Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#8001XO Security945330k+wp function not compatible with requires wp
#8002Airwallex Online Payments Gateway95224k+Nonce verification recommended
#8003LocoAI – Auto Translate for Loco Translate9510370k+wp function not compatible with requires wp
#8004Blocks9513600Database parameter is not escaped
#8005Blocks to Shortcode – Use blocks everywhere: in page templates, Elementor, etc.958500Non-prefixed global variable
#8006Bulk remove posts from category952510k+date date
#8007Contact Form to Any API95188k+Non-prefixed class
#8008ContentProtector – password protect your page, post or text95132k+Non-prefixed class
#8009Daisy Comments — Disable Comments & Stop Spam95131k+Non-prefixed class
#8010Enhanced Autoload Manager9524600wp function not compatible with requires wp
#8011First Order Coupon Manager for WooCommerce95103900Text Domain Mismatch
#8012Free Customer Service Tools by OpenWidget9521400Request data is not unslashed
#8013Free PDF to Flipbook9512400Nonce verification recommended
#8014Functionality95621k+date date
#8015Hash Link Scroll Offset95841k+Text Domain Mismatch
#8016Arvow AI SEO Writer95161k+Non-prefixed global variable
#8017Media from ZIP9516600Non-prefixed global variable
#8018Paydibs Gateway for WooCommerce95141k+Discouraged text-domain loading
#8019PayHere Payment Gateway95682k+Non-prefixed class
#8020Post Lockdown95531k+Missing direct file access protection
#8021Postname Permalink Auto Redirect9523600Missing direct file access protection
#8022Redirect 404 Error Page to Homepage95126k+outdated tested upto header
#8023Simple Spoiler95182k+Non-prefixed global variable
#8024Style Manager953400Nonce verification recommended
#8025SX No Homepage Pagination95221k+outdated tested upto header
#8026Term Taxonomy Converter95573500Text Domain Mismatch
#8027Upload Converter for WebP9513400Input is not sanitized
#8028Remove Google Fonts – Disable, Block, or Replace with Bunny Fonts for GDPR Compliance95223700Text Domain Mismatch
#8029WCBoost – Variation Swatches9511150k+Non-prefixed hook name
#8030WebMan Templates95131k+Non-prefixed global variable
#8031WING Website Migrator9524400Discouraged PHP function
#8032WPC Product Timer for WooCommerce95173k+Non-prefixed class
#8033Improved External Products for WooCommerce95181k+Non-prefixed class
#8034WP Remove Category Base95148k+trademarked term
#8035WPC Buy Now Button for WooCommerce951810k+Non-prefixed class
#8036YLabs Connector for WPWriter95571k+Forbidden PHP function found
#8037ActiveLayer Anti-Spam: Spam Protection for Forms & Comments9623k+Database parameter is not escaped
#8038Add Featured Image Column96113k+Nonce verification recommended
#8039Advanced Import96390k+Nonce verification recommended
#8040Pricing Table – Block – Show Product or Service Pricing in Table Format9662k+Non-prefixed global variable
#8041Customer Reviews Collector for WooCommerce96515k+Missing direct file access protection
#8042Disable Author Archives961210k+Nonce verification recommended
#8043FAQly – Ultimate FAQ9621k+Nonce verification recommended
#8044FormLayer96270k+Nonce verification recommended
#8045Interactions – Create Interactive Experiences in the Block Editor9622400Missing Translators Comment
#8046KOMOJU Payments9681k+Non-prefixed class
#8047MyServerInfo – Memory Usage, PHP Version, Memory Limit, Execution Time, CPU Usage, Disk Usage9612700mismatched plugin name
#8048WP Post Page Clone96580k+trademarked term
#8049WPB Product Slider for WooCommerce – Responsive Product Carousel & Showcase9654k+trademarked term
#8050WPVulnerability96410k+trademarked term