WordPress.Security.SafeRedirect.wp_redirect_wp_redirect
wp redirect wp redirect
Plugin Check reported a security-sensitive coding pattern that needs review.
Why It Shows Up
The finding came from a security-focused WordPress coding standard or Plugin Check rule.
Why It Matters
Security findings often involve trust boundaries: request input, browser output, redirects, database access, capabilities, or filesystem behavior.
How to Fix
- Identify the untrusted value or privileged action involved.
- Add validation, sanitization, escaping, nonce checks, capability checks, or prepared SQL as appropriate.
- Rerun Plugin Check after the code path is fixed.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1 | Themify Builder | 9 | 5,210 | 2,122 | 5k+ | Text Domain Mismatch | ||
| #2 | JetBackup – Backup, Restore & Migrate | 10 | 1,563 | 149 | 200k+ | Exception output is not escaped | ||
| #3 | MDTF – Meta Data and Taxonomies Filter | 16 | 1,550 | 1,956 | 1k+ | Non-prefixed global variable | ||
| #4 | AnyComment | 17 | 445 | 449 | 5k+ | Output is not escaped | ||
| #5 | Efí Bank | 17 | 886 | 553 | 400 | Exception output is not escaped | ||
| #6 | WPtouch – Make your WordPress Website Mobile-Friendly | 17 | 1,466 | 325 | 50k+ | Text Domain Mismatch | ||
| #7 | Prime Slider Addons for Elementor | 18 | 3,500 | 229 | 100k+ | Text Domain Mismatch | ||
| #8 | Podlove Podcast Publisher | 18 | 2,333 | 1,435 | 3k+ | Output is not escaped | ||
| #9 | Property Hive | 18 | 1,957 | 6,027 | 3k+ | Missing nonce verification | ||
| #10 | Realtyna Organic IDX plugin + WPL Real Estate | 18 | 930 | 3,636 | 2k+ | Non-prefixed global variable | ||
| #11 | Shopping Cart & eCommerce Store | 18 | 5,541 | 17,397 | 4k+ | Non-prefixed global variable | ||
| #12 | Block Slider – Responsive Image Slider, Video Slider & Post Slider | 19 | 555 | 1,291 | 3k+ | Non-prefixed global variable | ||
| #13 | Download Monitor | 19 | 424 | 1,362 | 80k+ | Non-prefixed hook name | ||
| #14 | Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution | 19 | 1,218 | 901 | 100k+ | Exception output is not escaped | ||
| #15 | Go Fetch Jobs (for WP Job Manager) | 19 | 1,410 | 1,741 | 700 | Non-prefixed global variable | ||
| #16 | AI Infographic Maker | 19 | 1,517 | 599 | 600 | Output is not escaped | ||
| #17 | Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) | 19 | 3,275 | 3,228 | 10k+ | Output is not escaped | ||
| #18 | Netgsm | 19 | 334 | 308 | 1k+ | Setting is missing a sanitization callback | ||
| #19 | Razorpay Payment Button Plugin | 19 | 486 | 98 | 2k+ | Exception output is not escaped | ||
| #20 | Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | 19 | 540 | 389 | 3m+ | Missing Translators Comment | ||
| #21 | Membership Plugin – Kadence Memberships | 19 | 5,082 | 2,982 | 9k+ | Text Domain Mismatch | ||
| #22 | Scrollsequence – Cinematic Scroll Image Animation Plugin | 19 | 878 | 1,528 | 4k+ | Non-prefixed global variable | ||
| #23 | SendPress Newsletters | 19 | 2,293 | 1,422 | 2k+ | Output is not escaped | ||
| #24 | WP Directory Kit | 19 | 1,526 | 2,621 | 2k+ | Non-prefixed global variable | ||
| #25 | WPJAM Basic | 19 | 323 | 348 | 4k+ | Output is not escaped | ||
| #26 | Brizy – Page Builder | 20 | 589 | 720 | 70k+ | Output is not escaped | ||
| #27 | Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) | 20 | 736 | 2,112 | 900 | Non-prefixed global variable | ||
| #28 | DMCA Protection Badge | 20 | 4,425 | 217 | 1k+ | Output is not escaped | ||
| #29 | Event Espresso – Event Registration & Ticketing Sales | 20 | 12,698 | 2,135 | 600 | Text Domain Mismatch | ||
| #30 | Event Organiser | 20 | 1,104 | 544 | 20k+ | Text Domain Mismatch | ||
| #31 | Filter Everything — WordPress & WooCommerce Filters | 20 | 568 | 730 | 50k+ | Output is not escaped | ||
| #32 | GiveWP – Donation Plugin and Fundraising Platform | 20 | 3,428 | 3,559 | 100k+ | Output is not escaped | ||
| #33 | GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership | 20 | 1,832 | 720 | 800 | Non Singular String Literal Domain | ||
| #34 | Leaky Paywall | 20 | 320 | 782 | 700 | Nonce verification recommended | ||
| #35 | Link Library | 20 | 1,941 | 1,397 | 10k+ | Unsafe printing function | ||
| #36 | MBE eShip | 20 | 527 | 740 | 1k+ | Non-prefixed global variable | ||
| #37 | Brevo – Email, SMS, Web Push, Chat, and more. | 20 | 460 | 646 | 100k+ | Request data is not unslashed | ||
| #38 | MAS Videos | 20 | 519 | 1,693 | 1k+ | Non-prefixed global variable | ||
| #39 | Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization | 20 | 1,297 | 2,680 | 9k+ | Output is not escaped | ||
| #40 | Microthemer Lite – Visual Editor to Customize CSS | 20 | 1,004 | 1,699 | 10k+ | Non-prefixed global variable | ||
| #41 | Shipping for Nova Poshta | 20 | 598 | 923 | 500 | Output is not escaped | ||
| #42 | پلاگین پرداخت دلخواه | 20 | 584 | 446 | 900 | Text Domain Mismatch | ||
| #43 | Quill Forms | Conversational Multi Step Forms, Surveys & quizzes | 20 | 401 | 368 | 3k+ | Text Domain Mismatch | ||
| #44 | Razorpay Payment Button Elementor Plugin | 20 | 479 | 62 | 1k+ | Exception output is not escaped | ||
| #45 | Remove Add to Cart WooCommerce | 20 | 616 | 1,378 | 4k+ | Non-prefixed global variable | ||
| #46 | Robin Image Optimizer – Unlimited Image Optimization, WebP & AVIF | 20 | 557 | 541 | 100k+ | Output is not escaped | ||
| #47 | Events Manager – OpenStreetMaps | 20 | 559 | 444 | 700 | Output is not escaped | ||
| #48 | Trace My IP – Visitor IP Tracker, Stats Analytics & Page Views Counter with Email Alerts | 20 | 866 | 338 | 1k+ | wp function not compatible with requires wp | ||
| #49 | Razorpay for WooCommerce | 20 | 974 | 855 | 100k+ | Non-prefixed function | ||
| #50 | Premium Packages – Sell Digital Products Securely | 20 | 2,032 | 2,232 | 3k+ | Non-prefixed global variable |