Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4551Simple Googlebot Visit4232671k+Non Singular String Literal Domain
#4552Simple Meta Tags422813700Output is not escaped
#4553Simple Sticky Footer425716600Missing Arg Domain
#4554SMTP Mailer42514970k+Unsafe printing function
#4555Social Icon Widget42906500Output is not escaped
#4556Speed Contact Bar4253204k+Output is not escaped
#4557Squelch Tabs and Accordions Shortcodes4257511k+Unsafe printing function
#4558Staffer428842600Output is not escaped
#4559Starter Sites4262251k+Output is not escaped
#4560Sticky Add To Cart Bar For WooCommerce424654600Output is not escaped
#4561Sticky Floating Button (Book Now, Contact, Call To Action…)429526900Missing Arg Domain
#4562StifLi Flex MCP – MCP Server with undo for ChatGPT, Claude & Gemini4221101k+Interpolated SQL is not prepared
#4563Combine Social Photos | Still BE4233281700Non-prefixed global variable
#4564SuperSaaS – online appointment scheduling4279101k+Text Domain Mismatch
#4565ThemeZee Widget Bundle42211585k+Output is not escaped
#4566Top Bar42751110k+Output is not escaped
#4567Transients Manager42455020k+Output is not escaped
#4568Two Factor421870100k+Nonce verification recommended
#4569Ultimate Category Excluder42222650k+Missing nonce verification
#4570Ultimate Coming Soon Page, Maintenance Mode & Under Construction – Gutenberg Block Builder & Landing Page4215899k+Non-prefixed global variable
#4571UniConsent Cookie Consent CMP – Consent Manager42148181k+Unsafe printing function
#4572UPI QR Code Payment Gateway42179281k+Text Domain Mismatch
#4573Usermaven4236771k+Request data is not unslashed
#4574Vast Demo Import42180113600Text Domain Mismatch
#4575Vertical marquee post title4210968400Output is not escaped
#4576WC Price History4218214k+Database parameter is not escaped
#4577WC Speed Repair4234741k+Non-prefixed global variable
#4578Weather Widget Pro4229451k+Output is not escaped
#4579WebPlanex: GST Invoice India426363400Text Domain Mismatch
#4580Widget Contact Now42696500Output is not escaped
#4581Widget Visibility Time Scheduler4270341k+Output is not escaped
#4582Auto Coupons for WooCommerce4281684k+Output is not escaped
#4583WPC Order Notes for WooCommerce422441900Output is not escaped
#4584List Products By Category Widget for WooCommerce428451k+Output is not escaped
#4585TT Extra Fee Option for WooCommerce4237191k+Output is not escaped
#4586Dynamic Remarketing for Google Ads and WooCommerce4232152k+Output is not escaped
#4587WP Author Security424013500Output is not escaped
#4588WP Before After Image Slider – Interactive Image and Video Comparison Plugin for WordPress42112171k+Text Domain Mismatch
#4589WP Bulk Delete427130100k+Direct Query
#4590WP Child Theme Generator42356620k+Request data is not unslashed
#4591WP Content Copy Protection & No Right Click42126135100k+Unsafe printing function
#4592WP Cron Cleaner425138500Unsafe printing function
#4593WP Fingerprint4234479k+Direct Query
#4594WP Media Category Management42101766k+Nonce verification recommended
#4595WP Post Redirect4229173k+Unsafe printing function
#4596WP QuickLaTeX4241604k+Non-prefixed global variable
#4597WP Responsive Table4242106k+Output is not escaped
#4598Advanced All in One Admin Search by WP Spotlight422525900Missing Version
#4599WP Widget Clipboard – Duplicate widgets intuitively425119800Output is not escaped
#4600WPB Custom Tab Manager for WooCommerce – Add, Edit & Reorder Tabs429532500Output is not escaped