Translation with DeepL API Security & Risk Analysis

wordpress.org/plugins/wpdeepl

Get DeepL translation magic into your WordPress Admin. Not affiliated with or endorsed by DeepL SE. DeepL® is a registered trademark of DeepL SE.

4K active installs v2.6.1 PHP 8.0+ WP 5.1+ Updated Mar 4, 2026
posttranslation
99
A · Safe
CVEs total3
Unpatched0
Last CVEOct 25, 2023
Download
Safety Verdict

Is Translation with DeepL API Safe to Use in 2026?

Generally Safe

Score 99/100

Translation with DeepL API has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEsLast CVE: Oct 25, 2023Updated 4mo ago
Risk Assessment

The wpdeepl plugin exhibits a mixed security posture. On the positive side, static analysis reveals a very small attack surface with no identified unprotected entry points. The code also demonstrates strong adherence to secure coding practices regarding SQL queries, with all queries using prepared statements. Furthermore, output escaping is highly effective, with 98% of outputs properly escaped, and a significant number of capability checks are in place. However, a critical concern arises from the presence of the `unserialize` function, which is inherently risky if used with untrusted input. While the taint analysis did not reveal any unsanitized paths for this specific version, the potential for misuse remains significant.

The vulnerability history is particularly noteworthy. The plugin has a history of 3 medium-severity CVEs, specifically related to Cross-Site Request Forgery (CSRF) and Exposure of Sensitive Information. The fact that these vulnerabilities have been patched indicates the developers are responsive to security issues, but the repeated occurrence of certain vulnerability types suggests potential recurring weaknesses in input validation or handling that could be exploited. The most recent vulnerability was in October 2023.

In conclusion, wpdeepl has strengths in its limited attack surface and diligent use of prepared statements and output escaping. However, the `unserialize` function represents a latent risk, and the past prevalence of CSRF and information exposure vulnerabilities warrants careful monitoring and potentially deeper code review to ensure these issues are permanently addressed. The current version appears free of known unpatched vulnerabilities, which is a positive sign.

Key Concerns

  • Presence of unserialize function
  • History of 3 medium CVEs
Vulnerabilities
3 published

Translation with DeepL API Security Vulnerabilities

CVEs by Year

1 CVE in 2022
2022
2 CVEs in 2023
2023
Patched Has unpatched

Severity Breakdown

Medium
3

3 total CVEs

CVE-2023-46620medium · 4.3Cross-Site Request Forgery (CSRF)

DeepL Pro API translation <= 2.4.1.1 - Cross-Site Request Forgery via wpdeepl_prune_logs

Oct 25, 2023 Patched in 2.4.1.2 (90d)
CVE-2023-27446medium · 4.3Cross-Site Request Forgery (CSRF)

DeepL Pro API translation <= 2.1.4 - Cross-Site Request Forgery via saveSettings

Mar 2, 2023 Patched in 2.1.5 (327d)
CVE-2022-3691medium · 6.5Exposure of Sensitive Information to an Unauthorized Actor

DeepL Pro API Translation <= 1.7.4 - Sensitive Information Disclosure

Oct 31, 2022 Patched in 1.7.5 (449d)
Version History

Translation with DeepL API Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Translation with DeepL API Code Analysis

Dangerous Functions
1
Raw SQL Queries
0
4 prepared
Unescaped Output
9
417 escaped
Nonce Checks
4
Capability Checks
5
File Operations
8
External Requests
2
Bundled Libraries
0

Dangerous Functions Found

unserializewpdeepl_debug_display(unserialize($line));admin\deepl-admin-functions.php:176

SQL Query Safety

100% prepared4 total queries

Output Escaping

98% escaped426 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

1 flows
<wp-improved-settings.class> (settings\wp-improved-settings.class.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Translation with DeepL API Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 14
actioninitadmin\deepl-admin-hooks.php:3
actionadmin_enqueue_scriptsadmin\deepl-admin-hooks.php:23
actionadmin_footeradmin\deepl-admin-hooks.php:42
actionadd_meta_boxesadmin\deepl-metabox.php:8
actionadmin_noticesmodules\deepl-translate-post.php:23
actionadmin_footermodules\deepl-translate-post.php:36
actionadmin_initmodules\deepl-translate-post.php:65
actionadmin_initsettings\wp-improved-settings.class.php:115
actionadmin_initsettings\wp-improved-settings.class.php:116
actionadmin_menusettings\wp-improved-settings.class.php:120
actionadmin_noticessettings\wp-improved-settings.class.php:242
actionadmin_noticessettings\wp-improved-settings.class.php:244
filterzebench_plugins_pathswpdeepl.php:80
actioninitwpdeepl.php:154
Maintenance & Trust

Translation with DeepL API Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 4, 2026
PHP min version8.0
Downloads151K

Community Trust

Rating80/100
Number of ratings29
Active installs4K
Developer Profile

Translation with DeepL API Developer Profile

malaiac

2 plugins · 4K total installs

73
trust score
Avg Security Score
92/100
Avg Patch Time
289 days
View full developer profile
Detection Fingerprints

How We Detect Translation with DeepL API

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpdeepl/assets/wpdeepl-admin.css/wp-content/plugins/wpdeepl/assets/wpdeepl-metabox.js
Script Paths
/wp-content/plugins/wpdeepl/assets/wpdeepl-metabox.js
Version Parameters
wpdeepl/assets/wpdeepl-admin.css?ver=wpdeepl/assets/wpdeepl-metabox.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- Error loading WPDeepL -->
Data Attributes
name="wpdeepl_metabox_behaviour"
JS Globals
DeepLStringsWPDEEPL_VERSIONWPDEEPL_URLWPDEEPL_PATHWPDEEPL_FLAVORWPDEEPL_DEBUG+3 more
FAQ

Frequently Asked Questions about Translation with DeepL API