WP-Safety

Sublanguage Security & Risk Analysis

wordpress.org/plugins/sublanguage

Sublanguage is a lightweight multilanguage plugin for wordpress.

700 active installs v2.12 PHP + WP 4.5+ Updated Dec 8, 2025
languagemultilanguagemultilingualtranslation
100
A · Safe
CVEs total1
Unpatched0
Last CVEJul 4, 2023
Plugin page Download
Safety Verdict

Is Sublanguage Safe to Use in 2026?

Generally Safe

Score 100/100

Sublanguage has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Jul 4, 2023Updated 3mo ago
Risk Assessment

The 'sublanguage' v2.12 plugin presents a mixed security posture. On the positive side, the static analysis reveals no apparent attack surface through common entry points like AJAX handlers, REST API routes, shortcodes, or cron events, and no dangerous functions are detected. The majority of SQL queries utilize prepared statements, which is a strong security practice. However, a significant concern is the low percentage (12%) of properly escaped output. This indicates a high potential for Cross-Site Scripting (XSS) vulnerabilities, as user-supplied data might be rendered directly in the browser without sufficient sanitization. While there are no critical or high severity taint flows identified, one flow with unsanitized paths remains a potential risk. The vulnerability history shows one medium severity CVE in the past, which has since been patched. The common vulnerability type being 'Missing Authorization' in the past is a notable pattern, suggesting a historical tendency for authorization issues, though the current version appears to have addressed this or it was not found in the static analysis. Overall, the plugin has improved its security from past issues, but the high number of unescaped outputs is a substantial risk that requires immediate attention.

Key Concerns

  • Low percentage of properly escaped output
  • Taint flow with unsanitized path
  • One medium severity CVE (even if patched)
Vulnerabilities
1

Sublanguage Security Vulnerabilities

CVEs by Year

1 CVE in 2023
2023
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2023-36695medium · 5.4Missing Authorization

Sublanguage <= 2.9 - Missing Authorization

Jul 4, 2023 Patched in 2.10 (203d)
Code Analysis
Analyzed Mar 16, 2026

Sublanguage Code Analysis

Dangerous Functions
0
Raw SQL Queries
9
34 prepared
Unescaped Output
163
23 escaped
Nonce Checks
11
Capability Checks
4
File Operations
0
External Requests
0
Bundled Libraries
0

SQL Query Safety

79% prepared43 total queries

Output Escaping

12% escaped186 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

3 flows1 with unsanitized paths
save_post_option (class-admin-ui.php:389)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Sublanguage Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 160
actionadmin_menuclass-admin-ui.php:37
actioninitclass-admin-ui.php:40
actioninitclass-admin-ui.php:43
actioninitclass-admin-ui.php:46
actioninitclass-admin-ui.php:49
filterredirect_post_locationclass-admin-ui.php:52
actionload-post.phpclass-admin-ui.php:55
actionload-post-new.phpclass-admin-ui.php:56
actionload-edit.phpclass-admin-ui.php:59
actionedit_termclass-admin-ui.php:62
actionload-edit-tags.phpclass-admin-ui.php:65
actionadmin_initclass-admin-ui.php:68
actionadmin_enqueue_scriptsclass-admin-ui.php:75
actionadmin_menuclass-admin-ui.php:78
actionwp_loadedclass-admin-ui.php:91
actiongenerate_rewrite_rulesclass-admin-ui.php:92
actionsave_post_pageclass-admin-ui.php:93
actionpost_updatedclass-admin-ui.php:94
filtersublanguage_default-nav_menu_itemclass-admin-ui.php:97
filtersublanguage_post_type_metakeysclass-admin-ui.php:98
filterwp_insert_post_dataclass-admin-ui.php:799
filterparse_queryclass-admin-ui.php:805
filterdefault_hidden_meta_boxesclass-admin-ui.php:808
actionload-post-new.phpclass-admin-ui.php:811
actionload-post.phpclass-admin-ui.php:814
filterpost_updated_messagesclass-admin-ui.php:816
actionedit_form_topclass-admin-ui.php:1175
actionedit_form_topclass-admin-ui.php:1178
filterenter_title_hereclass-admin-ui.php:1181
filterhome_urlclass-admin-ui.php:1184
actionrestrict_manage_postsclass-admin-ui.php:1253
filterthe_postsclass-admin-ui.php:1525
filterthe_postsclass-admin-ui.php:1526
filterthe_titleclass-admin-ui.php:1527
filterenter_title_hereclass-admin-ui.php:1528
actionadmin_initclass-admin-ui.php:1530
actionadmin_initclass-admin-ui.php:1546
actionblock_editor_meta_box_hidden_fieldsclass-admin-ui.php:1973
actionplugins_loadedclass-admin.php:20
filterget_post_metadataclass-admin.php:36
filtersublanguage_postmeta_overrideclass-admin.php:37
filterthe_postsclass-admin.php:39
filterthe_postclass-admin.php:40
filterpage_linkclass-admin.php:42
filterpost_type_linkclass-admin.php:43
filterattachment_linkclass-admin.php:44
filtersingle_term_titleclass-admin.php:46
filtersingle_cat_titleclass-admin.php:47
filtersingle_tag_titleclass-admin.php:48
filterget_edit_post_linkclass-admin.php:50
filterwp_insert_post_empty_contentclass-admin.php:53
filterwp_insert_post_dataclass-admin.php:56
actionsave_postclass-admin.php:59
actionsave_postclass-admin.php:62
actionbefore_delete_postclass-admin.php:65
filterpreview_post_linkclass-admin.php:67
filterget_sample_permalinkclass-admin.php:70
filterupdate_post_metadataclass-admin.php:73
filteradd_post_metadataclass-admin.php:74
filterdelete_post_metadataclass-admin.php:75
filterterms_clausesclass-admin.php:77
filterpre_insert_termclass-admin.php:78
filterlist_pagesclass-admin.php:81
filterthemes_update_check_localesclass-admin.php:84
filterplugins_update_check_localesclass-admin.php:85
actionpost_updatedclass-admin.php:88
filtersublanguage_default-postclass-admin.php:91
filtersublanguage_default-pageclass-admin.php:92
filtersublanguage_taxonomy_default-categoryclass-admin.php:93
actionadmin_enqueue_scriptsclass-admin.php:98
filterajax_query_attachments_argsclass-admin.php:100
filterwp_prepare_attachment_for_jsclass-admin.php:101
filterwp_insert_attachment_dataclass-admin.php:102
actionedit_attachmentclass-admin.php:103
filtersublanguage_default-attachmentclass-admin.php:106
filtersublanguage_post_type_metakeysclass-admin.php:109
filterimage_add_caption_textclass-admin.php:112
filterget_image_tagclass-admin.php:115
actionsublanguage_import_postclass-admin.php:121
actionsublanguage_import_termclass-admin.php:124
actioninitclass-admin.php:127
filterwp_update_term_dataclass-ajax.php:26
filterhome_urlclass-ajax.php:29
actioninitclass-current.php:78
filterparse_queryclass-current.php:79
filterget_object_termsclass-current.php:80
filterget_termclass-current.php:81
filterget_termsclass-current.php:82
filterget_the_termsclass-current.php:83
filterlist_catsclass-current.php:84
filterthe_postsclass-current.php:85
filterget_pagesclass-current.php:86
filtersublanguage_translate_post_fieldclass-current.php:87
filtersublanguage_translate_term_fieldclass-current.php:88
filtersublanguage_untranslated_metaclass-current.php:89
filtersublanguage_query_add_languageclass-current.php:90
actionwidgets_initclass-current.php:91
actioninitclass-current.php:94
actionregistered_post_typeclass-current.php:95
filterrest_prepare_revisionclass-current.php:96
actionsave_post_revisionclass-current.php:99
actionwp_restore_post_revisionclass-current.php:100
filter_wp_post_revision_fieldsclass-current.php:101
filterwp_save_post_revision_post_has_changedclass-current.php:102
filterposts_join_requestclass-current.php:643
filterposts_searchclass-current.php:644
filterposts_distinct_requestclass-current.php:645
filterget_meta_sqlclass-current.php:678
filterregister_post_type_argsclass-rewrite.php:22
actionregistered_post_typeclass-rewrite.php:23
filterregister_taxonomy_argsclass-rewrite.php:25
actionregistered_taxonomyclass-rewrite.php:26
filterpage_rewrite_rulesclass-rewrite.php:29
filterrewrite_rules_arrayclass-rewrite.php:32
filterlocaleclass-site.php:22
actionplugins_loadedclass-site.php:23
filterthe_contentclass-site.php:36
filterthe_titleclass-site.php:37
filterget_the_excerptclass-site.php:38
filtersingle_post_titleclass-site.php:39
filterget_post_metadataclass-site.php:40
filterwp_setup_nav_menu_itemclass-site.php:41
filterwp_nav_menu_objectsclass-site.php:42
filtertag_cloud_sortclass-site.php:43
actioninitclass-site.php:44
filterquery_varsclass-site.php:62
filterrequestclass-site.php:63
actionwpclass-site.php:64
actionwp_enqueue_scriptsclass-site.php:71
actionparse_requestclass-site.php:76
actionrest_api_initclass-site.php:79
filterlogin_urlclass-site.php:82
filterlostpassword_urlclass-site.php:83
filterlogout_urlclass-site.php:84
filterregister_urlclass-site.php:85
actionlogin_formclass-site.php:86
actionlostpassword_formclass-site.php:87
actionresetpass_formclass-site.php:88
actionregister_formclass-site.php:89
filterretrieve_password_messageclass-site.php:90
filterlostpassword_redirectclass-site.php:91
filterregistration_redirectclass-site.php:92
actionwp_headclass-site.php:95
actionsublanguage_print_language_switchclass-site.php:98
filtersublanguage_custom_translateclass-site.php:99
filterhome_urlclass-site.php:646
filterpre_post_linkclass-site.php:647
filterpost_linkclass-site.php:648
filterpage_linkclass-site.php:649
filterpost_type_linkclass-site.php:650
filterattachment_linkclass-site.php:651
filterpost_link_categoryclass-site.php:652
filterpost_type_archive_linkclass-site.php:653
filteryear_linkclass-site.php:654
filtermonth_linkclass-site.php:655
filterday_linkclass-site.php:656
filterterm_linkclass-site.php:657
filterget_edit_post_linkclass-site.php:658
filterhome_urlinclude\settings-post-option-page.php:10
filterhome_urlinclude\settings-taxonomy-option-page.php:12
Maintenance & Trust

Sublanguage Maintenance & Trust

Maintenance Signals

WordPress version tested6.6.5
Last updatedDec 8, 2025
PHP min version
Downloads27K

Community Trust

Rating92/100
Number of ratings31
Active installs700
Alternatives

Sublanguage Alternatives

WP Multilang – Translation and Multilingual Plugin

WP Multilang – Translation and Multilingual Plugin

wp-multilang

A
98

Multilingual plugin for WordPress. Go Multilingual in minutes with full WordPress support. Translate your site easily with this localization plugin.

10K 1 CVE
Falang for Elementor Lite

Falang for Elementor Lite

falang-for-elementor-lite

A
100

The Falang for Elementor plugin makes your Elementor page translation simpler.

400 No CVEs
Falang for Divi Lite

Falang for Divi Lite

falang-for-divi-lite

A
100

The Falang for Divi plugin makes your Divi page translation simpler.

100 No CVEs
Sublanguage Switcher Widget

Sublanguage Switcher Widget

sublanguage-switcher-widget

A
100

Sublanguage Switcher Widget is a plugin to display a fancy language switcher widget when Sublanguage plugin is used

80 No CVEs
Monk

Monk

monk

A
85

Monk is a lightweight translation plugin to make your content reach the world.

10 No CVEs
Developer Profile

Sublanguage Developer Profile

maximeschoeni

1 plugin · 700 total installs

79
trust score
Avg Security Score
100/100
Avg Patch Time
203 days
View full developer profile
Detection Fingerprints

How We Detect Sublanguage

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/sublanguage/js/sublanguage.js/wp-content/plugins/sublanguage/js/select2.min.js/wp-content/plugins/sublanguage/js/tinymce/plugins/compat3x/tiny_mce_popup.js/wp-content/plugins/sublanguage/js/tinymce/plugins/compat3x/editors.js/wp-content/plugins/sublanguage/js/tinymce/tinymce.min.js/wp-content/plugins/sublanguage/css/sublanguage.css/wp-content/plugins/sublanguage/css/select2.css
Generator Patterns
Sublanguage
Script Paths
/wp-content/plugins/sublanguage/js/sublanguage.js/wp-content/plugins/sublanguage/js/select2.min.js/wp-content/plugins/sublanguage/js/tinymce/plugins/compat3x/tiny_mce_popup.js/wp-content/plugins/sublanguage/js/tinymce/plugins/compat3x/editors.js/wp-content/plugins/sublanguage/js/tinymce/tinymce.min.js
Version Parameters
sublanguage.css?ver=sublanguage.js?ver=select2.min.js?ver=tiny_mce_popup.js?ver=editors.js?ver=tinymce.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
sl-language-flagssl-flagssl-language-flagsl-hidesl-selected-languagesl-languages-menusl-menu-itemsl-current-language-flag+1 more
HTML Comments
<!-- Sublanguage -->
Data Attributes
data-sl-language-codesdata-sl-current-language
JS Globals
sublanguage_settingsSublanguage
REST Endpoints
/wp-json/sublanguage/v1/languages/wp-json/sublanguage/v1/language/wp-json/sublanguage/v1/translate
Shortcode Output
[sublanguage]
FAQ

Frequently Asked Questions about Sublanguage