| #1 | Podlove Podcast Publisher | 18 | 2,326 | 1,429 | 3k+ | | | Output is not escaped |
| #2 | RestroPress – Online Food Ordering System | 18 | 521 | 3,083 | 1k+ | | | Non-prefixed global variable |
| #3 | WPPizza – A Restaurant Plugin | 18 | 4,689 | 2,703 | 1k+ | | | Text Domain Mismatch |
| #4 | Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution | 19 | 1,218 | 901 | 100k+ | | | Exception output is not escaped |
| #5 | Matomo Analytics – Powerful, Privacy-First Insights for WordPress | 19 | 1,909 | 878 | 100k+ | | | Exception output is not escaped |
| #6 | Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | 19 | 541 | 385 | 3m+ | | | Missing Translators Comment |
| #7 | Membership Plugin – Kadence Memberships | 19 | 5,082 | 2,982 | 9k+ | | | Text Domain Mismatch |
| #8 | SendPress Newsletters | 19 | 2,293 | 1,422 | 2k+ | | | Output is not escaped |
| #9 | WP Email Template | 19 | 342 | 350 | 2k+ | | | Exception output is not escaped |
| #10 | WP Import Export Lite | 19 | 737 | 979 | 40k+ | | | Non-prefixed global variable |
| #11 | Broadstreet | 20 | 434 | 273 | 700 | | | Output is not escaped |
| #12 | DMCA Protection Badge | 20 | 4,425 | 217 | 1k+ | | | Output is not escaped |
| #13 | Event Espresso – Event Registration & Ticketing Sales | 20 | 12,698 | 2,135 | 600 | | | Text Domain Mismatch |
| #14 | Filter Everything — WordPress & WooCommerce Filters | 20 | 568 | 730 | 50k+ | | | Output is not escaped |
| #15 | GiveWP – Donation Plugin and Fundraising Platform | 20 | 3,437 | 3,577 | 100k+ | | | Output is not escaped |
| #16 | Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization | 20 | 1,292 | 2,683 | 9k+ | | | Output is not escaped |
| #17 | Microthemer Lite – Visual Editor to Customize CSS | 20 | 1,004 | 1,699 | 10k+ | | | Non-prefixed global variable |
| #18 | Nimble Page Builder | 20 | 1,591 | 1,684 | 30k+ | | | Missing Arg Domain |
| #19 | Pix por Piggly (para Woocommerce) | 20 | 547 | 195 | 4k+ | | | Exception output is not escaped |
| #20 | Robin Image Optimizer – Unlimited Image Optimization, WebP & AVIF | 20 | 557 | 541 | 100k+ | | | Output is not escaped |
| #21 | Trace My IP – Visitor IP Tracker, Stats Analytics & Page Views Counter with Email Alerts | 20 | 866 | 338 | 1k+ | | | wp function not compatible with requires wp |
| #22 | Razorpay for WooCommerce | 20 | 974 | 855 | 100k+ | | | Non-prefixed function |
| #23 | WP Minify Fix | 20 | 306 | 380 | 800 | | | Output is not escaped |
| #24 | WPJAM Basic | 20 | 328 | 356 | 4k+ | | | Output is not escaped |
| #25 | Backup Migration | 21 | 981 | 1,093 | 80k+ | | | Non-prefixed global variable |
| #26 | Smart Grid-Layout Design for Contact Form 7 | 21 | 1,126 | 734 | 10k+ | | | Output is not escaped |
| #27 | SMS Extension for Contact Form 7 | 21 | 720 | 1,387 | 400 | | | Non-prefixed global variable |
| #28 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | | | Output is not escaped |
| #29 | Ebook Store | 21 | 666 | 1,087 | 800 | | | Non-prefixed global variable |
| #30 | Packeta | 21 | 802 | 333 | 8k+ | | | Exception output is not escaped |
| #31 | Five Star Restaurant Reservations – WordPress Booking Plugin | 21 | 1,099 | 1,147 | 10k+ | | | Output is not escaped |
| #32 | ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin | 21 | 190 | 660 | 30k+ | | | Non-prefixed global variable |
| #33 | Buckaroo Woocommerce Payments Plugin | 21 | 584 | 326 | 2k+ | | | Exception output is not escaped |
| #34 | Paysera Payment Gateway for WooCommerce | 21 | 1,866 | 195 | 7k+ | | | Exception output is not escaped |
| #35 | Pay For Post with WooCommerce | 21 | 960 | 1,474 | 1k+ | | | Non-prefixed global variable |
| #36 | Wordfence Security – Firewall, Malware Scan, and Login Security | 21 | 1,592 | 2,973 | 5m+ | | | Output is not escaped |
| #37 | WP Compress – Instant Performance & Speed Optimization | 21 | 3,349 | 3,218 | 10k+ | | | Non Singular String Literal Domain |
| #38 | WP-Lister Lite for eBay | 21 | 6,697 | 5,129 | 2k+ | | | Output is not escaped |
| #39 | WP phpMyAdmin | 21 | 4,528 | 6,435 | 50k+ | | | Missing Arg Domain |
| #40 | wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin | 21 | 1,811 | 1,432 | 70k+ | | | Output is not escaped |
| #41 | Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots | 22 | 1,607 | 2,018 | 10k+ | | | Direct Query |
| #42 | Better WordPress Minify | 22 | 412 | 484 | 8k+ | | | Non Singular String Literal Domain |
| #43 | Captcha by BestWebSoft – Advanced Spam Protection, Math & OCR-Friendly Captcha for Site Forms | 22 | 493 | 295 | 10k+ | | | Text Domain Mismatch |
| #44 | Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer | 22 | 2,858 | 1,270 | 50k+ | | | Text Domain Mismatch |
| #45 | Code Profiler – WordPress Performance Profiling and Debugging Made Easy | 22 | 265 | 400 | 8k+ | | | Non-prefixed global variable |
| #46 | Data Tables Generator by Supsystic | 22 | 157 | 150 | 10k+ | | | Exception output is not escaped |
| #47 | Dynamic QR Code – generator | 22 | 238 | 208 | 6k+ | | | Missing direct file access protection |
| #48 | Five Star Restaurant Menu and Food Ordering | 22 | 752 | 609 | 5k+ | | | Output is not escaped |
| #49 | Heureka | 22 | 557 | 254 | 400 | | | Exception output is not escaped |
| #50 | InfiniteWP Client | 22 | 2,286 | 1,812 | 200k+ | | | Exception output is not escaped |
