Falang multilanguage for WordPress Security & Risk Analysis

wordpress.org/plugins/falang

Falang is the easiest multilanguage plugin you can use to translate a WordPress site.

1K active installs · v1.4.0 · PHP 5.6+ · WP 4.7+ · Updated Jan 26, 2026
Tags: bilingual, localization, multilingual, translate, translation
91
A · Safe
CVEs total: 8
Unpatched: 0
Last CVE: Sep 16, 2025
Safety Verdict

Is Falang multilanguage for WordPress Safe to Use in 2026?

Generally Safe

Score 91/100

Falang multilanguage for WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Sep 16, 2025 · Updated 2mo ago
Risk Assessment

The Falang plugin version 1.4.0 presents a moderate security risk due to a significant number of unprotected entry points and a history of critical vulnerabilities. While it employs prepared statements for a majority of its SQL queries and has a good number of nonce and capability checks, the presence of 24 unprotected AJAX handlers is a major concern. This wide attack surface increases the likelihood of unauthorized access and potential exploitation. The static analysis also highlights critical taint flows with unsanitized paths, indicating potential for code injection or other severe attacks. Furthermore, the plugin's vulnerability history, with 8 known CVEs including high and medium severity issues like deserialization, missing authorization, and XSS, demonstrates a recurring pattern of exploitable weaknesses. The fact that the last vulnerability was relatively recent (September 2025) suggests that security flaws continue to be discovered and addressed, but the underlying issues may not be fully mitigated. While the plugin has strengths in its SQL query preparation and some security checks, the combination of a large unprotected attack surface and a concerning vulnerability history warrants caution.

Key Concerns

  • Significant number of unprotected AJAX handlers
  • High severity taint flows with unsanitized paths
  • History of high severity vulnerabilities (2 high)
  • History of medium severity vulnerabilities (6 medium)
  • Use of 'unserialize' function without explicit context
  • Low percentage of properly escaped output
  • Vulnerability history includes deserialization issues
  • Vulnerability history includes missing authorization
  • Vulnerability history includes XSS
Vulnerabilities
8

Falang multilanguage for WordPress Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2023: 1 CVE
2024: 4 CVEs
2025: 2 CVEs

Severity Breakdown

High: 2
Medium: 6

8 total CVEs

CVE-2025-58619 · high · 8.1 · Deserialization of Untrusted Data

Falang multilanguage <= 1.3.65 - Unauthenticated PHP Object Injection

Sep 16, 2025 Patched in 1.3.66 (7d)
CVE-2025-48285 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Falang multilanguage <= 1.3.61 - Cross-Site Request Forgery

May 19, 2025 Patched in 1.3.62 (10d)
CVE-2024-6869 · medium · 5.4 · Missing Authorization

Falang multilanguage for WordPress <= 1.3.52 - Missing Authorization to Translation Update and Information Exposure

Aug 7, 2024 Patched in 1.3.53 (1d)
CVE-2024-37240 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Falang multilanguage <= 1.3.51 - Cross-Site Request Forgery

Jun 21, 2024 Patched in 1.3.52 (7d)
CVE-2024-4417 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Falang multilanguage for WordPress <= 1.3.49 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 10, 2024 Patched in 1.3.50 (1d)
CVE-2024-30495 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Falang multilanguage <= 1.3.47 - Authenticated (Administrator+) SQL Injection

Mar 28, 2024 Patched in 1.3.48 (7d)
CVE-2023-37968 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Falang multilanguage <= 1.3.39 - Cross-Site Request Forgery via add_language

Jul 12, 2023 Patched in 1.3.40 (195d)
WF-04917cfe-2bfb-48cf-a060-ca3bfde8eba1-falang · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Falang multilanguage for WordPress < 1.3.18 - Reflected Cross-Site Scripting

Oct 25, 2021 Patched in 1.3.18 (820d)
Code Analysis
Analyzed Mar 16, 2026

Falang multilanguage for WordPress Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 16 (27 prepared)
Unescaped Output: 461 (194 escaped)
Nonce Checks: 17
Capability Checks: 17
File Operations: 0
External Requests: 6
Bundled Libraries: 1

Dangerous Functions Found

unserialize: $field_value = unserialize($field_value, ['allowed_classes' => false]); (admin\class-falang-admin.php:764)
unserialize: $description = unserialize($language->description); (src\Falang\Model\Falang_Model.php:380)

Bundled Libraries

Select2

SQL Query Safety

63% prepared · 43 total queries

Output Escaping

30% escaped · 655 total outputs
Data Flows
9 unsanitized

Data Flow Analysis

16 flows · 9 with unsanitized paths
ajax_service_translate (admin\class-falang-admin.php:3097)
Attack Surface
24 unprotected

Falang multilanguage for WordPress Attack Surface

Entry Points: 29
Unprotected: 24

AJAX Handlers 27

auth wp_ajax_falang_settings_post_options admin\class-falang-admin.php:115
auth wp_ajax_falang_settings_taxonomy_options admin\class-falang-admin.php:116
auth wp_ajax_update_settings_post_options admin\class-falang-admin.php:119
auth wp_ajax_update_settings_taxonomy_options admin\class-falang-admin.php:120
auth wp_ajax_falang_post_translation admin\class-falang-admin.php:123
auth wp_ajax_falang_save_post admin\class-falang-admin.php:124
auth wp_ajax_falang_menu_translation admin\class-falang-admin.php:126
auth wp_ajax_falang_save_menu admin\class-falang-admin.php:127
auth wp_ajax_falang_term_translation admin\class-falang-admin.php:130
auth wp_ajax_falang_term_delete_translation admin\class-falang-admin.php:133
auth wp_ajax_falang_string_translation admin\class-falang-admin.php:136
auth wp_ajax_falang_option_translation admin\class-falang-admin.php:139
auth wp_ajax_falang_term_update_translation admin\class-falang-admin.php:142
auth wp_ajax_falang_string_update_translation admin\class-falang-admin.php:145
auth wp_ajax_falang_string_delete_translation admin\class-falang-admin.php:147
auth wp_ajax_falang_option_update_translation admin\class-falang-admin.php:150
auth wp_ajax_falang_option_delete_translation admin\class-falang-admin.php:152
auth wp_ajax_falang_post_delete_translation admin\class-falang-admin.php:155
auth wp_ajax_falang_menu_delete_translation admin\class-falang-admin.php:157
auth wp_ajax_falang_export_options admin\class-falang-admin.php:161
auth wp_ajax_falang_option_translations admin\class-falang-admin.php:162
auth wp_ajax_falang_set_option_translation admin\class-falang-admin.php:163
auth wp_ajax_falang_debug_display admin\class-falang-admin.php:198
auth wp_ajax_falang_language_ordering admin\class-falang-admin.php:213
auth wp_ajax_falang_set_admin_notice_viewed admin\class-falang-admin.php:216
auth wp_ajax_falang_display_static admin\class-falang-admin.php:219
auth wp_ajax_service_translate admin\class-falang-admin.php:229

Shortcodes 2

[falang] public\class-falang-public.php:228
[falangsw] public\class-falang-public.php:230
WordPress Hooks 190
action plugins_loaded admin\class-falang-admin.php:67
action upgrader_process_complete admin\class-falang-admin.php:101
action wp_loaded admin\class-falang-admin.php:109
filter home_url admin\class-falang-admin.php:111
filter falang_default-post admin\class-falang-admin.php:167
filter falang_default-page admin\class-falang-admin.php:168
filter falang_taxonomy_default-category admin\class-falang-admin.php:169
action wp_loaded admin\class-falang-admin.php:172
action generate_rewrite_rules admin\class-falang-admin.php:173
action save_post_page admin\class-falang-admin.php:174
action post_updated admin\class-falang-admin.php:175
filter falang_default-nav_menu_item admin\class-falang-admin.php:178
filter falang_type_metakeys admin\class-falang-admin.php:179
action in_widget_form admin\class-falang-admin.php:182
filter widget_update_callback admin\class-falang-admin.php:183
filter plugin_row_meta admin\class-falang-admin.php:186
action admin_print_styles-post.php admin\class-falang-admin.php:189
action admin_print_styles-post-new.php admin\class-falang-admin.php:190
filter preview_post_link admin\class-falang-admin.php:193
filter get_sample_permalink admin\class-falang-admin.php:194
filter post_type_link admin\class-falang-admin.php:195
action load-edit-tags.php admin\class-falang-admin.php:201
action edit_term admin\class-falang-admin.php:203
filter falang_sanitize_string_translation admin\class-falang-admin.php:206
filter update_post_metadata admin\class-falang-admin.php:209
filter wp_nav_menu_item_custom_fields admin\class-falang-admin.php:223
filter term_link admin\class-falang-admin.php:226
filter tiny_mce_before_init admin\class-falang-admin.php:377
filter tiny_mce_before_init admin\class-falang-admin.php:390
filter home_url admin\views\settings_post_option_page.php:75
filter home_url admin\views\settings_taxonomy_option_page.php:98
filter wpml_translate_single_string ext\wpml\wpml-api.php:22
action wpml_register_single_string ext\wpml\wpml-api.php:25
filter falang_get_strings ext\wpml\wpml-compat.php:31
action falang_language_defined ext\wpml\wpml-compat.php:33
action plugins_loaded includes\class-falang.php:87
filter manage_pages_columns includes\class-falang.php:109
filter manage_posts_columns includes\class-falang.php:111
action manage_posts_custom_column includes\class-falang.php:113
action manage_pages_custom_column includes\class-falang.php:115
action save_post includes\class-falang.php:118
action plugins_loaded includes\class-falang.php:180
action admin_enqueue_scripts includes\class-falang.php:196
action admin_enqueue_scripts includes\class-falang.php:197
action admin_menu includes\class-falang.php:198
action admin_enqueue_scripts includes\class-falang.php:201
action wp_enqueue_scripts includes\class-falang.php:227
action wp_enqueue_scripts includes\class-falang.php:230
filter locale public\class-falang-public.php:58
action plugins_loaded public\class-falang-public.php:59
action setup_theme public\class-falang-public.php:62
action wp_loaded public\class-falang-public.php:127
action parse_query public\class-falang-public.php:130
filter get_object_terms public\class-falang-public.php:131
filter get_term public\class-falang-public.php:132
filter get_terms public\class-falang-public.php:133
filter get_the_terms public\class-falang-public.php:134
filter get_term_metadata public\class-falang-public.php:135
filter list_cats public\class-falang-public.php:136
filter the_posts public\class-falang-public.php:138
filter get_pages public\class-falang-public.php:139
filter falang_query_add_language public\class-falang-public.php:140
filter posts_join public\class-falang-public.php:145
filter posts_where public\class-falang-public.php:146
filter the_content public\class-falang-public.php:149
filter the_title public\class-falang-public.php:150
filter get_the_excerpt public\class-falang-public.php:151
filter single_post_title public\class-falang-public.php:152
filter get_post_metadata public\class-falang-public.php:153
filter wp_setup_nav_menu_item public\class-falang-public.php:154
filter wp_nav_menu_objects public\class-falang-public.php:155
filter tag_cloud_sort public\class-falang-public.php:156
filter query_vars public\class-falang-public.php:157
action init public\class-falang-public.php:158
action widgets_init public\class-falang-public.php:159
filter widget_display_callback public\class-falang-public.php:162
filter sidebars_widgets public\class-falang-public.php:163
filter wp_get_attachment_caption public\class-falang-public.php:168
action comment_form_logged_in_after public\class-falang-public.php:171
action comment_form_after_fields public\class-falang-public.php:172
filter comment_post_redirect public\class-falang-public.php:174
action comment_post public\class-falang-public.php:176
filter query_vars public\class-falang-public.php:196
filter request public\class-falang-public.php:197
action wp public\class-falang-public.php:198
action parse_request public\class-falang-public.php:202
action rest_api_init public\class-falang-public.php:205
filter login_url public\class-falang-public.php:208
filter lostpassword_url public\class-falang-public.php:209
filter logout_url public\class-falang-public.php:210
filter register_url public\class-falang-public.php:211
action login_form public\class-falang-public.php:212
action lostpassword_form public\class-falang-public.php:213
action resetpass_form public\class-falang-public.php:214
action register_form public\class-falang-public.php:215
filter retrieve_password_message public\class-falang-public.php:216
filter lostpassword_redirect public\class-falang-public.php:217
filter registration_redirect public\class-falang-public.php:218
action wp_head public\class-falang-public.php:221
action falang_print_language_switch public\class-falang-public.php:224
filter falang_custom_translate public\class-falang-public.php:225
filter home_url public\class-falang-public.php:253
filter pre_post_link public\class-falang-public.php:254
filter post_link public\class-falang-public.php:255
filter page_link public\class-falang-public.php:256
filter post_type_link public\class-falang-public.php:257
filter attachment_link public\class-falang-public.php:258
filter post_link_category public\class-falang-public.php:259
filter post_type_archive_link public\class-falang-public.php:260
filter year_link public\class-falang-public.php:261
filter month_link public\class-falang-public.php:262
filter day_link public\class-falang-public.php:263
filter term_link public\class-falang-public.php:264
filter get_edit_post_link public\class-falang-public.php:265
filter posts_join_request public\class-falang-public.php:2203
filter posts_search public\class-falang-public.php:2204
filter posts_distinct_request public\class-falang-public.php:2205
filter get_term_metadata public\class-falang-public.php:3034
action admin_notices src\Falang\Core\Admin_Notices.php:32
action switch_blog src\Falang\Core\Cache.php:28
action init src\Falang\Core\Falang_Core.php:116
action widgets_init src\Falang\Core\Falang_Core.php:117
action init src\Falang\Core\Falang_Mo.php:26
filter register_post_type_args src\Falang\Core\Falang_Rewrite.php:34
action registered_post_type src\Falang\Core\Falang_Rewrite.php:35
filter register_taxonomy_args src\Falang\Core\Falang_Rewrite.php:37
action registered_taxonomy src\Falang\Core\Falang_Rewrite.php:38
filter page_rewrite_rules src\Falang\Core\Falang_Rewrite.php:41
filter rewrite_rules_array src\Falang\Core\Falang_Rewrite.php:44
filter falang_sanitize_string_translation src\Falang\Core\Falang_Translate_Option.php:72
filter falang_sanitize_string_translation src\Falang\Core\Falang_Translate_Option.php:74
action admin_enqueue_scripts src\Falang\Filter\Admin\Attachment.php:29
filter ajax_query_attachments_args src\Falang\Filter\Admin\Attachment.php:31
filter wp_prepare_attachment_for_js src\Falang\Filter\Admin\Attachment.php:32
filter wp_insert_attachment_data src\Falang\Filter\Admin\Attachment.php:33
action edit_attachment src\Falang\Filter\Admin\Attachment.php:34
filter falang_default-attachment src\Falang\Filter\Admin\Attachment.php:37
filter falang_post_type_metakeys src\Falang\Filter\Admin\Attachment.php:40
filter attachment_fields_to_edit src\Falang\Filter\Admin\Attachment.php:43
action add_meta_boxes src\Falang\Filter\Admin\Classic_Editor.php:16
action woocommerce_after_edit_attribute_fields src\Falang\Filter\Admin\Filters_WC_Columns.php:30
action woocommerce_attribute_updated src\Falang\Filter\Admin\Filters_WC_Columns.php:33
action woocommerce_attribute_deleted src\Falang\Filter\Admin\Filters_WC_Columns.php:36
action admin_head src\Falang\Filter\Admin\Filters_WC_Columns.php:39
filter wp_setup_nav_menu_item src\Falang\Filter\Admin\Nav_Menu.php:18
action admin_init src\Falang\Filter\Admin\Nav_Menu.php:22
action admin_enqueue_scripts src\Falang\Filter\Admin\Nav_Menu.php:32
action wp_update_nav_menu_item src\Falang\Filter\Admin\Nav_Menu.php:33
action show_user_profile src\Falang\Filter\Admin\User_Profile.php:19
action edit_user_profile src\Falang\Filter\Admin\User_Profile.php:20
action personal_options_update src\Falang\Filter\Admin\User_Profile.php:23
action edit_user_profile_update src\Falang\Filter\Admin\User_Profile.php:24
filter woocommerce_get_cart_page_permalink src\Falang\Filter\Admin\WooCommerce.php:17
filter woocommerce_get_checkout_page_permalink src\Falang\Filter\Admin\WooCommerce.php:18
filter woocommerce_variation_options src\Falang\Filter\Admin\WooCommerce.php:19
filter avf_post_slider_entry_excerpt src\Falang\Filter\Site\Enfold.php:18
filter avf_magazine_entry_content src\Falang\Filter\Site\Enfold.php:22
filter falang_translate_custom_post_link src\Falang\Filter\Site\Flatsome.php:17
filter wp_get_nav_menu_items src\Falang\Filter\Site\Nav_Menu.php:17
filter rank_math/frontend/title src\Falang\Filter\Site\RankMath.php:22
filter rank_math/sitemap/entry src\Falang\Filter\Site\RankMath.php:24
filter rank_math/sitemap/xml_post_url src\Falang\Filter\Site\RankMath.php:26
filter sc_mod_shortcode src\Falang\Filter\Site\Shortcoder.php:19
filter get_user_metadata src\Falang\Filter\Site\User_Profile.php:21
filter widget_pages_args src\Falang\Filter\Site\Widget_Pages.php:16
filter woocommerce_attribute_label src\Falang\Filter\Site\WooCommerce.php:23
filter woocommerce_short_description src\Falang\Filter\Site\WooCommerce.php:25
filter woocommerce_available_variation src\Falang\Filter\Site\WooCommerce.php:27
filter woocommerce_cart_item_name src\Falang\Filter\Site\WooCommerce.php:29
filter woocommerce_get_cart_page_permalink src\Falang\Filter\Site\WooCommerce.php:32
filter woocommerce_get_checkout_page_permalink src\Falang\Filter\Site\WooCommerce.php:33
filter woocommerce_order_item_name src\Falang\Filter\Site\WooCommerce.php:36
filter woocommerce_product_title src\Falang\Filter\Site\WooCommerce.php:40
filter woocommerce_product_title src\Falang\Filter\Site\WooCommerce.php:43
filter woocommerce_product_get_name src\Falang\Filter\Site\WooCommerce.php:46
filter woocommerce_get_endpoint_url src\Falang\Filter\Site\WooCommerce.php:49
action woocommerce_checkout_terms_and_conditions src\Falang\Filter\Site\WooCommerce.php:53
filter woocommerce_account_menu_item_classes src\Falang\Filter\Site\WooCommerce.php:56
filter wpseo_title src\Falang\Filter\Site\Yoast.php:21
filter wpseo_opengraph_title src\Falang\Filter\Site\Yoast.php:22
filter wpseo_canonical src\Falang\Filter\Site\Yoast.php:23
filter wpseo_metadesc src\Falang\Filter\Site\Yoast.php:25
filter wpseo_opengraph_desc src\Falang\Filter\Site\Yoast.php:26
filter wpseo_should_save_indexable src\Falang\Filter\Site\Yoast.php:29
filter wpseo_schema_organization src\Falang\Filter\Site\Yoast.php:31
filter wpseo_schema_website src\Falang\Filter\Site\Yoast.php:32
filter wpseo_schema_webpage src\Falang\Filter\Site\Yoast.php:33
filter wpseo_frontend_presentation src\Falang\Filter\Site\Yoast.php:36
filter wpseo_breadcrumb_links src\Falang\Filter\Site\Yoast.php:39
filter posts_where src\Falang\Table\Post.php:181
Maintenance & Trust

Falang multilanguage for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 26, 2026
PHP min version: 5.6
Downloads: 79K

Community Trust

Rating: 100/100
Number of ratings: 110
Active installs: 1K
Developer Profile

Falang multilanguage for WordPress Developer Profile

sbouey

6 plugins · 2K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 131 days
Detection Fingerprints

How We Detect Falang multilanguage for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/falang/admin/css/falang-admin.css
/wp-content/plugins/falang/admin/js/falang-admin.js
/wp-content/plugins/falang/css/falang.css
/wp-content/plugins/falang/js/falang.js
Script Paths
/wp-content/plugins/falang/admin/js/falang-admin.js
/wp-content/plugins/falang/js/falang.js
Version Parameters
falang/admin/css/falang-admin.css?ver=
falang/admin/js/falang-admin.js?ver=
falang/css/falang.css?ver=
falang/js/falang.js?ver=

HTML / DOM Fingerprints

CSS Classes
falang-lang-switcher
falang-menu-language-switcher
falang-post-language-switcher
Data Attributes
data-falang-id
data-falang-language
JS Globals
falang_ajax_object
REST Endpoints
/wp-json/falang/v1/translations