| #1 | BulletProof Security | 0 | 5,048 | 4,949 | 20k+ | | | Output is not escaped |
| #2 | Intercom | 0 | 60 | 71 | 6k+ | | | Non-prefixed function |
| #3 | Live Shopping & Shoppable Videos For WooCommerce | 0 | 78 | 175 | 400 | | | Non-prefixed global variable |
| #4 | Themify Builder | 9 | 5,195 | 2,096 | 5k+ | | | Text Domain Mismatch |
| #5 | JetBackup – Backup, Restore & Migrate | 10 | 1,559 | 145 | 100k+ | | | Exception output is not escaped |
| #6 | WPtouch – Make your WordPress Website Mobile-Friendly | 17 | 1,466 | 325 | 50k+ | | | Text Domain Mismatch |
| #7 | Prime Slider Addons for Elementor | 18 | 3,500 | 230 | 100k+ | | | Text Domain Mismatch |
| #8 | Podlove Podcast Publisher | 18 | 2,326 | 1,429 | 3k+ | | | Output is not escaped |
| #9 | Download Monitor | 19 | 425 | 1,364 | 80k+ | | | Non-prefixed hook name |
| #10 | Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution | 19 | 1,218 | 901 | 100k+ | | | Exception output is not escaped |
| #11 | Matomo Analytics – Powerful, Privacy-First Insights for WordPress | 19 | 1,909 | 878 | 100k+ | | | Exception output is not escaped |
| #12 | Realtyna Organic IDX plugin + WPL Real Estate | 19 | 947 | 3,653 | 2k+ | | | Non-prefixed global variable |
| #13 | Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | 19 | 541 | 385 | 3m+ | | | Missing Translators Comment |
| #14 | WordLift – AI powered SEO – Schema | 19 | 393 | 955 | 400 | | | Non-prefixed hook name |
| #15 | WP Import Export Lite | 19 | 737 | 979 | 40k+ | | | Non-prefixed global variable |
| #16 | MBE eShip | 20 | 527 | 740 | 1k+ | | | Non-prefixed global variable |
| #17 | Brevo – Email, SMS, Web Push, Chat, and more. | 20 | 460 | 646 | 100k+ | | | Request data is not unslashed |
| #18 | Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization | 20 | 1,292 | 2,683 | 9k+ | | | Output is not escaped |
| #19 | Microthemer Lite – Visual Editor to Customize CSS | 20 | 1,004 | 1,699 | 10k+ | | | Non-prefixed global variable |
| #20 | Backup Migration | 21 | 981 | 1,093 | 80k+ | | | Non-prefixed global variable |
| #21 | rtMedia for WordPress, BuddyPress and bbPress | 21 | 363 | 633 | 8k+ | | | Non-prefixed constant |
| #22 | CartFlows – Funnel Builder & Checkout Plugin for WooCommerce | 21 | 462 | 654 | 200k+ | | | Text Domain Mismatch |
| #23 | Smart Grid-Layout Design for Contact Form 7 | 21 | 1,126 | 734 | 10k+ | | | Output is not escaped |
| #24 | Comet Cache | 21 | 857 | 245 | 20k+ | | | Output is not escaped |
| #25 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | | | Output is not escaped |
| #26 | Ebook Store | 21 | 666 | 1,087 | 700 | | | Non-prefixed global variable |
| #27 | eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams | 21 | 186 | 437 | 9k+ | | | Non-prefixed global variable |
| #28 | FileOrganizer – WordPress File Manager | 21 | 536 | 241 | 200k+ | | | unlink unlink |
| #29 | Mergado Pack | 21 | 2,323 | 588 | 700 | | | Output is not escaped |
| #30 | Packeta | 21 | 802 | 333 | 8k+ | | | Exception output is not escaped |
| #31 | User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor | 21 | 696 | 1,483 | 50k+ | | | Nonce verification recommended |
| #32 | Smart Forms – when you need more than just a contact form | 21 | 776 | 574 | 5k+ | | | Output is not escaped |
| #33 | UPC/EAN/GTIN Barcode Generator/Importer | 21 | 776 | 311 | 500 | | | Exception output is not escaped |
| #34 | WebP Express | 21 | 160 | 427 | 300k+ | | | Non-prefixed global variable |
| #35 | PPOM – Product Addons & Custom Fields for WooCommerce | 21 | 336 | 1,322 | 20k+ | | | Non-prefixed global variable |
| #36 | Wordfence Security – Firewall, Malware Scan, and Login Security | 21 | 1,592 | 2,973 | 5m+ | | | Output is not escaped |
| #37 | WP Compress – Instant Performance & Speed Optimization | 21 | 3,349 | 3,218 | 10k+ | | | Non Singular String Literal Domain |
| #38 | WP phpMyAdmin | 21 | 4,528 | 6,435 | 50k+ | | | Missing Arg Domain |
| #39 | wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin | 21 | 1,811 | 1,432 | 70k+ | | | Output is not escaped |
| #40 | WP Extended – The Ultimate WordPress Toolkit | 21 | 1,253 | 398 | 600 | | | Non Singular String Literal Domain |
| #41 | WebTotem Security | 21 | 1,110 | 213 | 900 | | | Text Domain Mismatch |
| #42 | Frontend Admin by DynamiApps | 22 | 5,922 | 3,208 | 10k+ | | | Text Domain Mismatch |
| #43 | Booking for Appointments and Events Calendar – Amelia | 22 | 1,489 | 480 | 90k+ | | | Exception output is not escaped |
| #44 | Borderless – Addons and Templates for Elementor | 22 | 438 | 1,388 | 5k+ | | | Non-prefixed global variable |
| #45 | Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots | 22 | 1,607 | 2,018 | 10k+ | | | Direct Query |
| #46 | BuddyPress | 22 | 583 | 9,008 | 100k+ | | | Non-prefixed function |
| #47 | Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer | 22 | 2,858 | 1,270 | 50k+ | | | Text Domain Mismatch |
| #48 | Code Profiler – WordPress Performance Profiling and Debugging Made Easy | 22 | 265 | 400 | 8k+ | | | Non-prefixed global variable |
| #49 | Directorist: AI-Powered Business Directory, Listings & Classified Ads | 22 | 443 | 2,129 | 20k+ | | | Non-prefixed global variable |
| #50 | Download Manager | 22 | 2,290 | 1,301 | 100k+ | | | Output is not escaped |
