Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3301TopNewsWp – Display Tikcer News, RSS Feed Widget and Many More3787859800Output is not escaped
#3302WPElemento Importer37121889k+Text Domain Mismatch
#3303WPO365 | MICROSOFT 365 GRAPH MAILER371128310k+Text Domain Mismatch
#3304WP VR – 360 Panorama and Virtual Tour Builder37327510k+Non-prefixed hook name
#3305XT Visitor Counter37177527k+Output is not escaped
#3306Yada Wiki37207452k+Text Domain Mismatch
#3307YOURLS Link Creator3719639500Text Domain Mismatch
#3308Widget Responsive for Youtube3724077k+Output is not escaped
#3309Zakeke Interactive Product Designer for WooCommerce371861772k+Nonce verification recommended
#3310Zoho Marketing Automation37241941k+Non-prefixed global variable
#3311Zendesk Chat37446710k+Output is not escaped
#3312Accessibility3866611k+Non-prefixed global variable
#3313AccessibleWP – Accessibility Toolbar383812620k+Text Domain Mismatch
#3314ACF-VC Integrator38190913k+Output is not escaped
#3315Action Scheduler389213420k+Exception output is not escaped
#3316Parallax Scroll by adamrob.co.uk38102511k+Output is not escaped
#3317Add Customer for WooCommerce382291531k+Text Domain Mismatch
#3318Admin Bar Editor – Toolbar Customization with User Role based access & Custom menus3856463k+Output is not escaped
#3319Admin Bar & Dashboard Access Control3894373k+Text Domain Mismatch
#3320Admin Management Xtended382801615k+Output is not escaped
#3321Admin Tools38189103k+Unsafe printing function
#3322AdRoll for WooCommerce Stores384025600Output is not escaped
#3323AWCA – The Great Analytics Insights for Your eStore382381432k+Output is not escaped
#3324Advanced 301 and 302 Redirect38813391k+Non-prefixed global variable
#3325Advanced Media Offloader3857935k+error log error log
#3326Advanced Product Search For WooCommerce38160384k+Text Domain Mismatch
#3327Advanced Sermons388331841k+Unsafe printing function
#3328Afterpay Gateway for WooCommerce381836210k+Text Domain Mismatch
#3329AK Featured Post Widget381354400Output is not escaped
#3330Alphabetic Pagination38144117500Unsafe printing function
#3331Anant Sites — Elementor & Gutenberg Readymade Template Library Free & Pro Templates38201561k+Non-prefixed global variable
#3332Announce from the Dashboard38138247k+Non Singular String Literal Domain
#3333Announcement Bar38192613k+Non Singular String Literal Domain
#3334Any Mobile Theme Switcher38695920k+Output is not escaped
#3335Aplazame383439600Non-prefixed global variable
#3336Activity Log – Monitor & Record User Changes3881149200k+Nonce verification recommended
#3337Ashe Extra38109543k+Text Domain Mismatch
#3338Attachments38238668k+Unsafe printing function
#3339Audio Story Images384644400Output is not escaped
#3340Author Category3885254k+Output is not escaped
#3341Auto Prune Posts3854571k+Output is not escaped
#3342Autologin Links3873748k+Output is not escaped
#3343Automatic Post Tagger385923072k+Output is not escaped
#3344bbPress Login Register Links On Forum Topic Pages3814236600Text Domain Mismatch
#3345Beauty Form Styler for Gravity Forms387093600Output is not escaped
#3346Before After Image Comparison Slider for Elementor38633610k+Text Domain Mismatch
#3347Bible Verse of the Day38378233k+Unsafe printing function
#3348SoftTech-IT bKash, Rocket, Nagad38164816k+Text Domain Mismatch
#3349Blogger Importer38443950k+Output is not escaped
#3350Bot Block – Stop Spam Referrals in Google Analytics382842600Output is not escaped