Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4501Hide Featured Image42261210k+Unsafe printing function
#4502HTML Editor Syntax Highlighter42302150k+Output is not escaped
#4503Image Uploader for Welcart4227243k+Output is not escaped
#4504WP All Import – Import SEO Settings for Rank Math SEO4218447k+Nonce verification recommended
#4505iOS images fixer4222426k+Nonce verification recommended
#4506iyzico for WooCommerce42345410k+Unsafe printing function
#4507Lazy Social Comments4273101k+Unsafe printing function
#4508LeadSnap4214841k+Input is not validated
#4509LH Page Links To422538500Output is not escaped
#4510Image and Video Lightbox, Image PopUp4253151k+Output is not escaped
#4511Lightweight Social Icons4259130k+Output is not escaped
#4512LIQUID BLOCKS – Slider, Carousel, Accordion4250314k+Unsafe printing function
#4513List Custom Taxonomy Widget425259k+Output is not escaped
#4514Login No Captcha reCAPTCHA42452460k+Unsafe printing function
#4515Mailster Cool Captcha426528400Text Domain Mismatch
#4516Manage User Columns4215271k+Request data is not unslashed
#4517Mass Delete Unused Tags42219800Output is not escaped
#4518Medical Addon for Elementor4220081k+Text Domain Mismatch
#4519Message Popup For Contact Form 74230811k+Missing nonce verification
#4520Mobile CSS42597500Output is not escaped
#4521My Upload Images427448400Unsafe printing function
#4522Nav Menu Collapse4217393k+Missing nonce verification
#4523NS Remove Related Products for WooCommerce4295433k+Output is not escaped
#4524OG Tags42131342k+Non Singular String Literal Domain
#4525OnPay.io for WooCommerce42238371k+Text Domain Mismatch
#4526PageMenu4216291k+Missing nonce verification
#4527PAYDUNYA WOOCOMMERCE PAR425432600Text Domain Mismatch
#4528PDF Thumbnail Generator4226162k+Output is not escaped
#4529PE Easy Slider4219010800Output is not escaped
#4530Photo Galleria42785800Missing Arg Domain
#4531Polylang Theme Strings42119306k+Output is not escaped
#4532Post Types Order424543600k+wp function not compatible with requires wp
#4533WP Email Log – PostBox42281700Nonce verification recommended
#4534Posts Like Dislike42157395k+Non Singular String Literal Domain
#4535Prepare New Version4253246k+Output is not escaped
#4536Prismatic4261292k+Output is not escaped
#4537Product Price History for WooCommerce42101800Nonce verification recommended
#4538PuSHPress42116520k+Missing nonce verification
#4539reCAPTCHA for WooCommerce42803140k+Output is not escaped
#4540Recent Posts Widget Plus42683500Output is not escaped
#4541Rename wp-admin login4223388k+Output is not escaped
#4542Republish Old Posts4283242k+Output is not escaped
#4543WP Required Taxonomies – Categories and Tags Mandatory4243361k+Non-prefixed global variable
#4544Responsive Mortgage Calculator4238287k+Output is not escaped
#4545Reusable Blocks Extended42381520k+Output is not escaped
#4546RSS Just Better421362400Output is not escaped
#4547SALERT – Fake Sales Notification WooCommerce4241678k+Non-prefixed global variable
#4548Sendcloud Shipping4278565k+Output is not escaped
#4549SEO Backlink Monitor4286105700Output is not escaped
#4550Set All First Images As Featured424413700Text Domain Mismatch