| #1 | RestroPress – Online Food Ordering System | 18 | 521 | 3,083 | 1k+ | | | Non-prefixed global variable |
| #2 | Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution | 19 | 1,218 | 901 | 100k+ | | | Exception output is not escaped |
| #3 | پلاگین پرداخت دلخواه | 20 | 584 | 446 | 900 | | | Text Domain Mismatch |
| #4 | WPJAM Basic | 20 | 328 | 356 | 4k+ | | | Output is not escaped |
| #5 | Backup Migration | 21 | 981 | 1,093 | 80k+ | | | Non-prefixed global variable |
| #6 | Captcha Them All | 21 | 300 | 323 | 6k+ | | | Output is not escaped |
| #7 | DELUCKS SEO | 21 | 362 | 1,171 | 400 | | | Missing nonce verification |
| #8 | Ebook Store | 21 | 666 | 1,087 | 700 | | | Non-prefixed global variable |
| #9 | EventPrime – Events Calendar, Bookings and Tickets | 21 | 872 | 4,297 | 7k+ | | | Non-prefixed global variable |
| #10 | FACTO – Facturación Electrónica | 21 | 220 | 245 | 400 | | | Request data is not unslashed |
| #11 | FileOrganizer – WordPress File Manager | 21 | 536 | 241 | 200k+ | | | unlink unlink |
| #12 | Mergado Pack | 21 | 2,323 | 588 | 700 | | | Output is not escaped |
| #13 | Mooberry Book Manager | 21 | 1,040 | 399 | 1k+ | | | Text Domain Mismatch |
| #14 | Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred | 21 | 1,469 | 3,333 | 10k+ | | | Non-prefixed global variable |
| #15 | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | 21 | 1,918 | 5,065 | 10k+ | | | Non-prefixed hook name |
| #16 | Smart Forms – when you need more than just a contact form | 21 | 776 | 574 | 5k+ | | | Output is not escaped |
| #17 | UPC/EAN/GTIN Barcode Generator/Importer | 21 | 776 | 311 | 500 | | | Exception output is not escaped |
| #18 | All-in-One Video Gallery | 22 | 911 | 2,892 | 20k+ | | | Non-prefixed global variable |
| #19 | Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer | 22 | 2,858 | 1,270 | 50k+ | | | Text Domain Mismatch |
| #20 | RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | 22 | 3,654 | 5,061 | 8k+ | | | Non-prefixed global variable |
| #21 | File Manager Pro – Filester | 22 | 565 | 391 | 100k+ | | | Request data is not unslashed |
| #22 | FireBox Popups – Increase Sales and Grow Your Email List | 22 | 153 | 812 | 7k+ | | | Non-prefixed global variable |
| #23 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | 22 | 409 | 236 | 700k+ | | | Text Domain Mismatch |
| #24 | InfiniteWP Client | 22 | 2,286 | 1,812 | 200k+ | | | Exception output is not escaped |
| #25 | Import WP – Export and Import CSV and XML files to WordPress | 22 | 580 | 330 | 4k+ | | | Exception output is not escaped |
| #26 | Newsletters | 22 | 2,968 | 2,248 | 2k+ | | | Text Domain Mismatch |
| #27 | Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | 22 | 1,581 | 2,326 | 300k+ | | | Non-prefixed global variable |
| #28 | NextScripts: Social Networks Auto-Poster | 22 | 2,408 | 1,133 | 30k+ | | | Output is not escaped |
| #29 | ManageWP Worker | 22 | 507 | 565 | 1m+ | | | Non-prefixed class |
| #30 | File Manager | 22 | 740 | 520 | 1m+ | | | Unsafe printing function |
| #31 | YaySMTP – WP Mail SMTP with Email Logs, Tracking & Reports | 22 | 654 | 435 | 10k+ | | | Exception output is not escaped |
| #32 | Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe | 23 | 9,310 | 26,642 | 1k+ | | | Non-prefixed global variable |
| #33 | FV Flowplayer Video Player | 23 | 1,311 | 1,454 | 20k+ | | | Output is not escaped |
| #34 | Groundhogg — CRM, Newsletters, and Marketing Automation | 23 | 136 | 911 | 2k+ | | | Non-prefixed global variable |
| #35 | Restaurant Menu and Food Ordering | 23 | 385 | 853 | 2k+ | | | Non-prefixed global variable |
| #36 | MPG – Multiple Page Generator, Bulk Landing Pages & Programmatic SEO | 23 | 488 | 580 | 2k+ | | | Missing nonce verification |
| #37 | MyWorks Sync for WooCommerce & QuickBooks Online | 23 | 2,292 | 9,101 | 5k+ | | | Non-prefixed global variable |
| #38 | RSVP and Event Management | 23 | 346 | 622 | 3k+ | | | Direct Query |
| #39 | Local Google Analytics for WordPress – caches external requests | 23 | 551 | 199 | 3k+ | | | Output is not escaped |
| #40 | Softaculous | 23 | 116 | 49 | 10k+ | | | file system operations fread |
| #41 | Lead Form Data Collection to CRM | 23 | 211 | 1,698 | 400 | | | Non-prefixed global variable |
| #42 | پارسی دیت – Parsi Date | 23 | 102 | 289 | 100k+ | | | Non-prefixed hook name |
| #43 | WP STAGING – WordPress Backup, Migration, Clone & Duplicate | 23 | 1,489 | 1,549 | 100k+ | | | Non-prefixed global variable |
| #44 | WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel | 23 | 1,119 | 3,516 | 20k+ | | | Interpolated SQL is not prepared |
| #45 | Zephyr Project Manager | 23 | 667 | 2,454 | 1k+ | | | Non-prefixed global variable |
| #46 | A2 Optimized WP – Turbocharge and secure your WordPress site | 24 | 271 | 231 | 60k+ | | | Missing Arg Domain |
| #47 | Backuply – Backup, Restore, Migrate and Clone | 24 | 704 | 551 | 700k+ | | | Non-prefixed global variable |
| #48 | WOLF – WordPress Posts Bulk Editor and Manager Professional | 24 | 485 | 623 | 4k+ | | | Output is not escaped |
| #49 | RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress | 24 | 828 | 3,665 | 500 | | | Request data is not unslashed |
| #50 | Custom CSS | 24 | 703 | 657 | 1k+ | | | Output is not escaped |
