Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2801Auto Publish for Google My Business3521619210k+Input is not validated
#2802WP GPX Maps35271004k+Non-prefixed global variable
#2803WPGraphQL35108630k+Non-prefixed hook name
#2804WP Hydra3510181k+Input is not sanitized
#2805WP-KaTeX35148800Missing direct file access protection
#2806WP-LESS3516810k+Missing direct file access protection
#2807WP Login and Logout Redirect351666k+Text Domain Mismatch
#2808Mail logging – WP Mail Catcher3523215720k+Text Domain Mismatch
#2809WP Mailto Links – Protect Email Addresses3595698k+Output is not escaped
#2810WP-Markdown353139400Output is not escaped
#2811WP Instant Feeds3519126k+Output is not escaped
#2812WP Open Street Map35591113k+Input is not validated
#2813WP-PageNavi358495500k+Non Singular String Literal Domain
#2814WP-Paginate35375520k+Input is not validated
#2815WP-Persian35144377k+Unsafe printing function
#2816WP PGP Encrypted Emails356339400Output is not escaped
#2817WP Post Nav3573242400Non-prefixed global variable
#2818WP Post Series35109600Non-prefixed global variable
#2819WP-PostViews3513264100k+Unsafe printing function
#2820WP-Print35110528k+Unsafe printing function
#2821WP All Import – Property Import for WP Residence354132700Output is not escaped
#2822video carousel slider with lightbox353501361k+Output is not escaped
#2823WP Site Verification tool3534371k+Non-prefixed global variable
#2824WP Spam Question Filter3563302k+Output is not escaped
#2825Subresource Integrity (SRI) Manager352694900Request data is not unslashed
#2826WP System Information3523730700Text Domain Mismatch
#2827WP To Top3530291k+Non-prefixed global variable
#2828Integration for WooCommerce and QuickBooks352631251k+Output is not escaped
#2829WP-Yomigana3517152k+Output is not escaped
#2830WPC Badge Management for WooCommerce3513812k+Missing nonce verification
#2831WPCore Plugin Manager35118389k+Text Domain Mismatch
#2832WPD Beaver Builder Additions3540635600Non Singular String Literal Domain
#2833WP Views Counter3581422k+Output is not escaped
#2834WPElemento Importer351261239k+Text Domain Mismatch
#2835WPFront User Role Editor3533357830k+Output is not escaped
#2836WPGraphQL for ACF3561810k+Output is not escaped
#2837WPGraphQL IDE3538181k+Text Domain Mismatch
#2838wpLingua – Automatic translation – Translate and make website multilingual35791672k+Nonce verification recommended
#2839Memory Meter3523600Request data is not unslashed
#2840WPPerformanceTester3594441k+Output is not escaped
#2841WPZOOM Addons for Elementor – Starter Templates & Widgets3516013020k+Output is not escaped
#2842WPZOOM Forms – Drag & Drop Contact Form Builder for WordPress357410910k+Nonce verification recommended
#2843WPZOOM Portfolio Lite – Filterable Portfolio Plugin35429220k+Non-prefixed global variable
#2844Writesonic3514161k+Non-prefixed global variable
#2845WSB HUB335361091k+Missing nonce verification
#2846xili-tidy-tags352241571k+Output is not escaped
#2847XServer Migrator35395310k+Interpolated SQL is not prepared
#2848TypeSquare Webfonts for エックスサーバー3518398100k+Missing Arg Domain
#2849XT Event Widget for Social Events35355800Non-prefixed global variable
#2850Yabe Webfont – Use Custom Fonts, Google Fonts or Adobe Fonts35481145k+Non-prefixed hook name