Security Issues
Issue Codes
39 normalized finding codes in this category.
Output is not escaped
WordPress.Security.EscapeOutput.OutputNotEscaped
Dynamic data is printed to the page without an escaping function for the output context.
Request data is not unslashed
WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Input is not sanitized
WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Request data is used without being cleaned for the expected type or format.
Nonce verification recommended
WordPress.Security.NonceVerification.Recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Input is not validated
WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Request data is used without checking that it is allowed for the operation.
Missing nonce verification
WordPress.Security.NonceVerification.Missing
A request handler uses request data without verifying that the request was intentionally created by WordPress.
Unsafe printing function
WordPress.Security.EscapeOutput.UnsafePrintingFunction
A printing function is outputting dynamic content without proving that the content is escaped.
Database parameter is not escaped
PluginCheck.Security.DirectDB.UnescapedDBParameter
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
wp redirect wp redirect
WordPress.Security.SafeRedirect.wp_redirect_wp_redirect
Plugin Check reported a security-sensitive coding pattern that needs review.
SQL query is not prepared
WordPress.DB.PreparedSQL.NotPrepared
A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.
Interpolated SQL is not prepared
WordPress.DB.PreparedSQL.InterpolatedNotPrepared
Variables are interpolated into a SQL string before the query is prepared.
Exception output is not escaped
WordPress.Security.EscapeOutput.ExceptionNotEscaped
An exception message or related exception value is printed without escaping.
Setting is missing a sanitization callback
PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing
A registered setting does not define a sanitization callback.
Unfinished Prepare
WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Quoted Simple Placeholder
WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Replacements Wrong Number
WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Plugin menu slug uses __FILE__
WordPress.Security.PluginMenuSlug.Using__FILE__
Plugin Check reported a security-sensitive coding pattern that needs review.
Input is not validated or sanitized
WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized
Request data is used without both cleanup and an allowability check.
Like Wildcards In Query
WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Heredoc Output Not Escaped
WordPress.Security.EscapeOutput.HeredocOutputNotEscaped
A value reaches browser output without clear escaping for the final HTML context.
Unquoted Complex Placeholder
WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Unnecessary Prepare
WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Unsupported Identifier Placeholder
WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Like Wildcards In Query With Placeholder
WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Unsupported Placeholder
WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Deprecated function: attribute_escape
WordPress.WP.DeprecatedFunctions.attribute_escapeFound
The plugin uses a WordPress API, parameter, class, or value that has been deprecated.
Quoted Dynamic Placeholder Generation
WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
mysql mysqli real escape string
WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string
The plugin uses a raw MySQL extension or class instead of WordPress database APIs.
Deprecated function: like_escape
WordPress.WP.DeprecatedFunctions.like_escapeFound
The plugin uses a WordPress API, parameter, class, or value that has been deprecated.
Like Without Wildcards
WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
mysql mysql real escape string
WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string
The plugin uses a raw MySQL extension or class instead of WordPress database APIs.
Unescaped Literal
WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Deprecated function: js_escape
WordPress.WP.DeprecatedFunctions.js_escapeFound
The plugin uses a WordPress API, parameter, class, or value that has been deprecated.
Missing Replacements
WordPress.DB.PreparedSQLPlaceholders.MissingReplacements
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
curl curl escape
WordPress.WP.AlternativeFunctions.curl_curl_escape
The plugin uses raw cURL functions instead of the WordPress HTTP API.
curl curl unescape
WordPress.WP.AlternativeFunctions.curl_curl_unescape
The plugin uses raw cURL functions instead of the WordPress HTTP API.
register setting Invalid
PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid
Plugin Check reported a security-sensitive coding pattern that needs review.
Quoted Identifier Placeholder
WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Deprecated function: sanitize_user_object
WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound
The plugin uses a WordPress API, parameter, class, or value that has been deprecated.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3001 | Stripe Tax – Sales tax automation for WooCommerce | 36 | 97 | 61 | 30k+ | Exception output is not escaped | ||
| #3002 | Subscribe to Comments | 36 | 129 | 163 | 10k+ | Output is not escaped | ||
| #3003 | Supplier Order Email | 36 | 54 | 105 | 400 | Output is not escaped | ||
| #3004 | Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder | 36 | 162 | 40 | 200k+ | Output is not escaped | ||
| #3005 | SureContact – Newsletters, Email Marketing, Automation, Revenue Tracking & CRM | 36 | 314 | 132 | 7k+ | Text Domain Mismatch | ||
| #3006 | SurveyJS: Drag & Drop Form Builder | 36 | 12 | 134 | 500 | Missing Version | ||
| #3007 | Sync QCloud COS | 36 | 63 | 109 | 600 | Non-prefixed function | ||
| #3008 | Bulk Product Editor plugin allows you to create and edit your WooCommerce products and categories with Google Sheets. | 36 | 50 | 105 | 400 | Direct Query | ||
| #3009 | Advance Side Cart, Ajax Cart & Floating Cart for WooCommerce | 36 | 37 | 121 | 6k+ | Non-prefixed global variable | ||
| #3010 | The Events Calendar Shortcode & Block | 36 | 70 | 127 | 10k+ | Non-prefixed hook name | ||
| #3011 | Toolbox for Asgaros Forum | 36 | 150 | 84 | 1k+ | Output is not escaped | ||
| #3012 | Plugin Name: Traffic Counter Widget Plugin | 36 | 71 | 107 | 600 | Output is not escaped | ||
| #3013 | Zoho ZeptoMail | 36 | 32 | 110 | 5k+ | Request data is not unslashed | ||
| #3014 | TrustMate.io – WooCommerce integration | 36 | 255 | 101 | 3k+ | Output is not escaped | ||
| #3015 | FOMO & Social Proof Notifications by TrustPulse – Best WordPress FOMO Plugin | 36 | 104 | 39 | 10k+ | Output is not escaped | ||
| #3016 | Ubigeo de Perú para Woocommerce y WordPress | 36 | 191 | 235 | 4k+ | Non-prefixed function | ||
| #3017 | Uji Countdown | 36 | 284 | 98 | 4k+ | Text Domain Mismatch | ||
| #3018 | Slider Ultimate | 36 | 294 | 80 | 500 | Output is not escaped | ||
| #3019 | underConstruction | 36 | 98 | 60 | 40k+ | Unsafe printing function | ||
| #3020 | PDF Flipbook, WPBakery Addon – Unreal FlipBook | 36 | 400 | 92 | 1k+ | Non Singular String Literal Domain | ||
| #3021 | User Roles and Capabilities | 36 | 227 | 132 | 8k+ | Output is not escaped | ||
| #3022 | Video Thumbnails Reloaded | 36 | 343 | 58 | 2k+ | Text Domain Mismatch | ||
| #3023 | VK Post Author Display | 36 | 87 | 113 | 10k+ | Non-prefixed function | ||
| #3024 | Wanderlust OCA para WooCommerce | 36 | 157 | 55 | 500 | Text Domain Mismatch | ||
| #3025 | WC Builder – WooCommerce Page Builder for WPBakery | 36 | 647 | 50 | 1k+ | Text Domain Mismatch | ||
| #3026 | Out of Stock Message Manager for WooCommerce | 36 | 293 | 95 | 2k+ | Text Domain Mismatch | ||
| #3027 | WC Pickup Store | 36 | 245 | 52 | 2k+ | Output is not escaped | ||
| #3028 | Quantity Plus Minus Button for WooCommerce | 36 | 83 | 84 | 10k+ | Output is not escaped | ||
| #3029 | Shipping with Venipak for WooCommerce | 36 | 239 | 61 | 1k+ | Text Domain Mismatch | ||
| #3030 | When Last Login | 36 | 52 | 123 | 50k+ | Non-prefixed global variable | ||
| #3031 | Widget Indicadores Económicos (Chile) | 36 | 53 | 20 | 500 | Output is not escaped | ||
| #3032 | Disable Payment Methods based on cart conditions for WooCommerce | 36 | 158 | 57 | 1k+ | Non Singular String Literal Domain | ||
| #3033 | Custom Add to Cart Button Label and Link for WooCommerce | 36 | 371 | 112 | 3k+ | Text Domain Mismatch | ||
| #3034 | Guaranteed Reviews Company (Société des Avis Garantis) | 36 | 369 | 197 | 1k+ | Output is not escaped | ||
| #3035 | Viva Payments – Viva Wallet WooCommerce Payment Gateway | 36 | 97 | 32 | 1k+ | Non Singular String Literal Domain | ||
| #3036 | Rabo Smart Pay for WooCommerce | 36 | 150 | 55 | 600 | Text Domain Mismatch | ||
| #3037 | Extended Coupon Features for WooCommerce FREE | 36 | 219 | 63 | 10k+ | Text Domain Mismatch | ||
| #3038 | CatalogX – Catalog Mode, Enquiry & Quotes for WooCommerce | 36 | 165 | 69 | 5k+ | Text Domain Mismatch | ||
| #3039 | Eway Payments for Woo | 36 | 525 | 40 | 3k+ | Text Domain Mismatch | ||
| #3040 | SuperFaktura WooCommerce | 36 | 60 | 116 | 2k+ | Nonce verification recommended | ||
| #3041 | Hide admin notices – Admin Notification Center | 36 | 114 | 67 | 8k+ | Output is not escaped | ||
| #3042 | WP Better Permalinks | 36 | 110 | 59 | 1k+ | Output is not escaped | ||
| #3043 | WP-Cleanup | 36 | 79 | 29 | 400 | Output is not escaped | ||
| #3044 | Export Themes | 36 | 122 | 90 | 2k+ | Non-prefixed constant | ||
| #3045 | WP Coder – Insert & Manage Code Snippets | 36 | 53 | 280 | 10k+ | Nonce verification recommended | ||
| #3046 | WP Counter | 36 | 86 | 43 | 800 | Output is not escaped | ||
| #3047 | WP Custom Cursors | WordPress Cursor Plugin | 36 | 691 | 390 | 9k+ | Text Domain Mismatch | ||
| #3048 | WP-EMail | 36 | 340 | 95 | 1k+ | Unsafe printing function | ||
| #3049 | WP Header Images | 36 | 174 | 133 | 6k+ | Unsafe printing function | ||
| #3050 | WP Hotel Booking WooCommerce | 36 | 93 | 99 | 1k+ | Output is not escaped |