Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4051PT Theme Addon4067211k+Output is not escaped
#4052Quick Child Theme Generator402274900Request data is not unslashed
#4053Quiz Cat – WordPress Quiz Plugin40151694k+Output is not escaped
#4054Random Banner40591251k+Output is not escaped
#4055Recent & Featured Posts Widget401242600Output is not escaped
#4056Random Post Plugin – Redirect URL to Post4028743k+Nonce verification recommended
#4057Redirector4048327k+Output is not escaped
#4058Manual Related Posts4051321k+Output is not escaped
#4059Rename default post Labels405436600Text Domain Mismatch
#4060Responsive Plus – Elementor Templates & Starter Sites404630510k+Non-prefixed global variable
#4061Responsive Full Width Background Slider40131222k+Unsafe printing function
#4062Responsive Gallery Grid4090144k+Output is not escaped
#4063Responsive Sidebar404312700Output is not escaped
#4064Responsive Slider4028153k+Output is not escaped
#4065REST API Custom Fields404416800Text Domain Mismatch
#4066Risk Free Cash On Delivery (COD) – WooCommerce4010631400Text Domain Mismatch
#4067LazyLoad Plugin – Lazy Load Images, Videos, and Iframes403117100k+Output is not escaped
#4068Role Based Redirect4020962k+Non-prefixed global variable
#4069RPB Chessboard4086981k+Missing direct file access protection
#4070Salat Times4023520500Output is not escaped
#4071Sales Tax Reports For WooCommerce405065900Output is not escaped
#4072Same Category Posts4018383k+Output is not escaped
#4073Schedule Posts Calendar4074361k+Output is not escaped
#4074Search Live4013271600Output is not escaped
#4075Search with Typesense4081122700Non-prefixed global variable
#4076Secondary Title40117317k+Unsafe printing function
#4077Select All Categories and Taxonomies, Change Checkbox to Radio Buttons40116303k+Output is not escaped
#4078Select Post Export405118500Output is not escaped
#4079Sendy Widget404617700Output is not escaped
#4080Serviceform Pixel401822400Output is not escaped
#4081Multipage407228900Unsafe printing function
#4082Show Pages URL List40292341k+Non-prefixed global variable
#4083Contact Info Widget4018431k+Output is not escaped
#4084Simple Statistics for Feeds4064131800Nonce verification recommended
#4085AdFlow – Easy Google AdSense Integration4015093k+Unsafe printing function
#4086Simple Link List Widget4012982k+Output is not escaped
#4087Simple Page Sidebars40556510k+Output is not escaped
#4088Simple Restrict4035131k+Output is not escaped
#4089Sinatra Core40101158k+Output is not escaped
#4090SiteSEO – SEO Simplified4036119500k+Nonce verification recommended
#4091Specific Content For Mobile – Customize the mobile version without redirections40261554k+Nonce verification recommended
#4092SportsPress for Cricket4012234500Text Domain Mismatch
#4093ST Demo Importer402775800Missing nonce verification
#4094Statify Widget4052134k+Output is not escaped
#4095Stax Addons for Elementor4014381500Output is not escaped
#4096CPS | Age Verification4012735800Unsafe printing function
#4097Developer Tools Blocker403547400strip tags strip tags
#4098Tagging403337500Output is not escaped
#4099Tealium407319600Unsafe printing function
#4100Theme Toolkit405314500Output is not escaped