| #1 | Universally – AI Translation & Multilingual SEO: Translate Your Site into 110+ Languages | 100 | | 1 | 2k+ | | | mismatched plugin name |
| #2 | Feeds for TikTok (TikTok feed, video, and gallery plugin) | 98 | 5 | 3 | 70k+ | | | Missing direct file access protection |
| #3 | WPChat – Live Chat & Messaging Widget for Customer Support | 98 | 3 | 7 | 2k+ | | | Post Not In exclude |
| #4 | All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic | 97 | 19 | 3 | 3m+ | | | wp function not compatible with requires wp |
| #5 | Disable New User Notification Emails | 97 | 2 | 6 | 4k+ | | | Non-prefixed hook name |
| #6 | ActiveLayer Anti-Spam: Spam Protection for Forms & Comments | 96 | | 2 | 1k+ | | | Database parameter is not escaped |
| #7 | Table of Contents Plus | 95 | 29 | 9 | 200k+ | | | wp function not compatible with requires wp |
| #8 | Contact Form & SMTP Plugin for WordPress by PirateForms | 93 | 14 | 102 | 30k+ | | | Non-prefixed hook name |
| #9 | Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More | 92 | 17 | 65 | 100k+ | | | Non-prefixed global variable |
| #10 | PDF Embedder | 91 | 1 | 7 | 300k+ | | | Non-prefixed class |
| #11 | SearchWP Modal Search Form | 91 | 9 | 9 | 5k+ | | | trademarked term |
| #12 | WPConsent – Cookie Banner & Cookie Consent for Privacy Compliance (GDPR / CCPA / EU Compliance Cookie Notice) | 91 | 2 | 12 | 100k+ | | | Post Not In exclude |
| #13 | aThemes Addons for Elementor | 90 | 13 | 96 | 8k+ | | | Non-prefixed global variable |
| #14 | Compact Archives | 90 | 8 | 14 | 2k+ | | | Non-prefixed function |
| #15 | Slider by Soliloquy – Responsive Image Slider for WordPress | 90 | 470 | 29 | 30k+ | | | Text Domain Mismatch |
| #16 | WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager | 89 | 21 | 30 | 3m+ | | | wp function not compatible with requires wp |
| #17 | WP101 Video Tutorial Plugin | 86 | 15 | 18 | 10k+ | | | Missing direct file access protection |
| #18 | Intranet & Private Site – All-In-One Intranet | 82 | 1 | 11 | 4k+ | | | Input is not sanitized |
| #19 | AffiliateWP – Affiliate Info | 79 | 27 | 7 | 1k+ | | | Text Domain Mismatch |
| #20 | SearchWP Live Ajax Search | 78 | 8 | 23 | 50k+ | | | Non-prefixed global variable |
| #21 | Embed Files from Google Drive | 77 | 4 | 35 | 5k+ | | | Nonce verification recommended |
| #22 | Change Mail Sender | 76 | 97 | 19 | 20k+ | | | Text Domain Mismatch |
| #23 | Product Labels, Quick View, Buy Now, Pre-Orders, Frequently Bought Together & More for WooCommerce – Merchant | 60 | 11 | 740 | 10k+ | | | Non-prefixed global variable |
| #24 | AffiliateWP – Order Details For Affiliates | 54 | 62 | 27 | 2k+ | | | Output is not escaped |
| #25 | WP Call Button – Easy Click to Call Button for WordPress | 54 | 21 | 38 | 40k+ | | | Non-prefixed global variable |
| #26 | Affiliate Area Shortcodes by AffiliateWP | 52 | 56 | 16 | 2k+ | | | Text Domain Mismatch |
| #27 | Gallery Carousel Without JetPack | 49 | 56 | 35 | 4k+ | | | Text Domain Mismatch |
| #28 | WP Lightbox 2 | 46 | 52 | 18 | 30k+ | | | Text Domain Mismatch |
| #29 | Transients Manager | 42 | 45 | 50 | 20k+ | | | Output is not escaped |
| #30 | AffiliateWP – Affiliate Product Rates | 41 | 84 | 24 | 2k+ | | | Output is not escaped |
| #31 | Athemes Toolbox | 40 | 254 | 58 | 3k+ | | | Text Domain Mismatch |
| #32 | AffiliateWP – Affiliate Area Tabs | 39 | 86 | 26 | 3k+ | | | Output is not escaped |
| #33 | Sydney Toolbox | 39 | 84 | 62 | 50k+ | | | Unsafe printing function |
| #34 | One Click Demo Import | 38 | 22 | 84 | 1m+ | | | Non-prefixed global variable |
| #35 | FOMO & Social Proof Notifications by TrustPulse – Best WordPress FOMO Plugin | 36 | 104 | 39 | 10k+ | | | Output is not escaped |
| #36 | WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin | 36 | 18 | 146 | 4m+ | | | Direct Query |
| #37 | PushEngage – Web Push Notifications, WooCommerce Automation & Chat Widget | 34 | 54 | 304 | 9k+ | | | Missing nonce verification |
| #38 | Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers | 34 | 261 | 863 | 30k+ | | | Non-prefixed global variable |
| #39 | WP Mail Logging | 34 | 76 | 258 | 300k+ | | | Nonce verification recommended |
| #40 | aThemes Blocks | 32 | 192 | 1,034 | 6k+ | | | Non-prefixed global variable |
| #41 | BuddyPress for LearnDash | 32 | 190 | 284 | 1k+ | | | Output is not escaped |
| #42 | Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation | 32 | 462 | 41 | 1m+ | | | Text Domain Mismatch |
| #43 | WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More | 31 | 165 | 271 | 5m+ | | | Non-prefixed global variable |
| #44 | aThemes Starter Sites | 30 | 259 | 195 | 40k+ | | | Text Domain Mismatch |
| #45 | Login for Google Apps | 27 | 139 | 85 | 10k+ | | | Exception output is not escaped |
| #46 | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More | 26 | 97 | 270 | 10k+ | | | error log error log |
| #47 | Smash Balloon Social Post Feed – Simple Social Feeds for WordPress | 25 | 554 | 982 | 200k+ | | | Output is not escaped |
| #48 | Smash Balloon Social Photo Feed – Easy Social Feeds Plugin | 25 | 449 | 1,300 | 1m+ | | | Interpolated SQL is not prepared |
| #49 | Custom Twitter Feeds – A Tweets Widget or X Feed Widget | 24 | 446 | 922 | 100k+ | | | Output is not escaped |
| #50 | ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) | 24 | 118 | 442 | 300k+ | | | Nonce verification recommended |
