Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4351Send link to friend418147400Output is not escaped
#4352Service Box41150230400Missing nonce verification
#4353Service Showcase4141597800Non-prefixed global variable
#4354Share a Draft413963k+Output is not escaped
#4355Simple 301 Redirects By BetterLinks – Easy WordPress Redirect Manager for Redirects, 404 Error Log & More414361100k+Request data is not unslashed
#4356Simple Cache4133591k+Input is not sanitized
#4357Simple CPT41280604k+Unsafe printing function
#4358Simple Like Page – Fast & Privacy-Friendly Page Embeds411453110k+Output is not escaped
#4359Simple Google Photos Grid414821k+Output is not escaped
#4360IP Ban4129392k+Input is not validated
#4361Simple Lightbox412148100k+Nonce verification recommended
#4362Simple Page Access Restriction4166516k+Unsafe printing function
#4363Simple Restrict4134121k+Output is not escaped
#4364Simple Revision Control4134431k+Dynamic hook name
#4365Slate Admin Theme41121196k+Output is not escaped
#4366Smart User Slug Hider4185123k+Output is not escaped
#4367Smooth Scroll Up4161106k+Output is not escaped
#4368Smoove connector for Elementor forms412260600Nonce verification recommended
#4369SnapScan Payment Gateway413330700Output is not escaped
#4370Masonry Widget415811500Output is not escaped
#4371TechGasp Sound Master411364500Output is not escaped
#4372TechGasp Music Master411434500Output is not escaped
#4373SQL Chart Builder413852600Text Domain Mismatch
#4374Squeeze – Image Optimization & Compression, WEBP Conversion4120702k+Nonce verification recommended
#4375Sticky Posts – Switch418456k+Output is not escaped
#4376Styler for Gravity Forms4136922k+Text Domain Mismatch
#4377Super Testimonial – Testimonial & Customer Review Slider Plugin for WordPress41271682k+Request data is not unslashed
#4378tarteaucitron.io41449210k+Output is not escaped
#4379Taxonomy Converter415424500Output is not escaped
#4380Taxonomy Filter4114340800Output is not escaped
#4381Terms of Service & Privacy Policy Generator41991600Output is not escaped
#4382Text Hover4144131k+Output is not escaped
#4383Text Replace4155123k+Output is not escaped
#4384Feedback Company416336800Output is not escaped
#4385Theme Blvd Importer412558500Missing nonce verification
#4386Theme Duplicator411431400Nonce verification recommended
#4387Threat Scan Plugin412917400Output is not escaped
#4388Advanced Editor Tools41143841m+Unsafe printing function
#4389TW Pagination4190231k+Non Singular String Literal Domain
#4390Unbloater4157185k+Output is not escaped
#4391Usersnap413717500Output is not escaped
#4392Visibility Logic for Elementor41274330k+Output is not escaped
#4393fancyBox 3 for WordPress4172111k+Output is not escaped
#4394Waka Bulk Page4152161k+Unsafe printing function
#4395WaveSurfer-WP418322400Unsafe printing function
#4396Abandoned Cart Recovery for WooCommerce41202024k+Request data is not unslashed
#4397Checkout Field Editor (Checkout Manager) for WooCommerce41988400k+Nonce verification recommended
#4398Advanced Custom Stock Status4184339k+Output is not escaped
#4399Top Image SEO41115265k+Unsafe printing function
#4400M-Pesa(Kenya) Checkout for Woocommerce4146381k+Text Domain Mismatch