Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4101Multiple Shipping Addresses for WooCommerce (Address Book)40212082k+Non-prefixed global variable
#4102ThemeZee Toolkit40441166k+Nonce verification recommended
#4103Thin Out Revisions409335800Non Singular String Literal Domain
#4104Timed Content4076635k+Unsafe printing function
#4105Timeline History403117500Output is not escaped
#4106Track Geolocation Of Users Using Contact Form 74017173900Nonce verification recommended
#4107Tumblr Widget401061400Output is not escaped
#4108turboSMTP40114112400Unsafe printing function
#4109TW Recent Posts Widget4097141k+Output is not escaped
#4110TZ Flickr Widget40677500Output is not escaped
#4111Ultimate Custom Cursor401383800Output is not escaped
#4112Ultimate Dashboard – Custom WordPress Dashboard401714460k+Input is not sanitized
#4113Ultimate Noindex Nofollow Tool II4038513k+Input is not validated
#4114Ultimate Member – ForumWP forum integration403173500Nonce verification recommended
#4115Universal Honey Pot4023941k+Missing nonce verification
#4116Unlimited Logo Carousel4028615500Text Domain Mismatch
#4117Upcoming Events Lists407517900Text Domain Mismatch
#4118Url Rewrite Analyzer407323400Unsafe printing function
#4119UsersWP – ReCaptcha4080173k+Text Domain Mismatch
#4120UTM Leads Tracker – XLPlugins402138400Output is not escaped
#4121Visibility Control for LearnDash4055231k+Missing Arg Domain
#4122Visibility Control for LearnPress405219700Missing Arg Domain
#4123Visma Pay for Woocommerce4027372k+Output is not escaped
#4124Visual Builder for Contact Form 7402043500Output is not escaped
#4125Visual Editor Custom Buttons4030484k+Output is not escaped
#4126WP Sticky Button – Click to Chat40736410k+Non-prefixed global variable
#4127WooBooster Partial COD for WooCommerce409051500Text Domain Mismatch
#4128Where Did You Hear About Us Checkout Field for WooCommerce4057661k+Output is not escaped
#4129WC Search Orders By Product404766800Nonce verification recommended
#4130Webo-facto40411021k+Nonce verification recommended
#4131Weight Based Pricing for WooCommerce4016786600Text Domain Mismatch
#4132Wider Admin Menu4076172k+Output is not escaped
#4133Widget Builder404052500Non-prefixed global variable
#4134Widget Menuizer404426600Missing Arg Domain
#4135Widget Visibility Without Jetpack4074475k+Text Domain Mismatch
#4136Widgets Control409247800Output is not escaped
#4137Wonder Video Embed409444k+Output is not escaped
#4138WPC Frequently Bought Together for WooCommerce406310910k+Output is not escaped
#4139Eurobank WooCommerce Payment Gateway4066432k+Non Singular String Literal Domain
#4140Preview E-mails for WooCommerce40353730k+Unsafe printing function
#4141NP Quote Request for WooCommerce40911459k+Non-prefixed global variable
#4142Total Sales Counts for WooCommerce4012162700SQL query is not prepared
#4143Additional Variation Images Gallery for WooCommerce406012920k+Non-prefixed global variable
#4144Wallet for WooCommerce403252420k+Non-prefixed hook name
#4145yubikey-plugin406433400Text Domain Mismatch
#4146All In One SEO Pack for WooCommerce4057253k+Text Domain Mismatch
#4147Simple Registration for WooCommerce4027554k+Missing nonce verification
#4148WooSidebars404337100k+Missing Translators Comment
#4149Word Balloon402012510k+Request data is not unslashed
#4150WP Ajax Load More Pagination and Infinite Scroll406315400Output is not escaped