Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2951Linkable Title Html and Php Widget3610831600Output is not escaped
#2952Login as User361016430k+Output is not escaped
#2953LONG URL MAKER3639711k+Direct Query
#2954LocalWeb All In One36342975k+Non-prefixed global variable
#2955MailMunch – Grow your Email List36102496k+Output is not escaped
#2956Manage Notification E-mails3612998100k+Non-prefixed function
#2957Materialis Companion36129676k+Unsafe printing function
#2958Media Deduper3660999k+Missing Arg Domain
#2959Microsoft Clarity3648163200k+Nonce verification recommended
#2960Mobile Menu Builder for WordPress368133600Output is not escaped
#2961Motors VIN Decoder368788400Output is not escaped
#2962코드엠샵 마이사이트 – MSHOP MY SITE365855800Output is not escaped
#2963Multiple Sidebars3610975600Non Singular String Literal Domain
#2964WP Sticky Sidebar – Floating Sidebar On Scroll for Any Theme36938410k+Non-prefixed global variable
#2965News Manager3613457600Output is not escaped
#2966News Ticker for Elementor3676572k+Text Domain Mismatch
#2967NextGEN Custom Fields362151311k+SQL query is not prepared
#2968MailerLite – Signup forms (official)36430158100k+Output is not escaped
#2969We’re Open!362731875k+Unsafe printing function
#2970Order Status History for WooCommerce362101711k+Output is not escaped
#2971Ovation Elements362339910k+Non-prefixed global variable
#2972Ozh' Admin Drop Down Menu36125433k+Output is not escaped
#2973PayPal Currency Converter BASIC for WooCommerce3634820400Output is not escaped
#2974PayTR Sanal POS WooCommerce – iFrame API361175410k+Output is not escaped
#2975PDF Forms Filler for CF736185793k+Text Domain Mismatch
#2976PDF Forms Filler for WPForms3616154600Text Domain Mismatch
#2977Peter’s Post Notes362241023k+Output is not escaped
#2978Photonic Gallery & Lightbox for Flickr, SmugMug & Others3618011710k+Missing Translators Comment
#2979Photoswipe Masonry Gallery3657476k+Non Singular String Literal Text
#2980Plugins Garbage Collector (Database Cleanup)36325110k+Missing nonce verification
#2981Post Views Stats Counter36142241700Non-prefixed global variable
#2982ActiveCampaign Postmark for WordPress36477550k+Text Domain Mismatch
#2983WowStore – Store Builder & Product Blocks for WooCommerce36564374k+Non-prefixed global variable
#2984افزونه رسمی ترب36428620k+Exception output is not escaped
#2985Qubely – Advanced Gutenberg Blocks3639788k+Request data is not unslashed
#2986Quick 301 Redirects36891205k+Non-prefixed global variable
#2987Direct Checkout – Quick View – Buy Now For WooCommerce36901122k+Missing nonce verification
#2988Rara One Click Demo Import361229820k+Missing Translators Comment
#2989Better Find and Replace – AI-Powered Suggestions366712940k+Missing direct file access protection
#2990Recent Posts3610630500Text Domain Mismatch
#2991Responsive Testimonials3625232500Text Domain Mismatch
#2992Optimize Database after Deleting Revisions3664412760k+Output is not escaped
#2993Search & Replace365053100k+Missing nonce verification
#2994Search Everything361657710k+Text Domain Mismatch
#2995Speed Optimizer – The All-In-One Performance-Boosting Plugin3645961m+Non-prefixed hook name
#2996Shadowbox JS36246141k+Unsafe printing function
#2997ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution3663669100k+Non-prefixed global variable
#2998Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website362165050k+Output is not escaped
#2999SMTP for SendGrid – YaySMTP3627961k+Non-prefixed global variable
#3000StaticPress368879500Output is not escaped