Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3151GHL Gravity Bridge – Send Gravity Forms leads to GHL CRM3759269600Direct Query
#3152GoCache3727343900Non Singular String Literal Domain
#3153Google for WooCommerce37328121800k+Exception output is not escaped
#3154XML Sitemap Generator for Google3743791m+Input is not validated
#3155GoPay for WooCommerce37661031k+Non-prefixed global variable
#3156GS Portfolio for Envato37155754k+Text Domain Mismatch
#3157Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder378311320k+SQL query is not prepared
#3158HandL UTM Grabber / Tracker373114610k+Missing nonce verification
#3159Hash Elements37147925k+Output is not escaped
#3160Horizontal scrolling announcements372151408k+Output is not escaped
#3161HT Builder – WordPress Theme Builder for Elementor3714241900Output is not escaped
#3162HT Menu – WordPress Mega Menu Builder for Elementor37302583k+Text Domain Mismatch
#3163.htaccess Site Access Control375467800Input is not sanitized
#3164Humans TXT3715986400Output is not escaped
#3165Image Optimizer by 10web – Image Optimizer and Compression plugin37244453k+Text Domain Mismatch
#3166Image Widget Deluxe3719011k+Output is not escaped
#3167Images Optimize and Upload CF73713036600Non Singular String Literal Domain
#3168Images to WebP3739509k+curl curl setopt
#3169Injection Guard3786451k+Unsafe printing function
#3170Job Manager & Career – Manage job board listings, and recruitments371122052k+Missing nonce verification
#3171JS Help Desk – AI-Powered Support & Ticketing System37174067k+Missing nonce verification
#3172JVM Rich Text Icons3787343k+Output is not escaped
#3173Language Switcher37811051k+Missing Translators Comment
#3174LearnPress – Course Review37674320k+Output is not escaped
#3175LH Archived Post Status37150643k+Text Domain Mismatch
#3176List category posts371611780k+Output is not escaped
#3177PiWeb Live sales notification for WooCommerce372897730k+Text Domain Mismatch
#3178LiveAgent – Omnichannel Help Desk & Live Chat Software37125142400Non Singular String Literal Domain
#3179LiveJournal Importer3786678k+Output is not escaped
#3180Local Time Clock37105111k+Output is not escaped
#3181Localendar Calendar for WordPress372416400Output is not escaped
#3182MailingBoss WP Plugin3710830600Output is not escaped
#3183Maintenance Page3762333k+Output is not escaped
#3184Media Sweep – WordPress Media Cleaner37561371k+Interpolated SQL is not prepared
#3185Max Mega Menu37249174300k+Output is not escaped
#3186Meks Video Importer37622392k+Input is not sanitized
#3187Metorik – Reports & Email Automation for WooCommerce37757010k+Output is not escaped
#3188CrawlWP SEO – Instant Search Engine Indexing & SEO Performance Monitor37479040k+Dynamic hook name
#3189Monobank WP Payment3778411k+Text Domain Mismatch
#3190My Post Order37100114400Output is not escaped
#3191Nearby Now Reviews and Audio Testimonials3766671k+wp function not compatible with requires wp
#3192news ticker benaceur371,097311k+Output is not escaped
#3193NextGEN Scroll Gallery3733281k+Output is not escaped
#3194Ninja Van (MY)37212581k+Non-prefixed global variable
#3195Off-Canvas Sidebars & Menus (Slidebars)37457121k+Non Singular String Literal Domain
#3196Sendle Shipping Plugin379164800wp function not compatible with requires wp
#3197Oliver POS – WooCommerce POS for iPhone, iPad & Android3715242800Interpolated SQL is not prepared
#3198Optin Forms – Simple List Building Plugin for WordPress37647223k+Output is not escaped
#3199WP All Export – Order Export for WooCommerce371091113k+Text Domain Mismatch
#3200OSM – OpenStreetMap371306410k+Output is not escaped