Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4601WPB Custom Tab Manager for WooCommerce – Add, Edit & Reorder Tabs429532500Output is not escaped
#4602WPFomo42459600Output is not escaped
#4603WPTerm4261893k+Output is not escaped
#4604Yandex.Metrika421520900Unsafe printing function
#4605Zotpress42104032k+Non-prefixed global variable
#4606AddFunc Head & Footer Code43281820k+Output is not escaped
#4607Admin Custom Login4323820k+Request data is not unslashed
#4608Admin Menu Tree Page View43176910k+Nonce verification recommended
#4609Advanced FAQ Manager438592k+Input is not sanitized
#4610Advanced TinyMCE Configuration4399810k+Text Domain Mismatch
#4611AdWords Conversion Tracking Code4326251k+Non Singular String Literal Domain
#4612AMP4363362400k+Non-prefixed hook name
#4613Animation Builder – An interface for adding scroll-triggered animations43767800Missing Version
#4614Anonymous Restricted Content4322241k+Unsafe printing function
#4615Anti-spam Reloaded4319192k+Output is not escaped
#4616Auto Alt Text4352134k+Exception output is not escaped
#4617Automatic Responsive Tables4367151k+Output is not escaped
#4618BMI Adult & Kid Calculator4333138700Request data is not unslashed
#4619Category Editor4354188k+Unsafe printing function
#4620Charla Live Chat433313500Output is not escaped
#4621Click to Call or Chat Buttons434761k+Output is not escaped
#4622Comment Reply Email Notification4344193k+Output is not escaped
#4623Simple Mortgage Calculator436731k+Text Domain Mismatch
#4624Custom Menu438311400wp function not compatible with requires wp
#4625Customize Login Image433293k+Unsafe printing function
#4626Customize Snapshots43942500Nonce verification recommended
#4627Database Addon For WPForms ( wpforms entries ) – WPFormsDB43175320k+Nonce verification recommended
#4628Directorist – WPML Integration4310134400Non-prefixed hook name
#4629Disable Gutenberg432347500k+Nonce verification recommended
#4630Disable WP Notification43742510k+Output is not escaped
#4631Easy PayPal Shopping Cart4319401k+Input is not sanitized
#4632Email Notification on Login433371k+Unsafe printing function
#4633F4 Total Stock Value for WooCommerce4327121k+Output is not escaped
#4634Floating Awesome Button (Sticky Button, Popup, Toast) & 200+ Website Custom Interactive Element4366109800Missing direct file access protection
#4635GD bbPress Tools4315611k+Input is not sanitized
#4636Good Old Twitter Feed Widget4311010400Text Domain Mismatch
#4637Per User Prompt for Google Authenticator43852400Nonce verification recommended
#4638Event Tracking for Gravity Forms43342520k+rand mt rand
#4639Insert Blocks Before or After Posts Content4342151k+Output is not escaped
#4640jQuery UI Widgets4313151k+Unsafe printing function
#4641Linker – URL shortener & track outbound link clicks4317172k+Output is not escaped
#4642Logo Slider WP – Responsive Logo Carousel, Logo Gallery & Logo Showcase432225510k+Non-prefixed global variable
#4643Make Tables Responsive43311026k+Input is not validated
#4644MembershipWorks Login Connector432881800Request data is not unslashed
#4645Lightbox432910700Unsafe printing function
#4646Opal Woo Custom Product Variation431116400Non-prefixed global variable
#4647Page Transition433930700Output is not escaped
#4648PE Panels431814500Output is not escaped
#4649Pods Gravity Forms Add-On43791k+Missing nonce verification
#4650Post Carousel Slider for Elementor43133233k+Text Domain Mismatch