Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4151WP Compress for MainWP402036700Output is not escaped
#4152Custom CSS/JS405834800Text Domain Mismatch
#4153WP Date and Time Shortcode40901210k+Output is not escaped
#4154WP Discord Invite407342400Unsafe printing function
#4155Easy PayPal & Stripe Buy Now Button403889610k+Unsafe printing function
#4156WP Help4049549k+Unsafe printing function
#4157WP All Import – Job Listing Import for WP Job Manager4035272k+Output is not escaped
#4158WP Keyword Suggest402941500Non Singular String Literal Domain
#4159Media Library Categories40294920k+Output is not escaped
#4160WP Meteor Website Speed Optimization Addon40341920k+Output is not escaped
#4161WP Multisite Content Copier/Updater4019144800Interpolated SQL is not prepared
#4162WP Nav Plus4095131k+Output is not escaped
#4163WP Paint – WordPress Image Editor4030296k+Missing Arg Domain
#4164WP Posts Carousel40199123k+Unsafe printing function
#4165QR code MeCard/vCard generator40322212k+Unsafe printing function
#4166WP Reroute Email401411061k+Output is not escaped
#4167Sentry for WordPress40804010k+Text Domain Mismatch
#4168Social Share Buttons & Analytics Plugin – GetSocial.io4097252k+Output is not escaped
#4169WP Tab Widget401283210k+Output is not escaped
#4170WP Theme Test4021397k+Input is not sanitized
#4171WPC Force Sells for WooCommerce403897600Output is not escaped
#4172WPC Smart Price Filter for WooCommerce402362600Nonce verification recommended
#4173WPFront Notification Bar402224450k+Output is not escaped
#4174WPS Menu Exporter40472210k+Output is not escaped
#4175XLTab – Accordions and Tabs for Elementor Page Builder40317651k+Text Domain Mismatch
#4176Yektanet Ecommerce40451031k+Request data is not unslashed
#4177My YouTube Channel4054385k+Output is not escaped
#4178Zippy4043319k+Output is not escaped
#4179Simple Counter4160121k+Unsafe printing function
#4180AMP for WP – Accelerated Mobile Pages416562,40180k+Non-prefixed global variable
#4181ACF: Advanced Taxonomy Selector4156151k+Output is not escaped
#4182Ad Auto Insert H41496151k+Non Singular String Literal Domain
#4183Add-on Contact Form 7 – MailPoet 34188123k+Output is not escaped
#4184Add Chat App Button4182122k+Output is not escaped
#4185AddQuicktag418610100k+Output is not escaped
#4186Advance Bank Payment Transfer Gateway41105621k+Text Domain Mismatch
#4187ACF: Google Map Extended411418800Text Domain Mismatch
#4188Advanced Excerpt41694370k+Unsafe printing function
#4189AffiliateWP – Affiliate Product Rates4184242k+Output is not escaped
#4190Age Verify4129311k+Output is not escaped
#4191AH Display Widgets4152168k+Text Domain Mismatch
#4192Schema – All In One Schema Rich Snippets4159818030k+Text Domain Mismatch
#4193Alma – Pay in installments or later for WooCommerce41116681k+Exception output is not escaped
#4194Amazon Link Engine4138172k+Output is not escaped
#4195Amazon Web Services4153215k+Missing Translators Comment
#4196Announcer – Sticky Message Banner & Notification Bar411102710k+Output is not escaped
#4197Antispam411141400Missing nonce verification
#4198ATP Call Now41987700Output is not escaped
#4199Authenticator4159441k+Output is not escaped
#4200Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO)4117526100k+Unsafe printing function