Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3001Stripe Tax – Sales tax automation for WooCommerce36976130k+Exception output is not escaped
#3002Subscribe to Comments3612916310k+Output is not escaped
#3003Supplier Order Email3654105400Output is not escaped
#3004Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder3616240200k+Output is not escaped
#3005SureContact – Newsletters, Email Marketing, Automation, Revenue Tracking & CRM363141327k+Text Domain Mismatch
#3006SurveyJS: Drag & Drop Form Builder3612134500Missing Version
#3007Sync QCloud COS3663109600Non-prefixed function
#3008Bulk Product Editor plugin allows you to create and edit your WooCommerce products and categories with Google Sheets.3650105400Direct Query
#3009Advance Side Cart, Ajax Cart & Floating Cart for WooCommerce36371216k+Non-prefixed global variable
#3010The Events Calendar Shortcode & Block367012710k+Non-prefixed hook name
#3011Toolbox for Asgaros Forum36150841k+Output is not escaped
#3012Plugin Name: Traffic Counter Widget Plugin3671107600Output is not escaped
#3013Zoho ZeptoMail36321105k+Request data is not unslashed
#3014TrustMate.io – WooCommerce integration362551013k+Output is not escaped
#3015FOMO & Social Proof Notifications by TrustPulse – Best WordPress FOMO Plugin361043910k+Output is not escaped
#3016Ubigeo de Perú para Woocommerce y WordPress361912354k+Non-prefixed function
#3017Uji Countdown36284984k+Text Domain Mismatch
#3018Slider Ultimate3629480500Output is not escaped
#3019underConstruction36986040k+Unsafe printing function
#3020PDF Flipbook, WPBakery Addon – Unreal FlipBook36400921k+Non Singular String Literal Domain
#3021User Roles and Capabilities362271328k+Output is not escaped
#3022Video Thumbnails Reloaded36343582k+Text Domain Mismatch
#3023VK Post Author Display368711310k+Non-prefixed function
#3024Wanderlust OCA para WooCommerce3615755500Text Domain Mismatch
#3025WC Builder – WooCommerce Page Builder for WPBakery36647501k+Text Domain Mismatch
#3026Out of Stock Message Manager for WooCommerce36293952k+Text Domain Mismatch
#3027WC Pickup Store36245522k+Output is not escaped
#3028Quantity Plus Minus Button for WooCommerce36838410k+Output is not escaped
#3029Shipping with Venipak for WooCommerce36239611k+Text Domain Mismatch
#3030When Last Login365212350k+Non-prefixed global variable
#3031Widget Indicadores Económicos (Chile)365320500Output is not escaped
#3032Disable Payment Methods based on cart conditions for WooCommerce36158571k+Non Singular String Literal Domain
#3033Custom Add to Cart Button Label and Link for WooCommerce363711123k+Text Domain Mismatch
#3034Guaranteed Reviews Company (Société des Avis Garantis)363691971k+Output is not escaped
#3035Viva Payments – Viva Wallet WooCommerce Payment Gateway3697321k+Non Singular String Literal Domain
#3036Rabo Smart Pay for WooCommerce3615055600Text Domain Mismatch
#3037Extended Coupon Features for WooCommerce FREE362196310k+Text Domain Mismatch
#3038CatalogX – Catalog Mode, Enquiry & Quotes for WooCommerce36165695k+Text Domain Mismatch
#3039Eway Payments for Woo36525403k+Text Domain Mismatch
#3040SuperFaktura WooCommerce36601162k+Nonce verification recommended
#3041Hide admin notices – Admin Notification Center36114678k+Output is not escaped
#3042WP Better Permalinks36110591k+Output is not escaped
#3043WP-Cleanup367929400Output is not escaped
#3044Export Themes36122902k+Non-prefixed constant
#3045WP Coder – Insert & Manage Code Snippets365328010k+Nonce verification recommended
#3046WP Counter368643800Output is not escaped
#3047WP Custom Cursors | WordPress Cursor Plugin366913909k+Text Domain Mismatch
#3048WP-EMail36340951k+Unsafe printing function
#3049WP Header Images361741336k+Unsafe printing function
#3050WP Hotel Booking WooCommerce3693991k+Output is not escaped