Does Quick Flag have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Quick Flag compatible with WordPress 3.4.2?

According to WordPress.org data, Quick Flag 2.12 has been tested up to WordPress 3.4.2. Check the plugin's changelog for the latest compatibility information.

How often is Quick Flag updated?

Quick Flag was last updated on Aug 2, 2019. Frequent updates are generally a positive security signal.

What is Quick Flag's security score?

Quick Flag has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Quick Flag Security & Risk Analysis

wordpress.org/plugins/quick-flag

Resolves IP address to ISO 3166-1 alpha-2 two-letter country code and name and displays country flag image if required.

100 active installs v2.12 PHP + WP 3.0+ Updated Aug 2, 2019

geolocationip-to-countryip2country

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Quick Flag Safe to Use in 2026?

Generally Safe

Score 85/100

Quick Flag has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 6yr ago

Risk Assessment

The quick-flag plugin v2.12 exhibits a mixed security posture. While it has a very small attack surface and no recorded vulnerability history, suggesting it may be well-maintained or less complex, the static analysis reveals several concerning patterns. A significant portion of SQL queries are not using prepared statements, and a concerningly low percentage of output is properly escaped. The taint analysis is particularly worrying, indicating two flows with unsanitized paths classified as high severity. This suggests potential for injection vulnerabilities if these flows are exposed through an entry point.

Although there are no reported CVEs, the presence of high-severity taint flows without proper sanitization is a significant red flag. The lack of nonce and capability checks, combined with a shortcode as the sole entry point that doesn't appear to have explicit authorization checks in the static analysis, increases the risk of these unsanitized paths being exploited. The plugin's strengths lie in its limited attack surface and clean vulnerability history, but these are overshadowed by the critical code-level weaknesses identified in the static analysis, particularly regarding data sanitization and SQL query practices.

Key Concerns

High severity taint flow with unsanitized path (x2)
SQL queries not using prepared statements (89% un-prepared)
Low output escaping percentage (38%)
Missing nonce checks
Missing capability checks

Vulnerabilities

None known

Quick Flag Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

Quick Flag Release Timeline

v2.12Current

Code Analysis

Analyzed Mar 16, 2026

Quick Flag Code Analysis

Dangerous Functions

Raw SQL Queries

1 prepared

Unescaped Output

6 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

11% prepared9 total queries

Output Escaping

38% escaped16 total outputs

Data Flows · Security

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

get_info (quick-flag.php:122)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Quick Flag Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[quick-flag] quick-flag.php:80

WordPress Hooks 7

actionplugins_loadedquick-flag.php:73

filterplugin_row_metaquick-flag.php:74

actioninitquick-flag.php:75

actionadmin_initquick-flag.php:77

actionadmin_menuquick-flag.php:78

filtercron_schedulesquick-flag.php:84

filterplugin_action_linksquick-flag.php:265

Maintenance & Trust

Quick Flag Maintenance & Trust

Maintenance Signals

WordPress version tested3.4.2

Last updatedAug 2, 2019

PHP min version

Downloads16K

Community Trust

Rating100/100

Number of ratings3

Active installs100

Alternatives

Quick Flag Alternatives

Ip2country

ip2country

Plugin converts IP-address to the country.

10 No CVEs

IP-to-Country

ip-to-country

Provide a simple interface for plugin authors to determine, in which country an IP is located.

20 No CVEs

SlimStat Analytics

wp-slimstat

The leading web analytics plugin for WordPress

80K 24 CVEs

Geolocation IP Detection

geoip-detect

Provides geographic information detected by an IP adress.

20K 1 CVE

Price Based on Country for WooCommerce

woocommerce-product-price-based-on-countries

100

Product Pricing and Currency based on Shopper's Country for WooCommerce with multi-currency support and geolocation to boost international sales.

20K No CVEs

Developer Profile

Quick Flag Developer Profile

Marko-M

2 plugins · 130 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Quick Flag

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/quick-flag/css/quick-flag-admin.css/wp-content/plugins/quick-flag/js/quick-flag-admin.js/wp-content/plugins/quick-flag/img/flags/AD.gif/wp-content/plugins/quick-flag/img/flags/AE.gif/wp-content/plugins/quick-flag/img/flags/AF.gif/wp-content/plugins/quick-flag/img/flags/AG.gif/wp-content/plugins/quick-flag/img/flags/AI.gif/wp-content/plugins/quick-flag/img/flags/AL.gif+238 more

Script Paths

/wp-content/plugins/quick-flag/js/quick-flag-admin.js

HTML / DOM Fingerprints

CSS Classes

quick-flag

Shortcode Output

IP address not found inside database.

FAQ