Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4401WPC Product Bundles for WooCommerce41219330k+Missing nonce verification
#4402Country Based Restrictions for WooCommerce4127675k+Request data is not unslashed
#4403Quick View For WooCommerce4144441k+Output is not escaped
#4404WPC Smart Wishlist for WooCommerce414738100k+Output is not escaped
#4405WooCommerce Colors41632810k+Output is not escaped
#4406Pay for Payment for WooCommerce41296710k+Missing nonce verification
#4407Spam Protect for Contact Form 741166110k+Request data is not unslashed
#4408WP Crontrol412091300k+Nonce verification recommended
#4409WP Dashboard Notes41242920k+Unsafe printing function
#4410WP Extended Search411593720k+Output is not escaped
#4411Regions for WP Job Manager4129557k+Nonce verification recommended
#4412WP Lorem ipsum413729500Unsafe printing function
#4413WP Media folders4119743k+Direct Query
#4414WP Modal Popup with Cookie Integration4188131k+Unsafe printing function
#4415Pledged Plugins PCI Gateway for NMI and WooCommerce41160422k+Text Domain Mismatch
#4416WP Permalink Translator4134212k+Unsafe printing function
#4417WP Router412913800Exception output is not escaped
#4418WP Test Email41322820k+Unsafe printing function
#4419User Login Notifier for WordPress4172261k+Output is not escaped
#4420WPC Composite Products for WooCommerce4111739k+Missing nonce verification
#4421WPS Hide Login4134722m+Nonce verification recommended
#4422Export WooCommerce Orders, Products, Customers & Coupons to Google Sheets414535700Output is not escaped
#4423Simple Accessibility Button4133171900Non-prefixed global variable
#4424Z-Credit Checkout – WooCommerce Payment Gateway4115122900Text Domain Mismatch
#4425Zilla Portfolio4113915400Text Domain Mismatch
#4426Pricing Table – Responsive & Easy421171483k+Non-prefixed global variable
#4427ActiveTrail – Contact Form 7421885600Missing nonce verification
#4428Add to Cart Button Custom Text429849k+Text Domain Mismatch
#4429Add to Home Screen & Progressive Web App4223681k+Request data is not unslashed
#4430Admin Options Pages423284500Nonce verification recommended
#4431Affiliate Link Tracker422449500Request data is not unslashed
#4432Agoda Affiliate Partners Text Link Generator42440500Interpolated SQL is not prepared
#4433Post Grid Master — Post Grids & AJAX Filters42441151k+Non-prefixed global variable
#4434All-in-one Like Widget4216521k+Text Domain Mismatch
#4435Open Currency Converter4259191k+Unsafe printing function
#4436Automatic NBSP4224163k+Output is not escaped
#4437AweSplash – Just Splash Page423934400Output is not escaped
#4438多合一搜索自动推送管理插件-支持Baidu/Google/Bing/IndexNow/Yandex/头条4217382k+Input is not sanitized
#4439Basic SEO Pack42868700Output is not escaped
#4440Bazz CallBack widget4255283k+Unsafe printing function
#4441Block Temporary Email423313500Unsafe printing function
#4442Booking.com Official Search Box4236322k+Output is not escaped
#4443BP Auto Group Join425555700Output is not escaped
#4444Bulk Change Media Author4225202k+Unsafe printing function
#4445CCAvenue Payment Gateway for WooCommerce4253403k+Text Domain Mismatch
#4446Custom Spinner for Contact Form 74236111k+Output is not escaped
#4447HTML Template for CF74221271k+Non-prefixed global variable
#4448Change Background Color for Pages, Posts, Widgets42357500Text Domain Mismatch
#4449Chartbeat4233181k+Output is not escaped
#4450Cities Shipping Zones for WooCommerce4294444k+Text Domain Mismatch