POEditor Security & Risk Analysis

wordpress.org/plugins/poeditor

This plugin will let you manage your POEditor translations directly from Wordpress via the POEditor API.

600 active installs · v0.9.12 · PHP + WP 3.5+ · Updated Dec 8, 2025
Tags: api · localization · translate
Score: 95 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Jun 5, 2025
Safety Verdict

Is POEditor Safe to Use in 2026?

Generally Safe

Score 95/100

POEditor has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEs · Last CVE: Jun 5, 2025 · Updated 5mo ago
Risk Assessment

The 'poeditor' plugin version 0.9.12 presents a mixed security posture. It shows good practice in using prepared statements for SQL queries and in escaping most of its output (77%), but there are notable concerns. The two unprotected AJAX handlers are the most significant risk: they form a direct attack surface. The use of `unserialize`, a known dangerous function, without further context on how its input is sourced and sanitized, raises red flags. The vulnerability history is also a concern, with four known CVEs: one high and three medium severity. The common vulnerability types, Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS), are typically rooted in insufficient input validation and improper handling of user-supplied data, which aligns with the issues observed in the static analysis. The most recent vulnerability, from 2025, shows that issues are still being discovered and patched, and the pattern of past issues cannot be ignored.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous function unserialize used
  • One high severity CVE
  • Three medium severity CVEs
  • Flows with unsanitized paths
Vulnerabilities · 4 published

POEditor Security Vulnerabilities

CVEs by Year

  • 2023: 2 CVEs
  • 2024: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 3

4 total CVEs

CVE-2025-49237 · high · 8.1 · Cross-Site Request Forgery (CSRF)

POEditor <= 0.9.10 - Cross-Site Request Forgery

Jun 5, 2025 · Patched in 0.9.11 (7d)

CVE-2024-32453 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

POEditor <= 0.9.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 12, 2024 · Patched in 0.9.9 (6d)

CVE-2023-32091 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

POEditor <= 0.9.4 - Cross-Site Request Forgery

Sep 5, 2023 · Patched in 0.9.5 (140d)

CVE-2023-4209 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

POEditor <= 0.9.7 - Cross-Site Request Forgery

Aug 7, 2023 · Patched in 0.9.8 (169d)
Version History

POEditor Release Timeline

No version history available.
Code Analysis · Analyzed Mar 16, 2026

POEditor Code Analysis

Dangerous Functions: 14
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 26 (89 escaped)
Nonce Checks: 5
Capability Checks: 0
File Operations: 5
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · poeditor.php:89 · $projects = unserialize(get_option('poeditor_projects'));
  • unserialize · poeditor.php:90 · $locations = unserialize(get_option('poeditor_files'));
  • unserialize · poeditor.php:91 · $languages = unserialize(get_option('poeditor_languages'));
  • unserialize · poeditor.php:92 · $assingments = unserialize(get_option('poeditor_assingments'));
  • unserialize · poeditor.php:353 · $assingments = unserialize(get_option('poeditor_assingments'));
  • unserialize · poeditor.php:373 · $assingments = unserialize(get_option('poeditor_assingments'));
  • unserialize · poeditor.php:413 · $assingments = unserialize(get_option('poeditor_assingments'));
  • unserialize · poeditor.php:416 · $languages = unserialize(get_option('poeditor_languages'));
  • unserialize · poeditor.php:453 · $projects = unserialize(get_option('poeditor_projects'));
  • unserialize · poeditor.php:454 · $assingments = unserialize(get_option('poeditor_assingments'));
  • unserialize · poeditor.php:483 · $assingments = unserialize(get_option('poeditor_assingments'));
  • unserialize · poeditor.php:491 · $languages = unserialize(get_option('poeditor_languages'));
  • unserialize · poeditor.php:577 · $flash_messages = unserialize(get_option('poeditor_flash_messages', serialize('')));
  • unserialize · poeditor.php:697 · $poeditor_projects = unserialize(get_option('poeditor_projects'));

Output Escaping

77% escaped · 115 total outputs

Data Flows · Security · 1 unsanitized

Data Flow Analysis

4 flows · 1 with unsanitized paths

  • import (poeditor.php:477) · unsanitized
Attack Surface · 2 unprotected

POEditor Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers (2)

  • auth · wp_ajax_scan · poeditor.php:49
  • auth · wp_ajax_get_projects · poeditor.php:51

WordPress Hooks (6)

  • action · admin_menu · poeditor.php:28
  • action · admin_notices · poeditor.php:42
  • action · init · poeditor.php:45
  • action · admin_head · poeditor.php:48
  • action · admin_head · poeditor.php:50
  • action · admin_init · poeditor.php:719
Maintenance & Trust

POEditor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.0
Last updated: Dec 8, 2025
PHP min version:
Downloads: 46K

Community Trust

Rating: 88/100
Number of ratings: 11
Active installs: 600
Developer Profile

POEditor Developer Profile

POEditor

1 plugin · 600 total installs

Trust score: 85
Avg Security Score: 95/100
Avg Patch Time: 81 days
Detection Fingerprints

How We Detect POEditor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/poeditor/css/poeditor.css
  • /wp-content/plugins/poeditor/css/jquery.jgrowl.min.css
  • /wp-content/plugins/poeditor/js/poeditor.js
  • /wp-content/plugins/poeditor/js/jquery.jgrowl.min.js

Script Paths

  • /wp-content/plugins/poeditor/js/poeditor.js
  • /wp-content/plugins/poeditor/js/jquery.jgrowl.min.js

Version Parameters

  • poeditor/style.css?ver=
  • poeditor/script.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • poeditor-wrapper
  • poeditor-change-api-key
  • poeditor-projects
  • poeditor-languages
  • poeditor-files
  • poeditor-assignments
  • poeditor-add-language
  • poeditor-add-project

HTML Comments

  • <!-- POEDITOR: DO NOT MODIFY THIS FILE DIRECTLY -->

Data Attributes

  • data-poeditor-project-id
  • data-poeditor-language-id
  • data-poeditor-file-id

JS Globals

  • window.poeditor_ajax_url
  • window.poeditor_vars

REST Endpoints

  • /wp-json/poeditor/v1/scan
  • /wp-json/poeditor/v1/projects
  • /wp-json/poeditor/v1/languages
FAQ

Frequently Asked Questions about POEditor