loadinglang-wrapper-translatinglang-wrapper-translated
Data Attributes
data-urldata-lang
FAQ

Frequently Asked Questions about Contact Form 7 Translate Messages Extension