Security Issues

Issue Codes

39 normalized finding codes in this category.

Output is not escaped

WordPress.Security.EscapeOutput.OutputNotEscaped

Dynamic data is printed to the page without an escaping function for the output context.

critical

Request data is not unslashed

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical

Input is not sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Request data is used without being cleaned for the expected type or format.

critical

Nonce verification recommended

WordPress.Security.NonceVerification.Recommended

The code reads request data in a place where Plugin Check recommends a nonce check.

critical

Input is not validated

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Request data is used without checking that it is allowed for the operation.

critical

Missing nonce verification

WordPress.Security.NonceVerification.Missing

A request handler uses request data without verifying that the request was intentionally created by WordPress.

critical

Unsafe printing function

WordPress.Security.EscapeOutput.UnsafePrintingFunction

A printing function is outputting dynamic content without proving that the content is escaped.

critical

Database parameter is not escaped

PluginCheck.Security.DirectDB.UnescapedDBParameter

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical

wp redirect wp redirect

WordPress.Security.SafeRedirect.wp_redirect_wp_redirect

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

SQL query is not prepared

WordPress.DB.PreparedSQL.NotPrepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical

Exception output is not escaped

WordPress.Security.EscapeOutput.ExceptionNotEscaped

An exception message or related exception value is printed without escaping.

critical

Interpolated SQL is not prepared

WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Variables are interpolated into a SQL string before the query is prepared.

critical

Setting is missing a sanitization callback

PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing

A registered setting does not define a sanitization callback.

critical

Unfinished Prepare

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Simple Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Replacements Wrong Number

WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Input is not validated or sanitized

WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Request data is used without both cleanup and an allowability check.

critical

Plugin menu slug uses FILE

WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Like Wildcards In Query

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Heredoc Output Not Escaped

WordPress.Security.EscapeOutput.HeredocOutputNotEscaped

A value reaches browser output without clear escaping for the final HTML context.

critical

Unquoted Complex Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unnecessary Prepare

WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Like Wildcards In Query With Placeholder

WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Unsupported Placeholder

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

mysql mysqli real escape string

WordPress.DB.RestrictedFunctions.mysql_mysqli_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Like Without Wildcards

WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Quoted Dynamic Placeholder Generation

WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: like_escape

WordPress.WP.DeprecatedFunctions.like_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

mysql mysql real escape string

WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical

Deprecated function: attribute_escape

WordPress.WP.DeprecatedFunctions.attribute_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Unescaped Literal

WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Missing Replacements

WordPress.DB.PreparedSQLPlaceholders.MissingReplacements

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

curl curl escape

WordPress.WP.AlternativeFunctions.curl_curl_escape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

curl curl unescape

WordPress.WP.AlternativeFunctions.curl_curl_unescape

The plugin uses raw cURL functions instead of the WordPress HTTP API.

critical

Deprecated function: js_escape

WordPress.WP.DeprecatedFunctions.js_escapeFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

register setting Invalid

PluginCheck.CodeAnalysis.SettingSanitization.register_settingInvalid

Plugin Check reported a security-sensitive coding pattern that needs review.

critical

Quoted Identifier Placeholder

WordPress.DB.PreparedSQLPlaceholders.QuotedIdentifierPlaceholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical

Deprecated function: sanitize_user_object

WordPress.WP.DeprecatedFunctions.sanitize_user_objectFound

The plugin uses a WordPress API, parameter, class, or value that has been deprecated.

critical

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Updated	Top Issue
#4901	Simple Spoiler	95	1	8	2k+	1 year ago	Non-prefixed global variable
#4902	WCBoost – Variation Swatches	95	1	11	50k+	21 days ago	Non-prefixed hook name
#4903	WebMan Templates	95	1	3	1k+	6 months ago	Non-prefixed global variable
#4904	WP Remove Category Base	95	1	4	8k+	9 years ago	trademarked term
#4905	WPC Buy Now Button for WooCommerce	95		18	10k+	6 days ago	Non-prefixed class
#4906	ActiveLayer Anti-Spam: Spam Protection for Forms & Comments	96		2	1k+	5 days ago	Database parameter is not escaped
#4907	Add Featured Image Column	96	1	1	3k+	1 year ago	Nonce verification recommended
#4908	Advanced Import	96		3	90k+	14 days ago	Nonce verification recommended
#4909	Catch Themes Demo Import	96	1	5	5k+	2 days ago	Non-prefixed hook name
#4910	Customer Reviews Collector for WooCommerce	96	5	1	5k+	26 days ago	Missing direct file access protection
#4911	Disable Author Archives	96	1	2	10k+	1 month ago	Nonce verification recommended
#4912	FAQly – Ultimate FAQ	96		2	1k+	21 days ago	Nonce verification recommended
#4913	FormLayer	96		2	40k+	19 days ago	Nonce verification recommended
#4914	KOMOJU Payments	96		8	1k+	yesterday	Non-prefixed class
#4915	WP Post Page Clone	96		5	80k+	1 month ago	trademarked term
#4916	WPB Product Slider for WooCommerce – Responsive Product Carousel & Showcase	96		5	4k+	2 days ago	trademarked term
#4917	WPVulnerability	96		4	10k+	21 days ago	trademarked term
#4918	All-in-One Sticky Anything – Click to Call, Fixed Widget, Sticky Header, Menu & Sidebar	97		3	1k+	1 month ago	Discouraged text-domain loading
#4919	Pinyin Slugs	97		1	3k+	7 days ago	Plugin menu slug uses __FILE__

Security Issues

Issue Codes

Output is not escaped

Request data is not unslashed

Input is not sanitized

Nonce verification recommended

Input is not validated

Missing nonce verification

Unsafe printing function

Database parameter is not escaped

wp redirect wp redirect

SQL query is not prepared

Exception output is not escaped

Interpolated SQL is not prepared

Setting is missing a sanitization callback

Unfinished Prepare

Quoted Simple Placeholder

Replacements Wrong Number

Input is not validated or sanitized

Plugin menu slug uses __FILE__

Like Wildcards In Query

Heredoc Output Not Escaped

Unquoted Complex Placeholder

Unsupported Identifier Placeholder

Unnecessary Prepare

Like Wildcards In Query With Placeholder

Unsupported Placeholder

mysql mysqli real escape string

Like Without Wildcards

Quoted Dynamic Placeholder Generation

Deprecated function: like_escape

mysql mysql real escape string

Deprecated function: attribute_escape

Unescaped Literal

Missing Replacements

curl curl escape

curl curl unescape

Deprecated function: js_escape

register setting Invalid

Quoted Identifier Placeholder

Deprecated function: sanitize_user_object

Affected Plugins

Plugin menu slug uses FILE