Prisna GWT – Google Website Translator Security & Risk Analysis

The 'google-website-translator' plugin, version 1.4.15, presents a mixed security posture. While it demonstrates strengths in handling SQL queries with prepared statements and includes some nonce and capability checks, significant concerns arise from its vulnerability history and static analysis findings. The plugin has a history of three known CVEs, including a past critical vulnerability, indicating a pattern of exploitable flaws. The presence of the 'unserialize' function is a red flag, especially when coupled with the taint analysis showing flows with unsanitized paths. Although no critical or high severity taint flows were identified in this specific static analysis, the existence of unsanitized paths combined with the `unserialize` function creates a potential avenue for deserialization vulnerabilities. Furthermore, the low percentage of properly escaped output suggests a risk of cross-site scripting (XSS) vulnerabilities, which aligns with past reported vulnerability types. The plugin's limited attack surface in terms of entry points is a positive sign, but the identified code signals and historical data point to latent risks that require attention.