Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2851Yes/No Chart351361392k+Unsafe printing function
#2852Year Make Model Search for WooCommerce351881621k+Output is not escaped
#2853Yoco Payments3523210k+Nonce verification recommended
#2854Yotpo: Product & Photo Reviews for WooCommerce35241892k+Non-prefixed function
#2855Embeds for YouTube3525530710k+Non-prefixed global variable
#2856ZI Hide Featured Image3583700Hidden files included
#2857Ziina3510252k+Input is not sanitized
#28582C2P Redirect API for WooCommerce3613662900wp function not compatible with requires wp
#28593B Meteo3650761k+Output is not escaped
#2860Product Labels For Woocommerce (Sale Badges)36904810k+Output is not escaped
#2861Admin Customizer36143641k+Output is not escaped
#2862Advanced Export for WP & WPMU3612455700Output is not escaped
#2863Age Verification for your checkout page. Verify your customer's identity36155238500Output is not escaped
#2864SOOZ – AI for SEO – Bulk Generate Focus Keyphrases, Metadata, Alt Text (SEO Autopilot)3643422k+Nonce verification recommended
#2865Awesome GDPR Compliant Cookie Consent and Notice36653201500Text Domain Mismatch
#2866Bard Extra3615975700Text Domain Mismatch
#2867Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder36332210k+Nonce verification recommended
#2868Black Widgets For Elementor362,60819800Text Domain Mismatch
#2869Blaze Demo Importer36101948k+Output is not escaped
#2870BlockStrap Page Builder – Bootstrap Blocks3681892k+Missing direct file access protection
#2871Blog, Posts and Category Filter for Elementor36159551k+Text Domain Mismatch
#2872BP Disable Activation Reloaded3614728800Output is not escaped
#2873BP Group Documents3627195600Non-prefixed global variable
#2874BP Profile Search36321855k+Output is not escaped
#2875bpost shipping369743700Output is not escaped
#2876Breadcrumb NavXT36102111800k+Non Singular String Literal Domain
#2877BuddyMeet3611432700Unsafe printing function
#2878WOLF – WordPress Posts Bulk Editor and Manager Professional3615744k+Request data is not unslashed
#2879Bulk Post Update Date36966610k+Unsafe printing function
#2880Bus Ticket Booking with Seat Reservation36145192800Non-prefixed global variable
#2881Better WordPress Recent Comments3631969600Text Domain Mismatch
#2882Carousel Ultimate36450284700Text Domain Mismatch
#2883Carousel Horizontal Posts Content Slider36271592k+Text Domain Mismatch
#2884Cashflows for WooCommerce3611836600Text Domain Mismatch
#2885Simple SEO3616411310k+Non Singular String Literal Domain
#2886Contact Form 7 Gated Content3612236800Short PHP open tag found
#2887Multi Step for Contact Form 7366110610k+Missing nonce verification
#2888Contact Form 7 Polylang Module3632455k+Output is not escaped
#2889CloudPayments Gateway for WooCommerce3620570500Text Domain Mismatch
#2890CLP – Custom Login Page by NiteoThemes3624049700Output is not escaped
#2891CM Header and Footer – Add custom scripts and styles to your header and footer with ease362301981k+Output is not escaped
#2892CMB23614819300k+Output is not escaped
#2893Code Snippets36342031m+Nonce verification recommended
#2894ColorMeShop WordPress Plugin3639237600Exception output is not escaped
#2895Coming Soon, Under Construction & Maintenance Mode By Dazzler361731327k+Text Domain Mismatch
#2896Conditional Payments for WooCommerce3629218410k+Text Domain Mismatch
#2897Conditional Shipping for WooCommerce369319610k+Non-prefixed global variable
#2898Continuous Image Carousel With Lightbox362551291k+Output is not escaped
#2899CP Blocks3646381k+wp function not compatible with requires wp
#2900Crelly Slider3642118510k+Unsafe printing function