Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4201Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO)4117526100k+Unsafe printing function
#4202Autocomplete Google Address4122672k+Nonce verification recommended
#4203Avatar Manager4129415k+Unsafe printing function
#4204AxiaChat AI – Free AI Chatbot (Answers Customers Automatically)4111352k+Interpolated SQL is not prepared
#4205Backend Designer4150111k+Output is not escaped
#4206Beam me up Scotty – Back to Top Button4171381k+Output is not escaped
#4207Beautiful Cookie Consent Banner41337640k+Non-prefixed global variable
#4208Book Now4175141k+Output is not escaped
#4209Bop Search Box Item Type For Nav Menus4152141k+Output is not escaped
#4210BuddyPress Xprofile Custom Field Types41391894k+Missing nonce verification
#4211BuddyPress Edit Activity412826800Output is not escaped
#4212Bulk Delete Comments4115615k+Direct Query
#4213Bulk Auto Image Title Attribute (Image Title tag) optimizer (Image SEO)4116371k+Missing nonce verification
#4214Bulk Images to Posts415551k+Unsafe printing function
#4215Buzzsprout Podcasting4175135k+Non Singular String Literal Domain
#4216Cache control by Cacholong418730500Non Singular String Literal Domain
#4217Carbon Copy4164893k+Text Domain Mismatch
#4218Easy Social Like Box – Popup – Sidebar Widget41217917k+Text Domain Mismatch
#4219Categorized Tag Cloud4144171k+Output is not escaped
#4220Category Wise Search41589500Output is not escaped
#4221Čeština: zalomení řádků418686k+Text Domain Mismatch
#4222Conditional Fields for Contact Form 74110653100k+Output is not escaped
#4223CF7 Invisible reCAPTCHA4119527k+Request data is not unslashed
#4224Submission DOM tracking for Contact Form 7411448400Text Domain Mismatch
#4225ChatBot Conversational AI Support4172321k+Short PHP open tag found
#4226Checklist416225400Text Domain Mismatch
#4227clickskeks.at Cookiebanner412118500Unsafe printing function
#4228CloudGuard4141131k+Output is not escaped
#4229CMS Tree Page View – Reorder Pages with a Drag-and-Drop Tree411219650k+Unsafe printing function
#4230CoinPayments.net Payment Gateway for WooCommerce4151321k+Text Domain Mismatch
#4231Collapsed Archives415441k+Output is not escaped
#4232Colorful Categories4120202k+Output is not escaped
#4233Comments Like Dislike41172205k+Non Singular String Literal Domain
#4234Contact Form 7 Captcha41775100k+Request data is not unslashed
#4235Contact Form 7 Widget417042k+Output is not escaped
#4236Content Widget41729400Output is not escaped
#4237Contribuinte Checkout4130301k+Output is not escaped
#4238Controlled Admin Access41224010k+Nonce verification recommended
#4239Cookie Notice & Consent41101291k+Output is not escaped
#4240Simple Website Banner411068700Output is not escaped
#4241CurrencyConverter416296700Non Singular String Literal Domain
#4242Custom Meta412329700Output is not escaped
#4243Custom Post Type Cleanup4170121k+Output is not escaped
#4244Custom Recent Posts Widget416341k+Output is not escaped
#4245Dashboard Notepad41293410k+Missing nonce verification
#4246Database for CF74137322k+Text Domain Mismatch
#4247Debug Bar41642520k+Output is not escaped
#4248Developer Loggers for Simple History414628400Text Domain Mismatch
#4249DevVN Local Store4184281k+Unsafe printing function
#4250Dinamize414165500Output is not escaped