Does Preferred Languages have any unpatched vulnerabilities?

No. All known vulnerabilities in Preferred Languages have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Preferred Languages compatible with WordPress 6.9.4?

According to WordPress.org data, Preferred Languages 2.4.1 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Preferred Languages compatible with PHP 7.2.24+?

Preferred Languages requires PHP 7.2.24 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Preferred Languages updated?

Preferred Languages was last updated on Nov 28, 2025. Frequent updates are generally a positive security signal.

What is Preferred Languages's security score?

Preferred Languages has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Preferred Languages Security & Risk Analysis

wordpress.org/plugins/preferred-languages

Choose languages for displaying WordPress in, in order of preference.

2K active installs v2.4.1 PHP 7.2.24+ WP 6.6+ Updated Nov 28, 2025

i18ninternationalizationlanguagelocalizationtranslation

A · Safe

CVEs total1

Unpatched0

Last CVEMay 30, 2024

Plugin page Download

Safety Verdict

Is Preferred Languages Safe to Use in 2026?

Generally Safe

Score 99/100

Preferred Languages has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: May 30, 2024Updated 4mo ago

Risk Assessment

The "preferred-languages" plugin, version 2.4.1, exhibits a generally strong security posture based on the static analysis. The plugin demonstrates good development practices by having no identified unprotected entry points, no dangerous functions, and utilizing prepared statements for all SQL queries. Furthermore, all output is properly escaped, and necessary security checks like nonce and capability checks are implemented. The absence of file operations and external HTTP requests also minimizes potential attack vectors.

However, the plugin's vulnerability history is a significant concern. Despite the current analysis showing no unpatched vulnerabilities, the presence of one previously known CVE, specifically a Cross-site Scripting (XSS) vulnerability, indicates a past weakness. The fact that this vulnerability was recently patched suggests that the developers are addressing security issues, but it also highlights that the plugin has been susceptible to attacks. The lack of any taint flow analysis results is also a neutral observation, as it doesn't necessarily indicate security, but rather the absence of identified issues within the scope of the analysis.

In conclusion, while the current static analysis for version 2.4.1 is reassuring, the past XSS vulnerability should not be overlooked. Users should remain vigilant and ensure they are always running the latest patched version of the plugin. The absence of a large attack surface and adherence to many security best practices are positive, but the historical vulnerability warrants a cautious approach.

Key Concerns

Past medium severity XSS vulnerability

Vulnerabilities

Preferred Languages Security Vulnerabilities

CVEs by Year

1 CVE in 2024

2024

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2024-35644medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Preferred Languages <= 2.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 30, 2024 Patched in 2.3.0 (7d)

Code Analysis

Analyzed Mar 16, 2026

Preferred Languages Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

2 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

100% escaped2 total outputs

Attack Surface

Preferred Languages Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 36

filterlang_dir_for_domaininc\functions.php:16

actioninitinc\functions.php:18

actioninitinc\functions.php:19

actioninitinc\functions.php:20

actionadmin_initinc\functions.php:22

actionwpmu_optionsinc\functions.php:23

actionupdate_wpmu_optionsinc\functions.php:24

actionpersonal_optionsinc\functions.php:26

actionpersonal_options_updateinc\functions.php:27

actionedit_user_profile_updateinc\functions.php:28

filterpre_update_option_preferred_languagesinc\functions.php:30

filterpre_update_site_option_preferred_languagesinc\functions.php:31

actionadd_option_preferred_languagesinc\functions.php:32

actionupdate_option_preferred_languagesinc\functions.php:33

actionadd_site_option_preferred_languagesinc\functions.php:34

actionupdate_site_option_preferred_languagesinc\functions.php:35

filterpre_option_WPLANGinc\functions.php:36

filterpre_site_option_WPLANGinc\functions.php:37

actionadd_user_metainc\functions.php:38

actionupdate_user_metainc\functions.php:39

filterget_user_metadatainc\functions.php:40

filterlocaleinc\functions.php:41

filteroverride_load_textdomaininc\functions.php:42

filterload_textdomain_mofileinc\functions.php:43

filterpre_load_script_translationsinc\functions.php:44

filterload_script_translation_fileinc\functions.php:45

filterdebug_informationinc\functions.php:47

filterget_user_metadatainc\functions.php:188

filterpre_option_WPLANGinc\functions.php:399

filterpre_option_WPLANGinc\functions.php:433

filterpre_site_option_WPLANGinc\functions.php:463

filteroverride_load_textdomaininc\functions.php:697

filterload_textdomain_mofileinc\functions.php:698

filterpre_load_script_translationsinc\functions.php:857

filterload_script_translation_fileinc\functions.php:858

filterlang_dir_for_domaininc\functions.php:1258

Maintenance & Trust

Preferred Languages Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedNov 28, 2025

PHP min version7.2.24

Downloads108K

Community Trust

Rating100/100

Number of ratings17

Active installs2K

Alternatives

Preferred Languages Alternatives

Performant Translations

performant-translations

100

Making internationalization/localization in WordPress faster than ever before.

40K No CVEs

Translation Tools

translation-tools

100

Translation tools for your WordPress install.

100 No CVEs

Translation Stats

translation-stats

100

Show plugins translation stats on your WordPress install.

20 No CVEs

ICanLocalize Translator

icanlocalize-translator

Allows running multilingual WordPress sites with zero management. Automatically creates and updates translation when you edit.

10 No CVEs

Translator with Baidu Service

translator-with-baidu-service

Translate your site in many languages with this plugin from JoyBin, Inc. The translating service provider is Baidu.

10 No CVEs

Developer Profile

Preferred Languages Developer Profile

Pascal Birchler

4 plugins · 53K total installs

100

trust score

Avg Security Score

100/100

Avg Patch Time

7 days

View full developer profile

Detection Fingerprints

How We Detect Preferred Languages

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/preferred-languages/admin/css/settings.css/wp-content/plugins/preferred-languages/admin/js/settings.js

Version Parameters

preferred-languages/admin/css/settings.css?ver=preferred-languages/admin/js/settings.js?ver=

HTML / DOM Fingerprints

CSS Classes

preferred-languages-settings-sectionpreferred-languages-notice

Data Attributes

data-preferred-languages-locale-list

JS Globals

preferred_languages_settings_params

REST Endpoints

/wp-json/preferred-languages/v1/options

FAQ