Security Issues
Issue Codes
39 normalized finding codes in this category.
Output is not escaped
WordPress.Security.EscapeOutput.OutputNotEscaped
Dynamic data is printed to the page without an escaping function for the output context.
Request data is not unslashed
WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Input is not sanitized
WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Request data is used without being cleaned for the expected type or format.
Nonce verification recommended
WordPress.Security.NonceVerification.Recommended
The code reads request data in a place where Plugin Check recommends a nonce check.
Input is not validated
WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Request data is used without checking that it is allowed for the operation.
Missing nonce verification
WordPress.Security.NonceVerification.Missing
A request handler uses request data without verifying that the request was intentionally created by WordPress.
Unsafe printing function
WordPress.Security.EscapeOutput.UnsafePrintingFunction
A printing function is outputting dynamic content without proving that the content is escaped.
Database parameter is not escaped
PluginCheck.Security.DirectDB.UnescapedDBParameter
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
wp redirect wp redirect
WordPress.Security.SafeRedirect.wp_redirect_wp_redirect
Plugin Check reported a security-sensitive coding pattern that needs review.
SQL query is not prepared
WordPress.DB.PreparedSQL.NotPrepared
A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.
Exception output is not escaped
WordPress.Security.EscapeOutput.ExceptionNotEscaped
An exception message or related exception value is printed without escaping.
Interpolated SQL is not prepared
WordPress.DB.PreparedSQL.InterpolatedNotPrepared
Variables are interpolated into a SQL string before the query is prepared.
Setting is missing a sanitization callback
PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing
A registered setting does not define a sanitization callback.
Unfinished Prepare
WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Quoted Simple Placeholder
WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Replacements Wrong Number
WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Input is not validated or sanitized
WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized
Request data is used without both cleanup and an allowability check.
Plugin menu slug uses __FILE__
WordPress.Security.PluginMenuSlug.Using__FILE__
Plugin Check reported a security-sensitive coding pattern that needs review.
Like Wildcards In Query
WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Heredoc Output Not Escaped
WordPress.Security.EscapeOutput.HeredocOutputNotEscaped
A value reaches browser output without clear escaping for the final HTML context.
Unquoted Complex Placeholder
WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Unsupported Identifier Placeholder
WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Unnecessary Prepare
WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Like Wildcards In Query With Placeholder
WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Unsupported Placeholder
WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
mysql mysqli real escape string
WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string
The plugin uses a raw MySQL extension or class instead of WordPress database APIs.
Like Without Wildcards
WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Quoted Dynamic Placeholder Generation
WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Deprecated function: like_escape
WordPress.WP.DeprecatedFunctions.like_escapeFound
The plugin uses a WordPress API, parameter, class, or value that has been deprecated.
mysql mysql real escape string
WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string
The plugin uses a raw MySQL extension or class instead of WordPress database APIs.
Deprecated function: attribute_escape
WordPress.WP.DeprecatedFunctions.attribute_escapeFound
The plugin uses a WordPress API, parameter, class, or value that has been deprecated.
Unescaped Literal
WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Missing Replacements
WordPress.DB.PreparedSQLPlaceholders.MissingReplacements
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
curl curl escape
WordPress.WP.AlternativeFunctions.curl_curl_escape
The plugin uses raw cURL functions instead of the WordPress HTTP API.
curl curl unescape
WordPress.WP.AlternativeFunctions.curl_curl_unescape
The plugin uses raw cURL functions instead of the WordPress HTTP API.
Deprecated function: js_escape
WordPress.WP.DeprecatedFunctions.js_escapeFound
The plugin uses a WordPress API, parameter, class, or value that has been deprecated.
register setting Invalid
PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid
Plugin Check reported a security-sensitive coding pattern that needs review.
Quoted Identifier Placeholder
WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Deprecated function: sanitize_user_object
WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound
The plugin uses a WordPress API, parameter, class, or value that has been deprecated.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #4801 | External Permalinks Redux | 92 | 9 | 8 | 2k+ | Non-prefixed hook name | |
| #4802 | Mongoose Page Plugin | 92 | 4 | 17 | 10k+ | Non-prefixed global variable | |
| #4803 | FastBots | 92 | 3 | 2 | 1k+ | Non Enqueued Script | |
| #4804 | Fluent Forms Block | 92 | 4 | 18 | 2k+ | Non-prefixed global variable | |
| #4805 | Product Gallery Slider, Additional Variation Images, Product Video, Product Image Zoom and Lightbox for WooCommerce – WooGallery | 92 | 6 | 30 | 20k+ | Non-prefixed global variable | |
| #4806 | Grid Shortcodes | 92 | 3 | 2 | 2k+ | Missing Version | |
| #4807 | Health Endpoint | 92 | 3 | 2 | 3k+ | Missing Arg Domain | |
| #4808 | Hide Categories On Shop Page | 92 | 11 | 4 | 1k+ | Text Domain Mismatch | |
| #4809 | Import Export Menu | 92 | 7 | 1k+ | Input is not sanitized | ||
| #4810 | Lightweight Grid Columns | 92 | 4 | 2 | 10k+ | Missing Version | |
| #4811 | LitCommerce: Multi-channel Selling Tool For WooCommerce | 92 | 4 | 3 | 2k+ | Missing direct file access protection | |
| #4812 | Block for Apple Maps | 92 | 14 | 3 | 1k+ | Missing direct file access protection | |
| #4813 | Paste As Plain Text By Default | 92 | 2 | 5 | 2k+ | Nonce verification recommended | |
| #4814 | RTL Tester | 92 | 6 | 2 | 1k+ | Nonce verification recommended | |
| #4815 | MWW Scheduled Post Trigger | 92 | 4 | 2 | 60k+ | Direct Query | |
| #4816 | Greeklish Slugs | 92 | 12 | 2 | 3k+ | Text Domain Mismatch | |
| #4817 | User Access Shortcodes | 92 | 3 | 1 | 1k+ | Missing direct file access protection | |
| #4818 | Version Control for jQuery | 92 | 5 | 1 | 6k+ | Offloaded Content | |
| #4819 | Address Book for WooCommerce | 92 | 12 | 6 | 4k+ | Text Domain Mismatch | |
| #4820 | WooCommerce Accommodation Bookings | 92 | 1 | 91 | 1k+ | Non-prefixed global variable | |
| #4821 | Menu Cart for WooCommerce | 92 | 102 | 16 | 80k+ | Text Domain Mismatch | |
| #4822 | WOOF by Category | 92 | 3 | 7 | 1k+ | trademarked term | |
| #4823 | SFN Easy FAQ Manager | 92 | 127 | 14 | 2k+ | Text Domain Mismatch | |
| #4824 | WP Anything Downloader | 92 | 1 | 7 | 3k+ | Nonce verification recommended | |
| #4825 | WP Mautic | 92 | 3 | 5 | 6k+ | trademarked term | |
| #4826 | WP Quick Post Duplicator | 92 | 3 | 10 | 3k+ | trademarked term | |
| #4827 | WPC Price by Quantity for WooCommerce | 92 | 37 | 1k+ | Non-prefixed global variable | ||
| #4828 | Advanced Post Block – Showcase Posts with Grid, List, Card Layouts and Filters | 93 | 1 | 8 | 10k+ | Direct Query | |
| #4829 | Advanced Testimonial Carousel For Elementor | 93 | 3 | 6 | 2k+ | Nonce verification recommended | |
| #4830 | Chat Widget: Floating Customer Support Button for 30+ Channels, Supporting SMS, Calls, and Chat – Bit Assist | 93 | 2 | 4 | 10k+ | Missing Version | |
| #4831 | CF7 Mate – AI Form Builder, Styler & Multi-Step Forms for Contact Form 7 | 93 | 3 | 9 | 20k+ | Non-prefixed class | |
| #4832 | Clear Autoptimize Cache Automatically | 93 | 3 | 9 | 4k+ | Request data is not unslashed | |
| #4833 | Core Rollback | 93 | 5 | 2 | 10k+ | wp function not compatible with requires wp | |
| #4834 | Serious Slider | 93 | 6 | 2 | 20k+ | Missing Arg Domain | |
| #4835 | DCO Insert Analytics Code | 93 | 2 | 0 | 4k+ | Setting is missing a sanitization callback | |
| #4836 | Disable Blog | 93 | 2 | 22 | 10k+ | Non-prefixed global variable | |
| #4837 | Disable Auto Update Emails and Block Updates for Plugins, WP Core, and Themes | 93 | 10 | 7 | 3k+ | Missing direct file access protection | |
| #4838 | Disable WooCommerce Reviews | 93 | 2 | 4 | 2k+ | trademarked term | |
| #4839 | Disable WP REST API | 93 | 7 | 30k+ | Missing nonce verification | ||
| #4840 | Social Sharing (by Danny) | 93 | 9 | 8 | 2k+ | Missing direct file access protection | |
| #4841 | Easy Demo Importer – A Modern One-Click Demo Import Solution | 93 | 2 | 49 | 2k+ | Non-prefixed hook name | |
| #4842 | EasyMega | 93 | 1 | 22 | 6k+ | Non-prefixed hook name | |
| #4843 | Generate PDF using Contact Form 7 | 93 | 3 | 4k+ | Input is not sanitized | ||
| #4844 | Hide Updates | 93 | 3 | 4 | 6k+ | Nonce verification recommended | |
| #4845 | Image Carousel Module for Divi | 93 | 131 | 3 | 9k+ | Text Domain Mismatch | |
| #4846 | Lead Forensics | 93 | 1 | 5 | 5k+ | Non-prefixed hook name | |
| #4847 | League Table – WordPress Table Plugin | 93 | 10 | 9 | 2k+ | Missing direct file access protection | |
| #4848 | Leira Letter Avatar | 93 | 3 | 8 | 6k+ | Non-prefixed hook name | |
| #4849 | Local Google Fonts | 93 | 3 | 15 | 100k+ | Non-prefixed global variable | |
| #4850 | Modal Popup Box — Popup Maker & Popup Builder | 93 | 1 | 3 | 2k+ | Input is not sanitized |
