Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3351BuddyPress Follow38114671k+Text Domain Mismatch
#3352Bulgarisation for WooCommerce381295925k+Nonce verification recommended
#3353Cache Warmer38322191k+Interpolated SQL is not prepared
#3354Car Route Planner Plugin3813517400Output is not escaped
#3355Category Posts Widget381532640k+Output is not escaped
#3356CC Child Pages38631529k+Non-prefixed global variable
#3357Cecabank WooCommerce Plugin3863323k+Text Domain Mismatch
#3358Certificate Verification3833401k+Output is not escaped
#3359Database for Contact Form 738341287k+Missing nonce verification
#3360WPAppsDev – CF7 Form Submission Limit38104331k+Text Domain Mismatch
#3361Contact Form 7 – Post Fields38167253k+Text Domain Mismatch
#3362CF7 to Webhook381027230k+Unsafe printing function
#3363Checkout Files Upload for WooCommerce38571207k+Input is not sanitized
#3364Classic Editor Plus – WordPress Classic Editor plugin by Felix388342500Text Domain Mismatch
#3365Clever Mega Menu for Visual Composer38500871k+Output is not escaped
#3366Clever Mega Menu for Elementor38835441k+Output is not escaped
#3367Chatbot for WordPress by Collect.chat ⚡️3858366k+Unsafe printing function
#3368Colorlib 404 Customizer3865155k+Missing direct file access protection
#3369Country Code Selector3891201k+Unsafe printing function
#3370country-redirect385819400Text Domain Mismatch
#3371Crop-Thumbnails38332740k+Missing direct file access protection
#3372CRUDLab Disable Comments382054700Missing nonce verification
#3373One page checkout and layouts for woocommerce3883523k+Non-prefixed global variable
#3374Custom Menu Wizard Widget38326302k+Output is not escaped
#3375WP Page Templates389228400Non Singular String Literal Domain
#3376Custom post type templates for Elementor3828933700Text Domain Mismatch
#3377Customize Posts3831771k+Non-prefixed hook name
#3378Login Page Customizer – Customize Login Screen & Branding38361721k+Non-prefixed function
#3379Darkify – Dark Mode & Night Mode for Website & Admin (Dark Theme Included)3838183600Non-prefixed global variable
#3380Datafeedr Comparison Sets38450533k+Output is not escaped
#3381Datafeedr WooCommerce Importer38112565k+Text Domain Mismatch
#3382Availability Datepicker – Booking Calendar for Contact Form 7 – Input WP383443020k+Text Domain Mismatch
#3383Decent Comments3893282k+Output is not escaped
#3384Responsive Pricing Table3830910510k+Non Singular String Literal Domain
#3385Product Badge, Label, Countdown Timer for WooCommerce – Sale Booster3837985k+Interpolated SQL is not prepared
#3386Easy WP Cleaner38581242k+Non-prefixed global variable
#3387Easy Yandex Metrica389748900Output is not escaped
#3388Elemailer Lite – Elementor email template & campaign builder3844505k+Output is not escaped
#3389Email Encoder – Protect Email Addresses and Phone Numbers38915090k+Non-prefixed global variable
#3390PiWeb Product Enquiry or product catalog for WooCommerce382551451k+Text Domain Mismatch
#3391Erident Custom Login and Dashboard38122288k+Unsafe printing function
#3392EU Cookie Law Compliance38151222k+Non Singular String Literal Domain
#3393Export to Blogger3847117900Non-prefixed global variable
#3394Export User Data38187626k+Text Domain Mismatch
#3395Buttonizer – Social Media Share Buttons, Social Icons, & Social Feeds381678240k+Output is not escaped
#3396Social Photo Fetcher38151431k+Output is not escaped
#3397Social Shop for WooCommerce385124800Output is not escaped
#3398Responsive WordPress Slider – HG Slider3867757k+Missing nonce verification
#3399Flexy Breadcrumb382411320k+Output is not escaped
#3400Foyer – Digital Signage for WordPress381481911k+Non-prefixed global variable