| #1 | Intercom | 0 | 60 | 71 | 6k+ | | Non-prefixed function |
| #2 | JetBackup – Backup, Restore & Migrate | 10 | 1,559 | 145 | 100k+ | | Exception output is not escaped |
| #3 | Visual Composer Website Builder | 16 | 82 | 320 | 40k+ | | Non-prefixed global variable |
| #4 | AnyComment | 17 | 445 | 449 | 5k+ | | Output is not escaped |
| #5 | Podlove Podcast Publisher | 18 | 2,326 | 1,429 | 3k+ | | Output is not escaped |
| #6 | Shopping Cart & eCommerce Store | 18 | 5,459 | 17,298 | 4k+ | | Non-prefixed global variable |
| #7 | Element Pack – Widgets, Templates & Addons for Elementor | 19 | 9,448 | 517 | 100k+ | | Text Domain Mismatch |
| #8 | Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution | 19 | 1,218 | 901 | 100k+ | | Exception output is not escaped |
| #9 | Matomo Analytics – Powerful, Privacy-First Insights for WordPress | 19 | 1,909 | 878 | 100k+ | | Exception output is not escaped |
| #10 | Razorpay Payment Button Plugin | 19 | 486 | 98 | 2k+ | | Exception output is not escaped |
| #11 | Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | 19 | 541 | 385 | 3m+ | | Missing Translators Comment |
| #12 | SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments | 19 | 526 | 1,119 | 90k+ | | Non-prefixed global variable |
| #13 | BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot | 20 | 508 | 1,406 | 30k+ | | Non-prefixed global variable |
| #14 | Brizy – Page Builder | 20 | 589 | 720 | 70k+ | | Output is not escaped |
| #15 | DMCA Protection Badge | 20 | 4,425 | 217 | 1k+ | | Output is not escaped |
| #16 | Filter Everything — WordPress & WooCommerce Filters | 20 | 568 | 730 | 50k+ | | Output is not escaped |
| #17 | GiveWP – Donation Plugin and Fundraising Platform | 20 | 3,435 | 3,580 | 100k+ | | Output is not escaped |
| #18 | Brevo – Email, SMS, Web Push, Chat, and more. | 20 | 460 | 646 | 100k+ | | Request data is not unslashed |
| #19 | Razorpay for WooCommerce | 20 | 974 | 855 | 100k+ | | Non-prefixed function |
| #20 | WPJAM Basic | 20 | 328 | 356 | 4k+ | | Output is not escaped |
| #21 | Pinpoint Booking System – Version 2 | 21 | 634 | 328 | 3k+ | | Missing direct file access protection |
| #22 | Captcha Them All | 21 | 300 | 323 | 6k+ | | Output is not escaped |
| #23 | Smart Grid-Layout Design for Contact Form 7 | 21 | 1,126 | 734 | 10k+ | | Output is not escaped |
| #24 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | | Output is not escaped |
| #25 | ERP: Complete HR, Accounting & CRM Suite with Recruitment and WooCommerce CRM Support | 21 | 829 | 5,966 | 5k+ | | Direct Query |
| #26 | EventPrime – Events Calendar, Bookings and Tickets | 21 | 872 | 4,297 | 7k+ | | Non-prefixed global variable |
| #27 | Formidable Forms – WordPress Form Builder for Contact Forms, Calculators, Quizzes & More | 21 | 52 | 1,959 | 300k+ | | Non-prefixed global variable |
| #28 | If-So Dynamic Content – Elementor & All Page Builders Personalization | 21 | 889 | 725 | 7k+ | | Unsafe printing function |
| #29 | JCH Optimize | 21 | 953 | 133 | 4k+ | | Output is not escaped |
| #30 | Modular DS: Monitor, update, and backup multiple websites | 21 | 161 | 81 | 40k+ | | Exception output is not escaped |
| #31 | OneLogin SAML SSO | 21 | 508 | 330 | 7k+ | | wp function not compatible with requires wp |
| #32 | Packeta | 21 | 802 | 333 | 8k+ | | Exception output is not escaped |
| #33 | Razorpay Quick Payments | 21 | 399 | 63 | 3k+ | | Exception output is not escaped |
| #34 | Five Star Restaurant Reservations – WordPress Booking Plugin | 21 | 1,099 | 1,147 | 10k+ | | Output is not escaped |
| #35 | Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic | 21 | 327 | 181 | 10k+ | | Output is not escaped |
| #36 | Smart Forms – when you need more than just a contact form | 21 | 776 | 574 | 5k+ | | Output is not escaped |
| #37 | Revive Social – Social Media Auto Post and Scheduling Automation Plugin | 21 | 255 | 425 | 20k+ | | Non-prefixed hook name |
| #38 | WebP Express | 21 | 160 | 427 | 300k+ | | Non-prefixed global variable |
| #39 | Paysera Payment Gateway for WooCommerce | 21 | 1,866 | 195 | 7k+ | | Exception output is not escaped |
| #40 | Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools | 21 | 786 | 3,395 | 30k+ | | Non-prefixed global variable |
| #41 | Wordfence Security – Firewall, Malware Scan, and Login Security | 21 | 1,592 | 2,973 | 5m+ | | Output is not escaped |
| #42 | WP phpMyAdmin | 21 | 4,528 | 6,435 | 50k+ | | Missing Arg Domain |
| #43 | Premium Packages – Sell Digital Products Securely | 21 | 2,765 | 2,444 | 3k+ | | Output is not escaped |
| #44 | Frontend Admin by DynamiApps | 22 | 5,922 | 3,208 | 10k+ | | Text Domain Mismatch |
| #45 | Booking for Appointments and Events Calendar – Amelia | 22 | 1,489 | 480 | 90k+ | | Exception output is not escaped |
| #46 | BuddyPress | 22 | 583 | 9,008 | 100k+ | | Non-prefixed function |
| #47 | RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | 22 | 3,654 | 5,061 | 8k+ | | Non-prefixed global variable |
| #48 | Directorist: AI-Powered Business Directory, Listings & Classified Ads | 22 | 443 | 2,129 | 20k+ | | Non-prefixed global variable |
| #49 | Dynamic QR Code – generator | 22 | 238 | 208 | 6k+ | | Missing direct file access protection |
| #50 | EleSpare – News, Magazine and Blog Addons for Elementor | 22 | 733 | 1,423 | 10k+ | | Non-prefixed global variable |
