Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2751Which Elementor Addon35263500Text Domain Mismatch
#2752All-in-One Addons for Elementor – WidgetKit35603118k+Non-prefixed global variable
#2753Wild Apricot Login358830800Non Singular String Literal Domain
#2754Wired Impact Volunteer Management352531751k+Output is not escaped
#2755Open Graph and Twitter Card Tags35152750k+error log error log
#2756ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce355134410k+Request data is not unslashed
#2757Asaas Gateway for WooCommerce35121098k+Non-prefixed global variable
#2758CardCom Payment Gateway35201843k+Text Domain Mismatch
#2759Sola Payment Gateway for WooCommerce35107116700Missing Translators Comment
#2760WP Courseware for WooCommerce3555491k+Text Domain Mismatch
#2761Custom Payment Gateways for WooCommerce35202313k+Non Singular String Literal Domain
#2762Require Login for WooCommerce351062k+wp function not compatible with requires wp
#2763Backend Payments for WooCommerce356342900Exception output is not escaped
#2764Save and Share Cart for WooCommerce3512551600Text Domain Mismatch
#2765DPD Baltic Shipping35912022k+Text Domain Mismatch
#2766Title Limit for WooCommerce3541124k+Output is not escaped
#2767Abandoned Cart Lite for WooCommerce358416120k+Non-prefixed global variable
#2768Checkout Terms Conditions Popup for WooCommerce3576301k+Output is not escaped
#2769Conversion Tracking for WooCommerce35746120k+Output is not escaped
#2770Japanized for WooCommerce3566810k+Non-prefixed class
#2771WooCommerce Gateway Affirm352586k+Nonce verification recommended
#2772Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing355023650k+Non-prefixed hook name
#2773Custom Payment Gateway for WooCommerce3511128k+Missing nonce verification
#2774Payment Gateway for PayPal Pro & PayPal Checkout for WooCommerce35671472k+Request data is not unslashed
#2775Invoices for WooCommerce355516810k+Non-prefixed global variable
#2776PDF Invoices & Packing Slips for WooCommerce3535966300k+Non-prefixed hook name
#2777Product Tabs for WooCommerce3519610010k+Text Domain Mismatch
#2778Quaderno: Global Tax & Invoicing Automation for WooCommerce35470500Missing nonce verification
#2779Brevo for WooCommerce351166730k+Output is not escaped
#2780Wholesale Suite – B2B, Dynamic Pricing & WooCommerce Wholesale Prices35225220k+Direct Query
#2781Kybernaut IČO DIČ3579683k+Missing nonce verification
#2782Wooplatnica352724400Non-prefixed class
#2783BulkGate SMS Plugin for WooCommerce3533321k+Output is not escaped
#2784Easy Accept Payments via PayPal353221287k+Text Domain Mismatch
#2785Access Areas for WordPress351795400Direct Query
#2786WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets353522100k+Missing direct file access protection
#2787WP Associate Post R235259863k+Output is not escaped
#2788WP Cassify35106143700Missing nonce verification
#2789Category Dropdown by GCS Design3593521k+Output is not escaped
#2790WP Change Email Sender3551310k+Non-prefixed namespace
#2791WP Compiler3533201k+Output is not escaped
#2792WP Content Copy Protection35761110k+Text Domain Mismatch
#2793Custom Body Class353910110k+Non-prefixed global variable
#2794WP Dark Mode – Improve Accessibility with AI Powered Dark Theme352016020k+Non-prefixed global variable
#2795WP Datepicker352251817k+Output is not escaped
#2796Database Backup for WordPress351288870k+Output is not escaped
#2797WP Duplicate Page35445060k+Text Domain Mismatch
#2798WP Flexslider35157600Unsafe printing function
#2799WP Geo3518084900Output is not escaped
#2800Auto Publish for Google My Business3521619210k+Input is not validated