WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin menu slug uses __FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical weight

Why It Shows Up

The finding came from a security-focused WordPress coding standard or Plugin Check rule.

Why It Matters

Security findings often involve trust boundaries: request input, browser output, redirects, database access, capabilities, or filesystem behavior.

How to Fix

  • Identify the untrusted value or privileged action involved.
  • Add validation, sanitization, escaping, nonce checks, capability checks, or prepared SQL as appropriate.
  • Rerun Plugin Check after the code path is fixed.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1WPOSS阿里云对象存储19269315900Non-prefixed namespace
#2WPQiNiu七牛云对象存储19138612400Non-prefixed global variable
#3Smart Forms – when you need more than just a contact form217765745k+Output is not escaped
#4HeadSpace2 SEO229403603k+Text Domain Mismatch
#5History Log by click5226751,290400Direct Query
#6Quick Contact Form222606231k+Non-prefixed function
#7Master Accordion ( Former WP Awesome FAQ Plugin )221,7741,286700Non-prefixed global variable
#8BlossomThemes Email Newsletter2333723920k+Output is not escaped
#9Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe239,31526,6441k+Non-prefixed global variable
#10SEO Redirection Plugin – 301 Redirect Manager2327272710k+Non-prefixed global variable
#11WP Free SSL237351,3451k+Non-prefixed global variable
#12eCommerce Product Catalog Plugin for WordPress246213,1777k+Non-prefixed function
#13Product Catalog Simple241,5551,9821k+Output is not escaped
#14WP Meta and Date Remover246651,31490k+Non-prefixed global variable
#15WP Travel Engine – Tour Booking Plugin – Tour Operator Software242,0125,68920k+Non-prefixed global variable
#16xili-language241,501523600Output is not escaped
#17All 404 Redirect to Homepage25140301200k+date date
#18Booking Package251,6973,97710k+Missing nonce verification
#19Sitemap by click5252861326k+Unsafe printing function
#20PDF Builder for WooCommerce. Create invoices,packing slips and more253725032k+Non-prefixed global variable
#21iQ Block Country2716424520k+Request data is not unslashed
#22Online Booking & Scheduling Calendar for WordPress by vcita274731611k+Output is not escaped
#23Stream Video Player27220135600Output is not escaped
#24VOD Infomaniak2779738520k+Output is not escaped
#25Geo Mashup287752321k+Text Domain Mismatch
#26Custom Field Template2956853030k+wp function not compatible with requires wp
#27DB Cache Reloaded Fix29133422k+Output is not escaped
#28Epeken All Kurir for Woocommerce305901,246400Missing nonce verification
#29Widget Manager Light3023383600Text Domain Mismatch
#30Widgetize Pages Light301451043k+Output is not escaped
#31Sidebar Manager Light31221761k+Text Domain Mismatch
#32WP Easy Uploader31202113600Non Singular String Literal Domain
#33WP125311781843k+Unsafe printing function
#34wpDirAuth32250135500wp function not compatible with requires wp
#35Countdown Timer3331117900Text Domain Mismatch
#36Inactive User Deleter33453170800Output is not escaped
#37Janolaw AGB Hosting33198111k+Short PHP open tag found
#38Offen33313115500Output is not escaped
#39AGCA – Custom Dashboard & Login Page343504420k+Unsafe printing function
#40Audit Trail349010710k+Unsafe printing function
#41Forms: 3rd-Party Integration342341125k+Output is not escaped
#42Hitsteps Web Analytics34370313800Output is not escaped
#43HTML Import 234273265k+Unsafe printing function
#44Search Meter341919420k+Output is not escaped
#45Shift8 CDN348125600Output is not escaped
#46Xml Sitemap Generator347247400SQL query is not prepared
#47Kiyoh customer review3517368500Output is not escaped
#48Pixeline's Email Protector35775800Unsafe printing function
#49ReOrder Posts within Categories35392077k+Non-prefixed global variable
#50Simple Header Footer HTML353053k+Output is not escaped