Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4001La Sentinelle antispam4088463k+Output is not escaped
#4002Flag Icons40300193k+Output is not escaped
#4003Social Like Box and Page by WpDevArt4062245k+Output is not escaped
#4004Limit Login Attempts408138300k+Output is not escaped
#4005Links shortcode407313900Unsafe printing function
#4006Listdomer Core404592400Non-prefixed global variable
#4007WP All Import – Listings Import for Listify403427400Output is not escaped
#4008LJ Multi Column Archive4017251k+Output is not escaped
#4009LLM Bot Tracker – AI Crawler Detection & Analytics401890800Database parameter is not escaped
#4010Loan Comparison4027192400Request data is not unslashed
#4011Logbook4033591k+Nonce verification recommended
#4012WPO365 | Mail Integration for Office 365 / Outlook4059272k+Output is not escaped
#4013MailerSend – Official SMTP Integration4039252k+Unsafe printing function
#4014Manual Image Crop40178618k+Output is not escaped
#4015Mark New Posts406139500Non Singular String Literal Domain
#4016MAS Company Reviews For WP Job Manager4044711k+Output is not escaped
#4017Mass Email To Users408481800Output is not escaped
#4018MembershipWorks – Membership, Events & Directory4041292k+Output is not escaped
#4019Mobile Contact Line40393551k+Non-prefixed global variable
#4020WP Mobile Redirect404420400Text Domain Mismatch
#4021Modal Window – create popup modal window40417010k+Non-prefixed global variable
#4022Monkeyman Rewrite Analyzer4089102k+Non Singular String Literal Domain
#4023코드엠샵 소셜톡404736400Output is not escaped
#4024Multiple Featured Images4050225k+Output is not escaped
#4025My Social Feeds – Social Feeds Embedder Plugin for WP40877400Request data is not unslashed
#4026Flying Images: Optimize and Lazy Load Images for Faster Page Speed4032583k+Missing direct file access protection
#4027NextGEN Gallery Sidebar Widget405910500Output is not escaped
#4028No-Bot Registration40112422k+Unsafe printing function
#4029No CAPTCHA reCAPTCHA40112264k+Text Domain Mismatch
#4030One Click SSL401366210k+Unsafe printing function
#4031OPML Importer4035133k+Output is not escaped
#4032Owl Carousel WP4062191k+Output is not escaped
#4033Page As Subdomain Lite406125500Output is not escaped
#4034Page Comments Off Please4017291k+Nonce verification recommended
#4035Donations via PayPal401431720k+Output is not escaped
#4036Give – Paystack Gateway4096101k+Text Domain Mismatch
#4037Paystack MemberPress407176400Output is not escaped
#4038PE Recent Posts40292112k+Output is not escaped
#4039Permalink Editor4050281k+Output is not escaped
#4040Permalink Manager for WooCommerce40115208k+Short PHP open tag found
#4041List Petfinder Pets4012146400Output is not escaped
#4042Pixel Tag Manager for WooCommerce – Google Analytics 4, Google Ads, and More Pixels40692283k+Missing nonce verification
#4043Plugin Load Filter40761127k+Text Domain Mismatch
#4044Popup addon for Ninja Forms40121251k+Output is not escaped
#4045Post Ratings4016032600Output is not escaped
#4046Post Tiles40465400Output is not escaped
#4047Requirements Checklist4020022900Output is not escaped
#4048Private Google Calendars40227371k+Output is not escaped
#4049Privilege Widget4013952600Text Domain Mismatch
#4050Product Video Gallery for Woocommerce40613610k+Setting is missing a sanitization callback