Say What? Security & Risk Analysis

wordpress.org/plugins/say-what

An easy-to-use plugin that allows you to change translatable strings from plugins / themes and WordPress core without editing code.

40K active installs · v2.2.6 · PHP 7.4+ · WP 6.2+ · Updated Mar 3, 2026
Tags: change, string, translation
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Say What? Safe to Use in 2026?

Generally Safe

Score 100/100

Say What? has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The 'say-what' plugin version 2.2.6 demonstrates a generally strong security posture, adhering to several key WordPress security best practices. The absence of known CVEs and the consistent use of prepared statements for all SQL queries are significant strengths. Furthermore, the plugin correctly implements nonce checks and capability checks, and its output escaping is also largely effective, with a high percentage of outputs being properly escaped. This suggests a conscientious development approach focused on mitigating common web vulnerabilities.

However, the static analysis reveals some areas for concern. Specifically, the taint analysis highlights three flows with unsanitized paths, all categorized as high severity. While there are no publicly known vulnerabilities, these internal findings suggest potential avenues for exploitation if not properly addressed. The presence of unsanitized paths could lead to issues like path traversal or information disclosure if user-supplied input is not rigorously validated and sanitized before being used in file operations or other sensitive functions. The fact that these are not flagged as critical is a positive, but their existence warrants investigation.

In conclusion, 'say-what' v2.2.6 is a plugin that has implemented many security best practices effectively, as evidenced by its clean vulnerability history and secure SQL handling. The primary concern lies in the three high-severity taint flows with unsanitized paths. Addressing these specific code paths will be crucial to further hardening the plugin's security. While the overall risk appears moderate, proactive remediation of these identified flows is recommended to prevent potential future vulnerabilities.

Key Concerns

  • High severity taint flow with unsanitized path
  • High severity taint flow with unsanitized path
  • High severity taint flow with unsanitized path
Vulnerabilities
None known

Say What? Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Say What? Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (21 prepared)
Unescaped Output: 2 (31 escaped)
Nonce Checks: 3
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared (21 total queries)

Output Escaping

94% escaped (33 total outputs)
Data Flows: 3 unsanitized

Data Flow Analysis

7 flows, 3 with unsanitized paths
admin_delete (src\Admin.php:137)
Attack Surface

Say What? Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 11

Type    Hook                       Location
action  admin_menu                 src\Admin.php:31
action  admin_init                 src\Admin.php:32
filter  gettext                    src\Frontend.php:30
filter  ngettext                   src\Frontend.php:31
filter  gettext_with_context       src\Frontend.php:32
filter  ngettext_with_context      src\Frontend.php:33
action  wp_enqueue_scripts         src\Frontend.php:34
action  admin_enqueue_scripts      src\Frontend.php:35
action  init                       src\Main.php:35
action  admin_init                 src\Main.php:36
filter  say_what_domain_aliases    src\Main.php:37
Maintenance & Trust

Say What? Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 3, 2026
PHP min version: 7.4
Downloads: 696K

Community Trust

Rating: 86/100
Number of ratings: 91
Active installs: 40K
Developer Profile

Say What? Developer Profile

Lee Willis

4 plugins · 41K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Say What?

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths: /wp-content/plugins/say-what/css/admin.css
Version Parameters: say-what/css/admin.css?ver=

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about Say What?