WordPress.Security.PluginMenuSlug.Using__FILE__
Plugin menu slug uses __FILE__
Plugin Check reported a security-sensitive coding pattern that needs review.
Why It Shows Up
The finding came from a security-focused WordPress coding standard or Plugin Check rule.
Why It Matters
Security findings often involve trust boundaries: request input, browser output, redirects, database access, capabilities, or filesystem behavior.
How to Fix
- Identify the untrusted value or privileged action involved.
- Add validation, sanitization, escaping, nonce checks, capability checks, or prepared SQL as appropriate.
- Rerun Plugin Check after the code path is fixed.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1 | WPOSS阿里云对象存储 | 19 | 269 | 315 | 900 | Non-prefixed namespace | ||
| #2 | WPQiNiu七牛云对象存储 | 19 | 138 | 612 | 400 | Non-prefixed global variable | ||
| #3 | Smart Forms – when you need more than just a contact form | 21 | 776 | 574 | 5k+ | Output is not escaped | ||
| #4 | HeadSpace2 SEO | 22 | 940 | 360 | 3k+ | Text Domain Mismatch | ||
| #5 | History Log by click5 | 22 | 675 | 1,290 | 400 | Direct Query | ||
| #6 | Quick Contact Form | 22 | 260 | 623 | 1k+ | Non-prefixed function | ||
| #7 | Master Accordion ( Former WP Awesome FAQ Plugin ) | 22 | 1,774 | 1,286 | 700 | Non-prefixed global variable | ||
| #8 | BlossomThemes Email Newsletter | 23 | 337 | 239 | 20k+ | Output is not escaped | ||
| #9 | Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe | 23 | 9,315 | 26,644 | 1k+ | Non-prefixed global variable | ||
| #10 | SEO Redirection Plugin – 301 Redirect Manager | 23 | 272 | 727 | 10k+ | Non-prefixed global variable | ||
| #11 | WP Free SSL | 23 | 735 | 1,345 | 1k+ | Non-prefixed global variable | ||
| #12 | eCommerce Product Catalog Plugin for WordPress | 24 | 621 | 3,177 | 7k+ | Non-prefixed function | ||
| #13 | Product Catalog Simple | 24 | 1,555 | 1,982 | 1k+ | Output is not escaped | ||
| #14 | WP Meta and Date Remover | 24 | 665 | 1,314 | 90k+ | Non-prefixed global variable | ||
| #15 | WP Travel Engine – Tour Booking Plugin – Tour Operator Software | 24 | 2,012 | 5,689 | 20k+ | Non-prefixed global variable | ||
| #16 | xili-language | 24 | 1,501 | 523 | 600 | Output is not escaped | ||
| #17 | All 404 Redirect to Homepage | 25 | 140 | 301 | 200k+ | date date | ||
| #18 | Booking Package | 25 | 1,697 | 3,977 | 10k+ | Missing nonce verification | ||
| #19 | Sitemap by click5 | 25 | 286 | 132 | 6k+ | Unsafe printing function | ||
| #20 | PDF Builder for WooCommerce. Create invoices,packing slips and more | 25 | 372 | 503 | 2k+ | Non-prefixed global variable | ||
| #21 | iQ Block Country | 27 | 164 | 245 | 20k+ | Request data is not unslashed | ||
| #22 | Online Booking & Scheduling Calendar for WordPress by vcita | 27 | 473 | 161 | 1k+ | Output is not escaped | ||
| #23 | Stream Video Player | 27 | 220 | 135 | 600 | Output is not escaped | ||
| #24 | VOD Infomaniak | 27 | 797 | 385 | 20k+ | Output is not escaped | ||
| #25 | Geo Mashup | 28 | 775 | 232 | 1k+ | Text Domain Mismatch | ||
| #26 | Custom Field Template | 29 | 568 | 530 | 30k+ | wp function not compatible with requires wp | ||
| #27 | DB Cache Reloaded Fix | 29 | 133 | 42 | 2k+ | Output is not escaped | ||
| #28 | Epeken All Kurir for Woocommerce | 30 | 590 | 1,246 | 400 | Missing nonce verification | ||
| #29 | Widget Manager Light | 30 | 233 | 83 | 600 | Text Domain Mismatch | ||
| #30 | Widgetize Pages Light | 30 | 145 | 104 | 3k+ | Output is not escaped | ||
| #31 | Sidebar Manager Light | 31 | 221 | 76 | 1k+ | Text Domain Mismatch | ||
| #32 | WP Easy Uploader | 31 | 202 | 113 | 600 | Non Singular String Literal Domain | ||
| #33 | WP125 | 31 | 178 | 184 | 3k+ | Unsafe printing function | ||
| #34 | wpDirAuth | 32 | 250 | 135 | 500 | wp function not compatible with requires wp | ||
| #35 | Countdown Timer | 33 | 311 | 17 | 900 | Text Domain Mismatch | ||
| #36 | Inactive User Deleter | 33 | 453 | 170 | 800 | Output is not escaped | ||
| #37 | Janolaw AGB Hosting | 33 | 198 | 11 | 1k+ | Short PHP open tag found | ||
| #38 | Offen | 33 | 313 | 115 | 500 | Output is not escaped | ||
| #39 | AGCA – Custom Dashboard & Login Page | 34 | 350 | 44 | 20k+ | Unsafe printing function | ||
| #40 | Audit Trail | 34 | 90 | 107 | 10k+ | Unsafe printing function | ||
| #41 | Forms: 3rd-Party Integration | 34 | 234 | 112 | 5k+ | Output is not escaped | ||
| #42 | Hitsteps Web Analytics | 34 | 370 | 313 | 800 | Output is not escaped | ||
| #43 | HTML Import 2 | 34 | 273 | 26 | 5k+ | Unsafe printing function | ||
| #44 | Search Meter | 34 | 191 | 94 | 20k+ | Output is not escaped | ||
| #45 | Shift8 CDN | 34 | 81 | 25 | 600 | Output is not escaped | ||
| #46 | Xml Sitemap Generator | 34 | 72 | 47 | 400 | SQL query is not prepared | ||
| #47 | Kiyoh customer review | 35 | 173 | 68 | 500 | Output is not escaped | ||
| #48 | Pixeline's Email Protector | 35 | 77 | 5 | 800 | Unsafe printing function | ||
| #49 | ReOrder Posts within Categories | 35 | 39 | 207 | 7k+ | Non-prefixed global variable | ||
| #50 | Simple Header Footer HTML | 35 | 30 | 5 | 3k+ | Output is not escaped |