Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

Use of wp_redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Plugin menu slug uses __FILE__

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without being sanitized and without being validated as allowed for the operation.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Use of mysqli_real_escape_string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Use of mysql_real_escape_string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Use of curl_escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

Use of curl_unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

Invalid register_setting call

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

The Added and Updated columns did not survive extraction, and the Errors, Warnings and Installs values were run together without separators; they are kept as extracted in a single column.

| Rank | Plugin | Score | Errors / Warnings / Installs (run together) | Top Issue |
|---|---|---|---|---|
| #4851 | Clear Cache for Me | 47 | 58840k+ | Text Domain Mismatch |
| #4852 | Custom Background Changer | 47 | 44141k+ | Non Singular String Literal Domain |
| #4853 | Customizer Export/Import | 47 | 1415100k+ | Unsafe printing function |
| #4854 | Delete Duplicate Posts | 47 | 95010k+ | Direct Query |
| #4855 | Do Shortcodes for Rank Math SEO | 47 | 11731k+ | Output is not escaped |
| #4856 | DPO Pay for WooCommerce | 47 | 28411k+ | Non Singular String Literal Text |
| #4857 | EasyFonts – Host Google Fonts Locally, Fast & Auto-Optimize, GDPR Compliant | 47 | 5581k+ | Interpolated SQL is not prepared |
| #4858 | Show IDs by Echo | 47 | 21132k+ | Output is not escaped |
| #4859 | Extended CRM for Users Insights | 47 | 1123400 | Missing nonce verification |
| #4860 | Flying Pages: Preload Pages for Faster Navigation & Improved User Experience | 47 | 212120k+ | Missing direct file access protection |
| #4861 | FSM Custom Featured Image Caption | 47 | 26275k+ | Output is not escaped |
| #4862 | G Meta Keywords | 47 | 31810k+ | Unsafe printing function |
| #4863 | Gateway AqayePardakht for Woocommerce | 47 | 72234k+ | Text Domain Mismatch |
| #4864 | Granular Controls For Elementor | 47 | 56410k+ | Output is not escaped |
| #4865 | Groups 404 Redirect | 47 | 35331k+ | Non Singular String Literal Domain |
| #4866 | Import Users from CSV | 47 | 331210k+ | Unsafe printing function |
| #4867 | KCSG Kartra Pages | 47 | 3016500 | Heredoc Output Not Escaped |
| #4868 | Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator | 47 | 448310k+ | Missing direct file access protection |
| #4869 | Log Emails | 47 | 19296k+ | Non-prefixed global variable |
| #4870 | Product Categories/Tags Bottom Description for WooCommerce | 47 | 60233k+ | Text Domain Mismatch |
| #4871 | Real Media Library: Media Library Folder & File Manager | 47 | 1365100k+ | Direct Query |
| #4872 | Restore PayPal Standard for WooCommerce | 47 | 19533k+ | Nonce verification recommended |
| #4873 | Security Ninja For MainWP | 47 | 24671500 | Text Domain Mismatch |
| #4874 | Showeblogin Social Plugin | 47 | 595400 | Output is not escaped |
| #4875 | Simple Popup Plugin | 47 | 5351k+ | Output is not escaped |
| #4876 | Social Media Widget | 47 | 513400 | Output is not escaped |
| #4877 | SportsPress for Baseball | 47 | 11334900 | Text Domain Mismatch |
| #4878 | Store Locator for WordPress📍 | 47 | 51211k+ | Missing Arg Domain |
| #4879 | Tabby Checkout | 47 | 33464k+ | Non-prefixed class |
| #4880 | Taxonomy Switcher | 47 | 23362k+ | Nonce verification recommended |
| #4881 | The Tribal Plugin | 47 | 4362800 | Non-prefixed function |
| #4882 | Userback | 47 | 13202k+ | Output is not escaped |
| #4883 | Simple Client Dashboard | 47 | 38362k+ | Missing direct file access protection |
| #4884 | Website Article Monetization By MageNet | 47 | 172410k+ | Output is not escaped |
| #4885 | Better Usability for WooCommerce | 47 | 2787800 | Non-prefixed hook name |
| #4886 | FedaPay Gateway for WooCommerce | 47 | 2411700 | Output is not escaped |
| #4887 | iControlWP | 47 | 45591k+ | Missing direct file access protection |
| #4888 | WP Custom Author URL | 47 | 16385k+ | Non-prefixed global variable |
| #4889 | 3CX Free Live Chat, Calls & Messaging | 47 | 2416100k+ | Output is not escaped |
| #4890 | WP PHP Console | 47 | 1824500 | Output is not escaped |
| #4891 | WP Prefix Changer | 47 | 2716900 | Missing Arg Domain |
| #4892 | QuadLayers TikTok Feed | 47 | 78527k+ | Text Domain Mismatch |
| #4893 | Post Status Notifications | 47 | 98411k+ | Text Domain Mismatch |
| #4894 | Compress, Resize & Lazy Load Images – WPvivid Image Optimization | 47 | 1075810k+ | Missing direct file access protection |
| #4895 | XML Sitemap & Google News | 47 | 270224100k+ | Non-prefixed global variable |
| #4896 | Add-on WooCommerce – MailPoet 3 | 48 | 3021600 | Output is not escaped |
| #4897 | Add Polylang support for Customizer | 48 | 18202k+ | Nonce verification recommended |
| #4898 | Advanced Custom Fields – Location Field add-on | 48 | 516900 | Output is not escaped |
| #4899 | AffiliateWP – Store Credit | 48 | 4721400 | Output is not escaped |
| #4900 | Ansar Import – One Click Starter Sites – for Elementor & Themes | 48 | 2711610k+ | Non-prefixed global variable |