Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3251Theme Builder For Elementor37477282k+Text Domain Mismatch
#3252Tilopay37351301k+Nonce verification recommended
#3253Time Clock – A WordPress Employee & Volunteer Time Clock Plugin37166107500Output is not escaped
#3254Tracking Code Manager37554290k+Output is not escaped
#3255Tracking Script Manager3782572k+Non Singular String Literal Domain
#3256Tourfic Toolkit37671651k+Post Not In exclude
#3257Ultimate WordPress Auction Plugin376231421k+Text Domain Mismatch
#3258Landing Page Builder – Free Landing Page Templates37329111600Output is not escaped
#3259Ultimate Tag Cloud Widget37715164k+Output is not escaped
#3260User Meta Display377874500Output is not escaped
#3261UsersWP – Social Login37299912k+Text Domain Mismatch
#3262ValidateCertify Free37123971k+Text Domain Mismatch
#3263Varnish/Nginx Proxy Caching3728736600Output is not escaped
#3264ViaBill – WooCommerce3743786500Text Domain Mismatch
#3265Virtual Classroom – Video Conferencing & Online Meeting with BigBlueButton3745140400Nonce verification recommended
#3266Featured Video for WordPress – VideographyWP37287931k+Unsafe printing function
#3267Views for WPForms – Display & Edit WPForms Entries on your site frontend3780641k+Output is not escaped
#3268Innovs WPBakery Visual Composer WHMCS Elements37154242k+Text Domain Mismatch
#3269Weather Atlas Widget376301118k+Output is not escaped
#3270Widget Box Lite3731817900Output is not escaped
#3271Conditional Discounts for WooCommerce – A simple yet complete woocommerce dynamic pricing plugin3799339k+Text Domain Mismatch
#3272Orders Tracking for WooCommerce37731210k+Request data is not unslashed
#3273Módulo PagSeguro379046900Unsafe printing function
#3274Piraeus Bank WooCommerce Payment Gateway371461043k+Non Singular String Literal Domain
#3275SUMIT Payment Gateway for WooCommerce37358741k+Text Domain Mismatch
#3276Variation Swatches for WooCommerce379210310k+Output is not escaped
#3277Xendit Payment3731973k+Missing nonce verification
#3278Amazon Pay for WooCommerce372911710k+Non-prefixed class
#3279WP WooCommerce Mailchimp3762856k+Non-prefixed hook name
#3280WooCommerce PayPal Payments37194110800k+Exception output is not escaped
#3281Quickpay for WooCommerce3766564k+Nonce verification recommended
#3282Wordable – Export Google Docs to WordPress3747632k+Output is not escaped
#3283Hustle – Email Marketing, Lead Generation, Optins, Popups374,8945,94290k+Non-prefixed global variable
#3284Fix Media Library3753711k+Output is not escaped
#3285WP Category Permalink3775312k+Output is not escaped
#3286WP-Cron Control3754221k+Output is not escaped
#3287WP Emmet3715483k+Output is not escaped
#3288WP Export Categories & Taxonomies3716935500Output is not escaped
#3289WPForce Logout – WordPress User Login Logout Management Plugin37567328k+Output is not escaped
#3290WP FullCalendar3732648k+Nonce verification recommended
#3291FundEngine – Donation and Crowdfunding Platform378991k+Exception output is not escaped
#3292WP Image Markers – Easy Hotspot Solution3717966700Text Domain Mismatch
#3293WP Flow Plus37175146800Output is not escaped
#3294WP PageNavi Style37109118k+Unsafe printing function
#3295Persistent Login373381086k+Unsafe printing function
#3296WP Plugin Info Card3753376500Nonce verification recommended
#3297WP Post Signature3790131k+Unsafe printing function
#3298ReCaptcha Integration for WordPress3760669k+Output is not escaped
#3299WP Show Stats37197103400Output is not escaped
#3300Special Text Boxes3738422k+Direct Query