Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4451Cities Shipping Zones for WooCommerce4294444k+Text Domain Mismatch
#4452Clover Payments for WooCommerce4225152k+Exception output is not escaped
#4453Comment Blacklist Updater4245151k+Output is not escaped
#4454Comment Reply Email422123500Unsafe printing function
#4455Companion Revision Manager – Revision Control4218284k+Unsafe printing function
#4456Confetti42136173k+Unsafe printing function
#4457Contact Form 7 add confirm42315150k+Text Domain Mismatch
#4458Contador de Visitas423725500SQL query is not prepared
#4459Cookie Notify421554400Input is not validated
#4460CookieHub – Cookie Consent Banner (DSGVO, CCPA, RGPD and GDPR compliance)4233493k+Output is not escaped
#4461Cronjob Scheduler4220361k+Input is not sanitized
#4462Custom Admin Page by BestWebSoft – Configurable WordPress Dashboard Pages Plugin42472181400Text Domain Mismatch
#4463Custom Fields for Gutenberg4224241k+Output is not escaped
#4464Custom Login423611610k+Non-prefixed global variable
#4465Custom Taxonomy Order42205650k+Output is not escaped
#4466Simpliest Social Share423722600Unsafe printing function
#4467CWW connector Lite – Connect Contact Form 7 & ActiveCampaign423921400Output is not escaped
#4468Dashboard Notes422734600Missing Arg Domain
#4469Dashboard Sticky Notes4220172k+Missing nonce verification
#4470Delete Expired Transients4249655k+Direct Query
#4471Disable Comments424419100k+Unsafe printing function
#4472Disable Recaptcha – CF7427352k+Output is not escaped
#4473Disable User Login4225195k+Unsafe printing function
#4474Display Categories Widget429043k+Output is not escaped
#4475Simple HTML Sitemap4242201k+Text Domain Mismatch
#4476Storefront Online Ordering by DoorDash427610600Output is not escaped
#4477Duplicate Page or Post42122119k+Text Domain Mismatch
#4478Easy Demo Import for Omega Themes423341400Output is not escaped
#4479Easy Video Player42202020k+Output is not escaped
#4480Embedly4217382k+Output is not escaped
#4481Enable Classic Editor & Widgets4210662k+Non Singular String Literal Domain
#4482Etsy Shop4258213k+Unsafe printing function
#4483Exclude Pages42311420k+Non Singular String Literal Domain
#4484Exit Popup425151k+Output is not escaped
#4485FCM Push Notification from WP424316500Non Singular String Literal Domain
#4486File Media Renamer4216422k+Input is not sanitized
#4487First payment date for WooCommerce Subscriptions424219400Output is not escaped
#4488Flamix: Bitrix24 and Contact Form 7 integrations427941k+Output is not escaped
#4489Flexible Editor Panel for Elementor421544220k+Text Domain Mismatch
#4490Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution421111720k+Exception output is not escaped
#4491FooTable428671k+Output is not escaped
#4492FormCraft – Form Builder421861562k+Text Domain Mismatch
#4493Lock Down Admin4230203k+Unsafe printing function
#4494Fusion Page Builder : Extension – Gallery422930600Output is not escaped
#4495GA Google Analytics – Connect Google Analytics to WordPress424630400k+Output is not escaped
#4496Gelato Integration for WooCommerce4236325k+Output is not escaped
#4497Geo Blocker – Control Site Access by Region and IP4210641k+Direct Query
#4498Goolytics – Simple Google Analytics423754k+Unsafe printing function
#4499hCaptcha for WP421151870k+Exception output is not escaped
#4500Hide Cart Functions4212503k+Nonce verification recommended