WordPress.WP.AlternativeFunctions.parse_url_parse_url
parse url parse url
The plugin uses raw URL parsing where WordPress URL helpers may be safer or more compatible.
Why It Shows Up
Plugin Check found `parse_url()` in plugin code.
Why It Matters
URL parsing is easy to get subtly wrong, especially with relative URLs, encoded values, and malformed input.
How to Fix
- Use WordPress helpers such as `wp_parse_url()`, `esc_url_raw()`, `esc_url()`, and `wp_http_validate_url()` where they fit.
- Validate schemes and hosts before using parsed URL parts.
- Do not use parsed URLs to build redirects or requests without allowlisting.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #801 | bpost shipping | 36 | 97 | 43 | 700 | Output is not escaped | ||
| #802 | Contact Form 7 Gated Content | 36 | 122 | 36 | 800 | Short PHP open tag found | ||
| #803 | CP Blocks | 36 | 46 | 38 | 1k+ | wp function not compatible with requires wp | ||
| #804 | Drag and Drop Multiple File Upload for Contact Form 7 | 36 | 82 | 36 | 60k+ | wp function not compatible with requires wp | ||
| #805 | Dynamic Visibility for Elementor | 36 | 56 | 89 | 50k+ | Non-prefixed hook name | ||
| #806 | Product Carousel Slider for Elementor | 36 | 148 | 63 | 1k+ | Text Domain Mismatch | ||
| #807 | Email Before Download | 36 | 89 | 29 | 6k+ | Unsafe printing function | ||
| #808 | Friendly Functions for Welcart | 36 | 311 | 83 | 1k+ | Non Singular String Literal Domain | ||
| #809 | Google Webfont Optimizer | 36 | 45 | 49 | 700 | Output is not escaped | ||
| #810 | HTML Forms – Simple WordPress Forms Plugin | 36 | 231 | 166 | 10k+ | Output is not escaped | ||
| #811 | HTTP Requests Manager | 36 | 98 | 90 | 1k+ | Output is not escaped | ||
| #812 | Italy Cookie Choices (for EU Cookie Law & Cookie Notice) | 36 | 115 | 77 | 10k+ | Unsafe printing function | ||
| #813 | Login as User | 36 | 101 | 64 | 30k+ | Output is not escaped | ||
| #814 | LocalWeb All In One | 36 | 34 | 297 | 5k+ | Non-prefixed global variable | ||
| #815 | M Chart | 36 | 29 | 155 | 3k+ | Non-prefixed global variable | ||
| #816 | News Ticker for Elementor | 36 | 76 | 57 | 2k+ | Text Domain Mismatch | ||
| #817 | Photoswipe Masonry Gallery | 36 | 57 | 47 | 6k+ | Non Singular String Literal Text | ||
| #818 | Quick 301 Redirects | 36 | 89 | 120 | 5k+ | Non-prefixed global variable | ||
| #819 | Rara One Click Demo Import | 36 | 122 | 98 | 20k+ | Missing Translators Comment | ||
| #820 | ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution | 36 | 63 | 667 | 100k+ | Non-prefixed global variable | ||
| #821 | Stripe Tax – Sales tax automation for WooCommerce | 36 | 97 | 61 | 30k+ | Exception output is not escaped | ||
| #822 | Supplier Order Email | 36 | 54 | 105 | 400 | Output is not escaped | ||
| #823 | TrustMate.io – WooCommerce integration | 36 | 251 | 97 | 3k+ | Output is not escaped | ||
| #824 | WP Better Permalinks | 36 | 110 | 59 | 1k+ | Output is not escaped | ||
| #825 | WP Hotel Booking WooCommerce | 36 | 93 | 99 | 1k+ | Output is not escaped | ||
| #826 | WP Socializer – Simple & Easy Social Media Share Icons | 36 | 214 | 51 | 10k+ | Output is not escaped | ||
| #827 | Yandex.Metrica | 36 | 76 | 30 | 60k+ | Output is not escaped | ||
| #828 | WPAvatar | 36 | 425 | 45 | 700 | Unsafe printing function | ||
| #829 | WP fail2ban Blocklist | 36 | 61 | 63 | 3k+ | SQL query is not prepared | ||
| #830 | Adaptive Images for WordPress | 37 | 51 | 75 | 3k+ | Output is not escaped | ||
| #831 | Add From Server | 37 | 52 | 20 | 60k+ | Output is not escaped | ||
| #832 | Add to Cart Redirect for WooCommerce | 37 | 215 | 141 | 8k+ | Text Domain Mismatch | ||
| #833 | Analytics Spam Blocker | 37 | 76 | 22 | 800 | Unsafe printing function | ||
| #834 | Before After Image Comparison Slider for Elementor | 37 | 90 | 41 | 10k+ | Text Domain Mismatch | ||
| #835 | Customize WordPress Emails and Alerts – Better Notifications for WP | 37 | 64 | 47 | 30k+ | Missing Arg Domain | ||
| #836 | bunny.net – WordPress CDN Plugin | 37 | 165 | 159 | 10k+ | Output is not escaped | ||
| #837 | Buying Buddy IDX CRM – Real Estate MLS Plugin | 37 | 70 | 236 | 500 | Request data is not unslashed | ||
| #838 | CDEKDelivery | 37 | 98 | 75 | 2k+ | Exception output is not escaped | ||
| #839 | ClickCease Click Fraud Protection | 37 | 30 | 58 | 10k+ | Non-prefixed class | ||
| #840 | CryptAPI Payment Gateway for WooCommerce | 37 | 187 | 29 | 400 | Text Domain Mismatch | ||
| #841 | EasyMe Connect | 37 | 130 | 45 | 500 | Text Domain Mismatch | ||
| #842 | 果果推送 | 37 | 31 | 56 | 1k+ | Nonce verification recommended | ||
| #843 | Gmail SMTP | 37 | 84 | 73 | 10k+ | Unsafe printing function | ||
| #844 | GoCache | 37 | 273 | 43 | 900 | Non Singular String Literal Domain | ||
| #845 | XML Sitemap Generator for Google | 37 | 43 | 79 | 1m+ | Input is not validated | ||
| #846 | Icegram Mailer – Reliable Email Deliverability, No-code SMTP Replacement & Email logs | 37 | 37 | 102 | 1k+ | Non-prefixed global variable | ||
| #847 | Language Switcher | 37 | 81 | 105 | 1k+ | Missing Translators Comment | ||
| #848 | Lightbox with PhotoSwipe | 37 | 179 | 24 | 20k+ | Output is not escaped | ||
| #849 | MailingBoss WP Plugin | 37 | 108 | 30 | 600 | Output is not escaped | ||
| #850 | MailMunch – Grow your Email List | 37 | 82 | 84 | 6k+ | Output is not escaped |
