Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3201Page scroll to id3738120100k+Missing nonce verification
#3202Panda Pods Repeater Field379260600Non-prefixed global variable
#3203PayU CommercePro Plugin372187k+error log error log
#3204GoHero Store Customizer for WooCommerce377553600Unsafe printing function
#3205Phoenix Media Rename3718010450k+Output is not escaped
#3206Plexx Elementor Extension3758214400Text Domain Mismatch
#3207PNG to JPG3713017310k+Interpolated SQL is not prepared
#3208POEditor3778140500Output is not escaped
#3209Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales3759642k+SQL query is not prepared
#3210Post Terms Order – per Post based3770362k+Output is not escaped
#3211Product Image Hover Effects WOOC – WPSHARE2473716194800Output is not escaped
#3212Product page shipping calculator for WooCommerce372171171k+Text Domain Mismatch
#3213Publish to Schedule37195433k+Text Domain Mismatch
#3214PublishPress Statuses – Custom Post Status and Workflow37231781k+Missing Arg Domain
#3215Quantities and Units for WooCommerce371331181k+Output is not escaped
#3216Quentn WP374251500Nonce verification recommended
#3217Quick Restaurant Menu37136401k+Text Domain Mismatch
#3218rapidmail: Newsletter & E-Mail Marketing for WooCommerce377947400Text Domain Mismatch
#3219Recent Posts Widget With Thumbnails3722246100k+Output is not escaped
#3220resmio button & widget379936400Text Domain Mismatch
#3221Reusable Content Blocks37349144k+Text Domain Mismatch
#3222Rich Table of Contents372625720k+Output is not escaped
#3223Robots & Sitemap3719928500Text Domain Mismatch
#3224RSS for Yandex Zen372401004k+Unsafe printing function
#3225RSS Image Feed37147162k+Output is not escaped
#3226Ryviu – Review Importer & Product Reviews3772951k+Output is not escaped
#3227SB RSS feed plus37172241k+Output is not escaped
#3228Scroll Back To Top371491210k+Output is not escaped
#3229Send PDF for Contact Form 737223089k+Non-prefixed global variable
#3230SendWP37474210k+Output is not escaped
#3231Sensei LMS Certificates37973624k+Non-prefixed global variable
#3232Sezzle Woocommerce Payment371081051k+Text Domain Mismatch
#3233Shortcoder — Create Shortcodes for Anything372570100k+Non-prefixed global variable
#3234Weaver Show Sliders37177132900Text Domain Mismatch
#3235Simple Countdown Timer371101131k+Missing Arg Domain
#3236Simple Image XML Sitemap37119161k+Output is not escaped
#3237Lightbox slider – Responsive Lightbox Gallery37361733k+Non-prefixed global variable
#3238Site Offline Or Coming Soon Or Maintenance Mode3712713830k+Unsafe printing function
#3239Skimlinks Affiliate Marketing Tool378419800wp function not compatible with requires wp
#3240Slider Pro37782601k+Non-prefixed global variable
#3241Smart Send Logistics379281400Output is not escaped
#3242Social Comments375932400Output is not escaped
#3243Spam Destroyer3763436k+rand rand
#3244StagTools37476531k+Text Domain Mismatch
#3245Website Pop-up Builder by BDOW! (formerly Sumo): Pop-ups + forms for email opt-ins and lead generation37423310k+Output is not escaped
#3246SuperCPT3717227600Output is not escaped
#3247Super Simple Site Offline37115596k+Text Domain Mismatch
#3248Swifty Bar, sticky bar by WPGens3711281400Output is not escaped
#3249TelSender – Сontact form 7, Events, Wpforms, ninja forms and woocommerce to telegram bot3748406k+Unsafe printing function
#3250Theme Builder For Elementor37477282k+Text Domain Mismatch