Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3101Better Click To Share – Shareable Quote Boxes for X (Twitter)37170596k+Unsafe printing function
#3102Blimply3717243800Text Domain Mismatch
#3103Blog News Addons For Elementor (News, Magazine and Blog Addons)3723296400Non-prefixed global variable
#3104Customize WordPress Emails and Alerts – Better Notifications for WP37644730k+Missing Arg Domain
#3105Booster Extension37282896k+Non-prefixed global variable
#3106Britetechs Companion379666132k+Text Domain Mismatch
#3107BuddyPress Members Only37184801k+Text Domain Mismatch
#3108bunny.net – WordPress CDN Plugin3716515910k+Output is not escaped
#3109Contact Zalo Report SW374439900Missing Arg Domain
#3110Delivery Date Time & Pickup for WooCommerce37148216400Output is not escaped
#3111Call Now Button – The #1 Click to Call Button for WordPress371,2735200k+Exception output is not escaped
#3112Carousel Upsells and Related Product for Woocommerce37173351k+Output is not escaped
#3113Catalog Booster & Product Catalog Mode for WooCommerce371061681k+Non-prefixed function
#3114Checkout for PayPal3713467600Unsafe printing function
#3115Clearpay Gateway for WooCommerce37185631k+Text Domain Mismatch
#3116ClickCease Click Fraud Protection37305810k+Non-prefixed class
#3117ClickRank – Ai SEO Automation37102261k+Direct Query
#3118CodePeople Post Map for Google Maps37257313k+Unsafe printing function
#3119Coming Soon & Maintenance Mode by Colorlib371001366k+Non-prefixed global variable
#3120Lightweight Subscribe To Comments37105701k+Unsafe printing function
#3121PiWeb Conditional cart fee / Extra charge rule for WooCommerce371642142k+Text Domain Mismatch
#3122Constant Contact Forms by MailMunch37147532k+wp function not compatible with requires wp
#3123CookieAdmin – Cookie Consent Banner374386400k+Nonce verification recommended
#3124CorvusPay WooCommerce Payment Gateway37291411k+Missing nonce verification
#3125Crafty Social Buttons37279271k+Non Singular String Literal Domain
#3126Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter3715161600Output is not escaped
#3127Simple Custom CSS and JS3716869600k+Output is not escaped
#3128Custom CSS Manager3755201k+Output is not escaped
#3129Custom Post Template37483010k+Output is not escaped
#3130Customer Email Verification for WooCommerce371651642k+Nonce verification recommended
#3131Debug Log Viewer3726831k+Missing nonce verification
#3132Disclaimer Popup37313531k+Text Domain Mismatch
#3133Donation Block For PayPal3723106600Input is not validated
#3134DSGVO/GDPR Cookies, DSE, Impressum & Google Fonts Proxy3739125700Text Domain Mismatch
#3135Duo Two-Factor Authentication3744613k+Missing nonce verification
#3136Easy Photo Album37360431k+Text Domain Mismatch
#3137Pricing Table WordPress Plugin – Easy Pricing Tables3733216110k+Output is not escaped
#3138Easy Profile Widget3715720400Output is not escaped
#3139Easy Testimonial Slider and Form3714144700Request data is not unslashed
#3140EasyMe Connect3713045500Text Domain Mismatch
#3141Eazy CF Captcha379354500Text Domain Mismatch
#3142WP eBay Product Feeds3713631700Output is not escaped
#3143Encyclopedia / Glossary / Wiki37263481k+Output is not escaped
#3144Excerpt Editor37170142500Unsafe printing function
#3145Exploit Scanner37251308k+Non-prefixed global variable
#3146Facturare WooCommerce371581063k+Text Domain Mismatch
#3147Furgonetka.pl: Przesyłki & Narzędzia e-commerce3766487k+Exception output is not escaped
#3148Get Custom Field Values3740441k+Output is not escaped
#3149果果推送3731561k+Nonce verification recommended
#3150Gmail SMTP37857110k+Unsafe printing function