Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2901Crelly Slider3642118510k+Unsafe printing function
#2902CSH Login3612641500Output is not escaped
#2903Custom Database Applications by Caspio363263400Input is not sanitized
#2904Custom PHP Settings361537610k+Output is not escaped
#2905Custom Category Post Order368083500Text Domain Mismatch
#2906Dashboard Widgets Suite362061244k+Output is not escaped
#2907Depicter — Popup & Slider Builder3613012180k+Exception output is not escaped
#2908Desktop Mode3615872k+Direct Query
#2909DeveloPress Sticky Footer Bar3616549400Output is not escaped
#2910Different Menu in Different Pages – Conditional Menu361671134k+Text Domain Mismatch
#2911Doneren met Mollie364203514k+SQL query is not prepared
#2912Drag and Drop Multiple File Upload for Contact Form 736823660k+wp function not compatible with requires wp
#2913Duitku Payment Gateway36507107700Text Domain Mismatch
#2914Duplicate Post – duplicate pages, copy content, clone posts3676815k+wp function not compatible with requires wp
#2915Dynamic Copyright Year3697243800Output is not escaped
#2916Dynamic Front-End Heartbeat Control362171111k+Text Domain Mismatch
#2917Dynamic Visibility for Elementor36568950k+Non-prefixed hook name
#2918WP CTA – Call Now Button, Sticky Button & Call to Action Builder3614332k+Non-prefixed global variable
#2919Easy Support Videos – Embed videos in the admin3616095500Output is not escaped
#2920Product Carousel Slider for Elementor36148631k+Text Domain Mismatch
#2921Email Before Download3689296k+Unsafe printing function
#2922Endora3653721k+Output is not escaped
#2923Enhanced Media Library3636111760k+Unsafe printing function
#2924Enormail Sign Up Forms36133126400Output is not escaped
#2925Envo's Templates & Widgets for Elementor and WooCommerce361,0655410k+Text Domain Mismatch
#2926Events Manager and WPML Compatibility361011771k+Direct Query
#2927Export Variable Products367949400Text Domain Mismatch
#2928Happy WooCommerce FAQs – Ultimate Product FAQ Plugin36651191k+Nonce verification recommended
#2929FreePay for WooCommerce36114102400Output is not escaped
#2930Friendly Functions for Welcart36311831k+Non Singular String Literal Domain
#2931Genesis Sandbox Featured Content Widget36229241k+Text Domain Mismatch
#2932GetPaid > Wallet36149174700Text Domain Mismatch
#2933Google SEO Pressor for Rich snippets3651160400Missing nonce verification
#2934Google Webfont Optimizer364549700Output is not escaped
#2935Gutena Kit – Gutenberg Blocks and Templates3639871k+Nonce verification recommended
#2936Header Footer Script Adder – Insert Code in Header, Body & Footer36203781k+Text Domain Mismatch
#2937Header Footer Code Manager3681180600k+Non-prefixed global variable
#2938Optimize Social Share36203613k+Unsafe printing function
#2939HTML Forms – Simple WordPress Forms Plugin3623116610k+Output is not escaped
#2940HTML5 Maps361941605k+Output is not escaped
#2941HTTP Requests Manager3698901k+Output is not escaped
#2942Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS3668336k+Output is not escaped
#2943If-So Geolocation3650571k+Non-prefixed global variable
#2944Insert Headers and Footers Code – HT Script36391347k+Text Domain Mismatch
#2945IntelliWidget Per Page Custom Menus and Dynamic Content36586162600Output is not escaped
#2946Italy Cookie Choices (for EU Cookie Law & Cookie Notice)361157710k+Unsafe printing function
#2947Just TinyMCE Custom Styles36112281k+Missing Arg Domain
#2948Lara's Google Analytics (GA4)36303579k+Unsafe printing function
#2949Leartes TRY Exchange Rates3625027500Text Domain Mismatch
#2950Legal Text Connector of the IT-Recht Kanzlei36454610k+Exception output is not escaped