WP-Safety

WP_Multilingual Security & Risk Analysis

wordpress.org/plugins/wp-multilingual

WP_Multilingual is extension that brings WordPress multilingual support. With it's help you can publish more that in one language at a time.

100 active installs v1.3.4.15 PHP + WP 2.3.1+ Updated Oct 23, 2008
languageslocalizationlocalizationsmultilingualtags
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is WP_Multilingual Safe to Use in 2026?

Generally Safe

Score 85/100

WP_Multilingual has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 17yr ago
Risk Assessment

The plugin 'wp-multilingual' v1.3.4.15 exhibits a mixed security posture. While the static analysis indicates a very small attack surface with no apparent exposed entry points like AJAX handlers, REST API routes, or shortcodes without authentication checks, several concerning code signals suggest potential vulnerabilities. The presence of 15 dangerous functions, including `preg_replace(/e)` and `unserialize`, alongside a low rate of properly escaped output (13%), raises significant red flags. The taint analysis revealing 5 flows with unsanitized paths, including 2 of high severity, further amplifies these concerns, suggesting potential for code injection or sensitive data leakage if these flows are triggered. The lack of any recorded CVEs is a positive sign, indicating no publicly known exploitable vulnerabilities at this time. However, the internal code quality issues identified in the static analysis, particularly concerning data sanitization and output escaping, suggest that latent vulnerabilities may exist. Therefore, while the plugin appears secure from external attack vectors based on its exposed interfaces, the internal code quality presents a notable risk that should be addressed through code review and remediation.

Key Concerns

  • Dangerous functions detected (preg_replace(/e), unserialize)
  • Low percentage of properly escaped output
  • High severity taint flows found
  • Unsanitized paths in taint flows
  • SQL queries not using prepared statements
  • Zero nonce checks
  • Low percentage of capability checks
Vulnerabilities
None known

WP_Multilingual Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WP_Multilingual Code Analysis

Dangerous Functions
15
Raw SQL Queries
69
8 prepared
Unescaped Output
87
13 escaped
Nonce Checks
0
Capability Checks
2
File Operations
8
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

preg_replace(/e)preg_replace("/$matches\[(\d+)\]/ei"multilingual.php:1069
unserialize$str = serialize(array(base64_encode(serialize(unserialize(serialize($translation))))));multilingual.php:162
unserialize$GLOBALS['wpdb']->query("INSERT INTO ".$GLOBALS['table_prefix']."postmeta (post_id,meta_value,meta_kmultilingual.php:165
unserialize$translations = unserialize($item['meta_value']);multilingual.php:404
unserialize$translations = unserialize(base64_decode($translations[0]));multilingual.php:405
unserialize$str = serialize(array(base64_encode(serialize(unserialize(serialize($translations))))));multilingual.php:410
unserialize$translations = unserialize($res);multilingual.php:1262
unserialize$translations = unserialize(base64_decode($translations[0]));multilingual.php:1263
unserialize$translation = unserialize($res);multilingual.php:1603
unserialize$translation = unserialize(base64_decode($translation[0]));multilingual.php:1604
unserialize$translation = unserialize($resMeta);multilingual.php:1733
unserialize$translation = unserialize(base64_decode($translation[0]));multilingual.php:1734
unserialize$translation = unserialize($resMeta);multilingual.php:1770
unserialize$translation = unserialize(base64_decode($translation[0]));multilingual.php:1771
unserialize$str = serialize(array(base64_encode(serialize(unserialize(serialize($translation))))));multilingual.php:1797

SQL Query Safety

10% prepared77 total queries

Output Escaping

13% escaped100 total outputs
Data Flows
5 unsanitized

Data Flow Analysis

6 flows5 with unsanitized paths
language_switcher (multilingual.php:650)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

WP_Multilingual Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 63
filterlocalemultilingual.php:623
filterlocalemultilingual.php:625
actioninitmultilingual.php:635
actionadmin_menumultilingual.php:689
actionadmin_headmultilingual.php:690
actionsave_postmultilingual.php:693
actionadmin_headmultilingual.php:699
actionadmin_menumultilingual.php:700
actionedit_form_advancedmultilingual.php:709
actionedit_page_formmultilingual.php:710
actionsimple_edit_formmultilingual.php:711
actionedit_postmultilingual.php:715
actionsave_postmultilingual.php:716
actionpublish_postmultilingual.php:718
actionpublish_pagemultilingual.php:719
actionedit_user_profilemultilingual.php:723
actionshow_user_profilemultilingual.php:724
actiondelete_categorymultilingual.php:727
actiondelete_post_tagmultilingual.php:728
actiondelete_link_categorymultilingual.php:729
actiondelete_postmultilingual.php:731
actiongenerate_rewrite_rulesmultilingual.php:732
filterbloginfomultilingual.php:734
actionget_footermultilingual.php:744
actionget_headermultilingual.php:746
actionwp_headmultilingual.php:751
filterquery_varsmultilingual.php:757
filterquery_stringmultilingual.php:758
filterparse_querymultilingual.php:759
filterfeed_linkmultilingual.php:761
filtercategory_linkmultilingual.php:763
filterauthor_linkmultilingual.php:764
filteryear_linkmultilingual.php:765
filtermonth_linkmultilingual.php:766
filterday_linkmultilingual.php:767
actioncomment_formmultilingual.php:769
filterbloginfomultilingual.php:772
filterlanguage_attributesmultilingual.php:773
actiontemplate_redirectmultilingual.php:774
filterposts_wheremultilingual.php:775
filterposts_joinmultilingual.php:776
filterget_pagesmultilingual.php:778
filterget_pagemultilingual.php:779
filterget_postsmultilingual.php:780
filterget_postmultilingual.php:781
actionposts_resultsmultilingual.php:782
filteroption_rss_languagemultilingual.php:785
filterget_the_guidmultilingual.php:786
filterthe_titlemultilingual.php:788
filtersingle_post_titlemultilingual.php:789
filterget_categorymultilingual.php:791
filterget_post_tagmultilingual.php:792
filterget_termmultilingual.php:793
filterget_categoriesmultilingual.php:795
filterget_the_tagsmultilingual.php:796
filterget_termsmultilingual.php:797
filterthe_contentmultilingual.php:801
filterfound_posts_querymultilingual.php:803
filterpost_linkmultilingual.php:818
filterpage_linkmultilingual.php:819
filtercategory_linkmultilingual.php:820
filterrewrite_rules_arraymultilingual.php:1080
actionadmin_noticesmultilingual.php:1581
Maintenance & Trust

WP_Multilingual Maintenance & Trust

Maintenance Signals

WordPress version tested2.5.1
Last updatedOct 23, 2008
PHP min version
Downloads29K

Community Trust

Rating0/100
Number of ratings0
Active installs100
Alternatives

WP_Multilingual Alternatives

Smartcat Translator for WPML

Smartcat Translator for WPML

smartcat-wpml

A
99

The easiest way to translate your WPML-enabled WordPress site into various languages.

60 1 CVE
Polylang

Polylang

polylang

A
93

Go multilingual in a simple and efficient way. Keep writing posts and taxonomy terms as usual while defining their languages all at once.

800K 3 CVEs
Connect Polylang for Elementor

Connect Polylang for Elementor

connect-polylang-elementor

A
100

Connect Polylang with Elementor: translated templates, language switcher widget, language visibility conditions and more

100K No CVEs
Bogo

Bogo

bogo

A
100

A straight-forward multilingual plugin. No more double-digit custom DB tables or hidden HTML comments that could cause you headaches later on.

10K No CVEs
WP Multilang – Translation and Multilingual Plugin

WP Multilang – Translation and Multilingual Plugin

wp-multilang

A
98

Multilingual plugin for WordPress. Go Multilingual in minutes with full WordPress support. Translate your site easily with this localization plugin.

10K 1 CVE
Developer Profile

WP_Multilingual Developer Profile

Oleg Butuzov

2 plugins · 900 total installs

86
trust score
Avg Security Score
89/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WP_Multilingual

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-multilingual/js/multilingual.js/wp-content/plugins/wp-multilingual/css/multilingual.css/wp-content/plugins/wp-multilingual/js/multilingual_admin.js/wp-content/plugins/wp-multilingual/js/colorbox/jquery.colorbox.js/wp-content/plugins/wp-multilingual/css/colorbox/colorbox.css
Script Paths
/wp-content/plugins/wp-multilingual/js/multilingual.js/wp-content/plugins/wp-multilingual/js/multilingual_admin.js/wp-content/plugins/wp-multilingual/js/colorbox/jquery.colorbox.js
Version Parameters
wp-multilingual/js/multilingual.js?ver=wp-multilingual/css/multilingual.css?ver=wp-multilingual/js/multilingual_admin.js?ver=wp-multilingual/js/colorbox/jquery.colorbox.js?ver=wp-multilingual/css/colorbox/colorbox.css?ver=

HTML / DOM Fingerprints

CSS Classes
multilingual_switcher
HTML Comments
<!-- multilingual Admin Area --><!-- multilingual JavaScript --><!-- Language edition --><!-- WP_Multilingual uninstallation -->+6 more
Data Attributes
data-multilingual-typedata-multilingual-positiondata-multilingual-cssdata-multilingual-http-user-language
JS Globals
WP_MultilingualMULTILINGUAL_DOMAIN
FAQ

Frequently Asked Questions about WP_Multilingual