| #1 | WPConsent – Cookie Banner & Cookie Consent for Privacy Compliance (GDPR / CCPA / EU Compliance Cookie Notice) | 99 | | 6 | 100k+ | | | trademarked term |
| #2 | WPForms – AI Form Builder for WordPress – Contact Forms, Payment Forms, Survey Form, Quiz & More | 32 | 165 | 273 | 5m+ | | | Non-prefixed global variable |
| #3 | ActiveLayer Anti-Spam: Spam Protection for Forms & Comments | 96 | | 2 | 2k+ | | | Database parameter is not escaped |
| #4 | Affiliate Area Shortcodes by AffiliateWP | 52 | 56 | 16 | 2k+ | | | Text Domain Mismatch |
| #5 | AffiliateWP – Affiliate Area Tabs | 39 | 86 | 26 | 3k+ | | | Output is not escaped |
| #6 | AffiliateWP – Affiliate Info | 79 | 27 | 7 | 1k+ | | | Text Domain Mismatch |
| #7 | AffiliateWP – Affiliate Product Rates | 41 | 84 | 24 | 2k+ | | | Output is not escaped |
| #8 | AffiliateWP – Allow Own Referrals | 78 | 37 | 10 | 600 | | | Text Domain Mismatch |
| #9 | AffiliateWP – Allowed Products | 73 | 47 | 19 | 1k+ | | | Text Domain Mismatch |
| #10 | AffiliateWP Checkout Referrals | 47 | 48 | 26 | 600 | | | Output is not escaped |
| #11 | AffiliateWP – External Referral Links | 77 | 30 | 11 | 800 | | | Text Domain Mismatch |
| #12 | AffiliateWP – Force Pending Referrals | 79 | 35 | 12 | 500 | | | Text Domain Mismatch |
| #13 | AffiliateWP – Leaderboard | 49 | 68 | 13 | 1k+ | | | Output is not escaped |
| #14 | AffiliateWP – Order Details For Affiliates | 54 | 62 | 27 | 2k+ | | | Output is not escaped |
| #15 | AffiliateWP – Sign Up Bonus | 74 | 46 | 13 | 400 | | | Text Domain Mismatch |
| #16 | AffiliateWP – Store Credit | 48 | 47 | 21 | 400 | | | Output is not escaped |
| #17 | AffiliateWP – WooCommerce Redirect Affiliates | 79 | 27 | 7 | 1k+ | | | Text Domain Mismatch |
| #18 | Airi Demo Importer | 98 | 1 | 7 | 1k+ | | | Deprecated function: get_page_by_title |
| #19 | Intranet & Private Site – All-In-One Intranet | 82 | 1 | 11 | 4k+ | | | Input is not sanitized |
| #20 | All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic | 97 | 19 | 4 | 3m+ | | | wp function not compatible with requires wp |
| #21 | All in One SEO Pack Importer | 56 | 17 | 25 | 500 | | | Direct Query |
| #22 | aThemes Addons for Elementor | 90 | 13 | 96 | 8k+ | | | Non-prefixed global variable |
| #23 | aThemes Blocks | 32 | 192 | 1,034 | 6k+ | | | Non-prefixed global variable |
| #24 | aThemes Starter Sites | 30 | 262 | 195 | 40k+ | | | Text Domain Mismatch |
| #25 | Athemes Toolbox | 40 | 254 | 58 | 3k+ | | | Text Domain Mismatch |
| #26 | Batch Comment Spam Deletion | 46 | 22 | 15 | 1k+ | | | Nonce verification recommended |
| #27 | Beacon Lead Magnets and Lead Capture | 75 | 8 | 25 | 500 | | | Nonce verification recommended |
| #28 | BP Auto Group Join | 42 | 55 | 55 | 700 | | | Output is not escaped |
| #29 | BuddyPress Edit Activity | 41 | 28 | 26 | 800 | | | Output is not escaped |
| #30 | BuddyPress for LearnDash | 32 | 190 | 284 | 1k+ | | | Output is not escaped |
| #31 | Gallery Carousel Without JetPack | 49 | 56 | 35 | 4k+ | | | Text Domain Mismatch |
| #32 | Change Mail Sender | 76 | 97 | 19 | 20k+ | | | Text Domain Mismatch |
| #33 | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More | 26 | 97 | 270 | 10k+ | | | error log error log |
| #34 | Compact Archives | 90 | 8 | 14 | 2k+ | | | Non-prefixed function |
| #35 | Smash Balloon Social Post Feed – Simple Social Feeds for WordPress | 25 | 554 | 982 | 200k+ | | | Output is not escaped |
| #36 | Custom Twitter Feeds – A Tweets Widget or X Feed Widget | 24 | 446 | 922 | 100k+ | | | Output is not escaped |
| #37 | Disable New User Notification Emails | 97 | 2 | 6 | 4k+ | | | Non-prefixed hook name |
| #38 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | | | Output is not escaped |
| #39 | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy | 23 | 3,723 | 10,283 | 40k+ | | | Non-prefixed namespace |
| #40 | Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more | 15 | 32 | 163 | 500k+ | | | Direct Query |
| #41 | EDD Auto Register | 89 | 13 | 7 | 900 | | | Missing Translators Comment |
| #42 | Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More | 92 | 17 | 65 | 100k+ | | | Non-prefixed global variable |
| #43 | Feeds for TikTok (TikTok feed, video, and gallery plugin) | 98 | 5 | 3 | 70k+ | | | Missing direct file access protection |
| #44 | Feeds for YouTube (YouTube video, channel, and gallery plugin) | 21 | 558 | 978 | 100k+ | | | Output is not escaped |
| #45 | Force Plugin Updates Check | 92 | 5 | 5 | 500 | | | trademarked term |
| #46 | ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) | 24 | 118 | 442 | 300k+ | | | Nonce verification recommended |
| #47 | Login for Google Apps | 27 | 139 | 85 | 10k+ | | | Exception output is not escaped |
| #48 | Embed Files from Google Drive | 77 | 4 | 35 | 5k+ | | | Nonce verification recommended |
| #49 | WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager | 89 | 21 | 30 | 3m+ | | | wp function not compatible with requires wp |
| #50 | Smash Balloon Social Photo Feed – Easy Social Feeds Plugin | 25 | 449 | 1,300 | 1m+ | | | Interpolated SQL is not prepared |
