Security Issues

Issue Codes

38 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Using FILE

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

like escape Found

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

attribute escape Found

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

js escape Found

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

sanitize user object Found

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Updated	Top Issue
#1	BulletProof Security	0	5,048	4,949	20k+	1 month ago	Output Not Escaped
#2	Intercom	0	60	71	6k+	1 year ago	Non Prefixed Function Found
#3	Plugin Check (PCP)	0	128	132	10k+	23 days ago	Exception Not Escaped
#4	Themify Builder	9	5,195	2,096	5k+	5 days ago	Text Domain Mismatch
#5	JetBackup – Backup, Restore & Migrate	10	1,559	145	100k+	2 months ago	Exception Not Escaped
#6	Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more	15	32	163	500k+	3 months ago	Direct Query
#7	Visual Composer Website Builder	16	82	320	40k+	11 months ago	Non Prefixed Variable Found
#8	AnyComment	17	445	449	5k+	4 years ago	Output Not Escaped
#9	JetFormBuilder — Dynamic Blocks Form Builder	17	2,094	1,588	90k+	4 days ago	Text Domain Mismatch
#10	wpForo Forum	17	4,033	2,922	20k+	21 days ago	Unsafe Printing Function
#11	WPtouch – Make your WordPress Website Mobile-Friendly	17	1,466	325	50k+	7 months ago	Text Domain Mismatch
#12	Prime Slider Addons for Elementor	18	3,500	230	100k+	6 days ago	Text Domain Mismatch
#13	WP Import Export Lite	18	738	979	40k+	11 months ago	Non Prefixed Variable Found
#14	Element Pack – Widgets, Templates & Addons for Elementor	19	9,448	517	100k+	5 days ago	Text Domain Mismatch
#15	Download Monitor	19	425	1,364	80k+	5 days ago	Non Prefixed Hookname Found
#16	Event Organiser	19	1,106	544	20k+	2 years ago	Text Domain Mismatch
#17	Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution	19	1,218	901	100k+	12 days ago	Exception Not Escaped
#18	Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)	19	3,275	3,228	10k+	7 months ago	Output Not Escaped
#19	Matomo Analytics – Powerful, Privacy-First Insights for WordPress	19	1,909	878	100k+	5 days ago	Exception Not Escaped
#20	Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization	19	1,295	2,679	9k+	6 days ago	Output Not Escaped
#21	Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)	19	541	385	3m+	4 days ago	Missing Translators Comment
#22	Membership Plugin – Kadence Memberships	19	5,082	2,982	9k+	26 days ago	Text Domain Mismatch
#23	SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments	19	526	1,119	90k+	5 days ago	Non Prefixed Variable Found
#24	BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot	20	508	1,406	30k+	3 days ago	Non Prefixed Variable Found
#25	Brizy – Page Builder	20	589	720	70k+	12 days ago	Output Not Escaped
#26	Filter Everything — WordPress & WooCommerce Filters	20	568	730	50k+	3 days ago	Output Not Escaped
#27	GiveWP – Donation Plugin and Fundraising Platform	20	3,435	3,580	100k+	6 days ago	Output Not Escaped
#28	Link Library	20	1,941	1,397	10k+	2 months ago	Unsafe Printing Function
#29	Brevo – Email, SMS, Web Push, Chat, and more.	20	460	646	100k+	2 months ago	Missing Unslash
#30	Microthemer Lite – Visual Editor to Customize CSS	20	1,004	1,699	10k+	2 months ago	Non Prefixed Variable Found
#31	Nimble Page Builder	20	1,591	1,684	30k+	1 year ago	Missing Arg Domain
#32	Pix por Piggly (para Woocommerce)	20	547	195	4k+	2 years ago	Exception Not Escaped
#33	Remove Add to Cart WooCommerce	20	616	1,378	4k+	8 months ago	Non Prefixed Variable Found
#34	Robin Image Optimizer – Unlimited Image Optimization, WebP & AVIF	20	557	541	100k+	1 month ago	Output Not Escaped
#35	Razorpay for WooCommerce	20	974	855	100k+	2 days ago	Non Prefixed Function Found
#36	WPJAM Basic	20	328	356	4k+	5 days ago	Output Not Escaped
#37	Store Locator WordPress	21	2,372	1,572	10k+	18 days ago	Text Domain Mismatch
#38	Backup Migration	21	981	1,093	80k+	16 days ago	Non Prefixed Variable Found
#39	bbPress	21	929	3,672	100k+	12 months ago	Non Prefixed Function Found
#40	rtMedia for WordPress, BuddyPress and bbPress	21	363	633	8k+	3 months ago	Non Prefixed Constant Found
#41	Captcha Them All	21	300	323	6k+	3 years ago	Output Not Escaped
#42	CartFlows – Funnel Builder & Checkout Plugin for WooCommerce	21	461	614	200k+	19 days ago	Text Domain Mismatch
#43	Smart Grid-Layout Design for Contact Form 7	21	1,126	734	10k+	1 month ago	Output Not Escaped
#44	Comet Cache	21	857	245	20k+	12 months ago	Output Not Escaped
#45	Cost Calculator Builder	21	322	765	30k+	2 days ago	Non Prefixed Variable Found
#46	Free Downloads WooCommerce	21	430	359	4k+	1 month ago	Output Not Escaped
#47	Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More	21	2,572	1,277	1m+	1 month ago	Output Not Escaped
#48	Envo Extra	21	878	600	20k+	25 days ago	Text Domain Mismatch
#49	eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams	21	186	437	9k+	2 months ago	Non Prefixed Variable Found
#50	ERP: Complete HR, Accounting & CRM Suite with Recruitment and WooCommerce CRM Support	21	829	5,966	5k+	3 days ago	Direct Query