Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4251Disable Everything41901630k+Output is not escaped
#4252Disqus Conditional Load4138143k+Output is not escaped
#4253DigitalOcean Spaces Sync41808500Text Domain Mismatch
#4254Dropdown multisite selector418213900Unsafe printing function
#4255GDPR tools: Cookie notice + privacy416786k+Unsafe printing function
#4256DSGVO Youtube4148291k+Unsafe printing function
#4257Duplicate Post Page Menu & Custom Post Type41351110k+Text Domain Mismatch
#4258Duplicate Page and Post41262180k+Unsafe printing function
#4259Easy Random Quotes414214500Output is not escaped
#4260Edit Lock414722500Non Singular String Literal Domain
#4261Email Address Encoder411098100k+wp function not compatible with requires wp
#4262Embed Chessboard411039600Text Domain Mismatch
#4263Essential Form – The lightest plugin for contact forms, ultra lightweight and no spam412153500Missing nonce verification
#4264Payment Gateway of PayPal for WooCommerce41441847k+Nonce verification recommended
#4265Extra User Details4184151k+Non Singular String Literal Domain
#4266Fast Chat Button41241881k+Non-prefixed global variable
#4267Heroic Favicon Generator4110476k+Output is not escaped
#4268Feature A Page Widget416653k+Output is not escaped
#4269Featured Audio41549400Output is not escaped
#4270Featured Image Generator4131161k+Output is not escaped
#4271Flexible Posts Widget41136337k+Output is not escaped
#4272FluentAffiliate – Affiliate Program Management Suite, Affiliates Manager41115141k+Exception output is not escaped
#4273Gallery Lightbox41471610k+Output is not escaped
#4274Genesis Featured Page Advanced4120947k+Output is not escaped
#4275Genesis Footer Builder4112431k+Output is not escaped
#4276Google Authenticator41396520k+Output is not escaped
#4277(Simply) Guest Author Name4135362k+Output is not escaped
#4278SNORDIAN's H5PxAPIkatchu4111988500SQL query is not prepared
#4279Hash Form – Drag & Drop Form Builder4192753k+Non-prefixed global variable
#4280Hide My Dates415011400Unsafe printing function
#4281Hide WP Admin Login412339500Nonce verification recommended
#4282Highcompress Image Compressor4110669600Text Domain Mismatch
#4283iCount Payment Gateway4115322500Text Domain Mismatch
#4284Import external attachments4118262k+Output is not escaped
#4285Infinite Ajax Scrolling Lite For Woocommerce413328500Output is not escaped
#4286Inpost Paczkomaty4135688k+Text Domain Mismatch
#4287Insert JavaScript and CSS416419400Text Domain Mismatch
#4288Jellyfish Counter Widget4117451k+Output is not escaped
#4289Multiple Themes411124110k+Output is not escaped
#4290jQuery Vertical Scroller411104400Output is not escaped
#4291Social Sharing Plugin – Kiwi4123804k+Non-prefixed global variable
#4292Ko-fi Button4175155k+Output is not escaped
#4293Central Color Palette41733310k+Output is not escaped
#4294Lazy Load Optimizer4163263k+Unsafe printing function
#4295Lazy Load XT41877600Non Singular String Literal Domain
#4296LH Agree to Terms415932800Output is not escaped
#4297Lockdown WP Admin41205010k+Request data is not unslashed
#4298Log cleaner for Solid Security4165478k+Text Domain Mismatch
#4299Magic Liquidizer Responsive Table41114386k+Text Domain Mismatch
#4300MaxLimits – Increase Maximum Upload, Post & PHP Limits4199162k+Unsafe printing function