WordPress.Security.PluginMenuSlug.Using__FILE__

Plugin menu slug uses __FILE__

Plugin Check reported a security-sensitive coding pattern that needs review.

critical weight

Why It Shows Up

The finding came from a security-focused WordPress coding standard or Plugin Check rule.

Why It Matters

Security findings often involve trust boundaries: request input, browser output, redirects, database access, capabilities, or filesystem behavior.

How to Fix

  • Identify the untrusted value or privileged action involved.
  • Add validation, sanitization, escaping, nonce checks, capability checks, or prepared SQL as appropriate.
  • Rerun Plugin Check after the code path is fixed.

Affected Plugins

Rank | Plugin | Score/Errors/Warnings/Installs/Added/Updated | Top Issue
#151 | ImageMagick Sharpen Resized Images | 542261k+ | Output is not escaped
#152 | WP Login Timeout Settings | 54277700 | Output is not escaped
#153 | WP Post Navigation | 5414231k+ | Output is not escaped
#154 | Ascending Posts by Fly Plugins | 552313500 | Text Domain Mismatch
#155 | Custom Upload Dir | 556375k+ | Missing Arg Domain
#156 | Virtual Robots.txt | 55102140k+ | Input is not validated
#157 | Admin Bar Fix | 564018400 | Text Domain Mismatch
#158 | BotPenguin – Generative AI Chatbot with Live Chat & ChatGPT | 56127700 | Unsafe printing function
#159 | Free Live Chat Support | 56920600 | Output is not escaped
#160 | WP Adsterra Dashboard | 572221400 | wp function not compatible with requires wp
#161 | WP Wrapper | 571329600 | Input is not validated
#162 | Remove CPT base | 58151610k+ | Input is not sanitized
#163 | Chat Button & Custom ChatGPT-Powered Bot by GetButton.io | 5826820k+ | Non-prefixed function
#164 | WP-SWFObject | 6014241k+ | Deprecated parameter: add_option parameter 3
#165 | Compact WP Audio Player | 61122120k+ | Non-prefixed function
#166 | jQuery Lightbox | 612231k+ | Output is not escaped
#167 | WP-UTF8-Excerpt | 611710800 | Unsafe printing function
#168 | WP YouTube Player | 6114171k+ | Output is not escaped
#169 | Zen Menu Logic | 621931k+ | Output is not escaped
#170 | Slightly troublesome permalink | 6324101k+ | Non Singular String Literal Domain
#171 | Evermore | 648121k+ | Input is not validated
#172 | Master Post Advert | 642641k+ | Unsafe printing function
#173 | TP Show Product Images on Checkout Page for WooCommerce | 64165500 | Setting is missing a sanitization callback
#174 | CP Media Player – Audio Player and Video Player | 66224483k+ | Text Domain Mismatch
#175 | Free Property Valuation (Lead Generator) / Kostenlose Immobilienbewertung | 66115600 | Unsafe printing function
#176 | WP Simple Adsense Insertion | 663293k+ | Input is not validated
#177 | Add Logo to Admin | 671437k+ | Unsafe printing function
#178 | Shoutcast Icecast HTML5 Radio Player | 6717101k+ | Input is not validated
#179 | WP Favicon | 68259500 | Non Singular String Literal Domain
#180 | Colorize Mobile Browser Address bar | 692631k+ | Output is not escaped
#181 | Dashboard Commander | 69132900 | Output is not escaped
#182 | Another Mailchimp Widget | 7128174k+ | Missing Translators Comment
#183 | Bootstrap Shortcodes | 7121115k+ | Missing direct file access protection
#184 | Social Chat Widget (⚡ by Callbell) | 71116600 | Output is not escaped
#185 | Customizer for WooCommerce | 721013800 | Nonce verification recommended
#186 | Albacross for WordPress | 731851k+ | Text Domain Mismatch
#187 | Block Plugin Update | 739106k+ | Missing direct file access protection
#188 | Freetobook Responsive Widget | 73514500 | Input is not sanitized
#189 | Datareporter Webcare | 741221700 | Non-prefixed global variable
#190 | Vello Booking Calendar | 74102500 | Unsafe printing function
#191 | FareHarbor for WordPress | 751899k+ | Output is not escaped
#192 | Logos Reftagger | 75121510k+ | Deprecated parameter: add_option parameter 3
#193 | wp-forecast | 752631175k+ | Missing Arg Domain
#194 | Custom Cursor For WP | 771071k+ | Setting is missing a sanitization callback
#195 | FD Footnotes Plugin | 772851k+ | Non Singular String Literal Domain
#196 | Modern Footnotes | 771866k+ | Output is not escaped
#197 | Tock Widget | 7869400 | Missing direct file access protection
#198 | WP Automatic Updates | 79507400 | Text Domain Mismatch
#199 | WP Updates Settings | 7978900 | Unsafe printing function
#200 | Fix Another Update In Progress | 80718k+ | Output is not escaped