qTranslate META Security & Risk Analysis

The qtranslate-meta plugin v1.0.2 exhibits a mixed security posture. On the positive side, it has a very small attack surface with no registered AJAX handlers, REST API routes, shortcodes, or cron events. All SQL queries are properly prepared, and there are no file operations or external HTTP requests, which are good practices. The absence of any known CVEs or past vulnerabilities is also a strong indicator of a relatively secure development history.

However, there are significant concerns within the code. The presence of the `create_function` is a critical security risk, as it is highly susceptible to code injection vulnerabilities. Furthermore, the plugin has a very low rate of output escaping, with only 8% of outputs being properly escaped. This indicates a high likelihood of cross-site scripting (XSS) vulnerabilities. The complete lack of nonce checks and capability checks, especially given the lack of explicit entry points to analyze for, means that any potential future entry points or existing hidden ones could be exploited without proper authorization or validation.

While the plugin's vulnerability history is clean, the static analysis reveals critical weaknesses in code quality that could lead to severe vulnerabilities. The use of `create_function` and the poor output escaping are major red flags that overshadow the limited attack surface and clean vulnerability history. A thorough review and remediation of these code quality issues are strongly recommended.