| #1 | BulletProof Security | 0 | 5,048 | 4,949 | 20k+ | | | Output is not escaped |
| #2 | WPtouch – Make your WordPress Website Mobile-Friendly | 17 | 1,466 | 325 | 50k+ | | | Text Domain Mismatch |
| #3 | WPPizza – A Restaurant Plugin | 18 | 4,689 | 2,703 | 1k+ | | | Text Domain Mismatch |
| #4 | Robin Image Optimizer – Unlimited Image Optimization, WebP & AVIF | 20 | 557 | 541 | 100k+ | | | Output is not escaped |
| #5 | Booking Ultra Pro Appointments Booking Calendar Plugin | 21 | 761 | 2,083 | 400 | | | Request data is not unslashed |
| #6 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | | | Output is not escaped |
| #7 | Wordfence Security – Firewall, Malware Scan, and Login Security | 21 | 1,592 | 2,973 | 5m+ | | | Output is not escaped |
| #8 | Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer | 22 | 2,858 | 1,270 | 50k+ | | | Text Domain Mismatch |
| #9 | NextScripts: Social Networks Auto-Poster | 22 | 2,408 | 1,133 | 30k+ | | | Output is not escaped |
| #10 | SSL Zen — SSL Certificate Installer & HTTPS Redirects | 22 | 778 | 1,575 | 10k+ | | | Non-prefixed global variable |
| #11 | ManageWP Worker | 22 | 507 | 565 | 1m+ | | | Non-prefixed class |
| #12 | GAinWP Google Analytics Integration for WordPress | 23 | 525 | 176 | 8k+ | | | Output is not escaped |
| #13 | Next Active Directory Integration | 23 | 683 | 284 | 2k+ | | | Exception output is not escaped |
| #14 | AI Popup | 23 | 1,224 | 636 | 400 | | | Text Domain Mismatch |
| #15 | Local Google Analytics for WordPress – caches external requests | 23 | 551 | 199 | 3k+ | | | Output is not escaped |
| #16 | WP Migrate Lite – Migration Made Easy | 23 | 369 | 255 | 200k+ | | | Exception output is not escaped |
| #17 | Anti Spam and list cleaner – AcyChecker | 24 | 462 | 88 | 400 | | | Output is not escaped |
| #18 | AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress | 24 | 5,230 | 1,464 | 7k+ | | | Output is not escaped |
| #19 | Assets manager, dequeue scripts, dequeue styles for WordPress | 24 | 592 | 255 | 2k+ | | | Output is not escaped |
| #20 | Social Slider Feed – Social Media Feed & Gallery Widgets | 24 | 929 | 707 | 20k+ | | | Non-prefixed global variable |
| #21 | Disable Updates – Updates Manager, Disable Automatic Updates, Disable All Updates | 24 | 522 | 135 | 10k+ | | | Output is not escaped |
| #22 | Disable Comments & Delete All Comments | 25 | 503 | 185 | 9k+ | | | Output is not escaped |
| #23 | Cryptocurrency Payment Gateway | 25 | 1,963 | 589 | 400 | | | Text Domain Mismatch |
| #24 | Disable Admin Notices – Hide Dashboard Notifications | 25 | 465 | 195 | 100k+ | | | Output is not escaped |
| #25 | WP-DownloadManager | 25 | 607 | 508 | 3k+ | | | Unsafe printing function |
| #26 | WP-Polls | 25 | 618 | 639 | 40k+ | | | Unsafe printing function |
| #27 | WP Popups – WordPress Popup builder | 25 | 440 | 342 | 30k+ | | | Output is not escaped |
| #28 | Visitors Online by BestWebSoft | 26 | 512 | 269 | 1k+ | | | Text Domain Mismatch |
| #29 | BackUpWordPress | 27 | 245 | 271 | 90k+ | | | Non-prefixed global variable |
| #30 | Cyrlitera – Transliteration of Links and File Names | 27 | 453 | 204 | 40k+ | | | Output is not escaped |
| #31 | WP-DBManager | 27 | 386 | 304 | 60k+ | | | Non-prefixed global variable |
| #32 | Better Google Analytics | 29 | 376 | 869 | 2k+ | | | Non-prefixed global variable |
| #33 | Countdown, Coming Soon, Maintenance – Countdown & Clock | 29 | 1,735 | 143 | 10k+ | | | Non Singular String Literal Domain |
| #34 | WP-PostRatings | 29 | 425 | 384 | 30k+ | | | Output is not escaped |
| #35 | Analytics Insights – Google Analytics Dashboard for WordPress | 30 | 241 | 170 | 10k+ | | | Unsafe printing function |
| #36 | Popup Builder – Create highly converting, mobile friendly marketing popups. | 30 | 26 | 722 | 200k+ | | | Non-prefixed global variable |
| #37 | Rublon Multi-Factor Authentication (MFA) | 30 | 216 | 160 | 500 | | | Output is not escaped |
| #38 | User Avatar – Reloaded | 30 | 352 | 171 | 900 | | | Text Domain Mismatch |
| #39 | Affiliate Coupons – Coupon Display Manager – Excellent Tool for Affiliate Marketers | 32 | 183 | 61 | 1k+ | | | Output is not escaped |
| #40 | Quick Featured Images | 32 | 436 | 323 | 50k+ | | | Non-prefixed global variable |
| #41 | WP-Stats | 32 | 237 | 126 | 2k+ | | | Output is not escaped |
| #42 | Companion Sitemap Generator – Simple, Smart, and SEO-Ready | 33 | 118 | 57 | 7k+ | | | Missing Translators Comment |
| #43 | WP-UserOnline | 33 | 111 | 161 | 10k+ | | | Output is not escaped |
| #44 | Multi Step Form | 34 | 277 | 136 | 9k+ | | | Output is not escaped |
| #45 | One User Avatar \| User Profile Picture | 34 | 68 | 190 | 100k+ | | | Non-prefixed global variable |
| #46 | Search Engine Insights for Google Search Console | 34 | 174 | 113 | 2k+ | | | Output is not escaped |
| #47 | Ultimate Post List | 35 | 186 | 84 | 2k+ | | | Missing Arg Domain |
| #48 | WP-PageNavi | 35 | 84 | 95 | 500k+ | | | Non Singular String Literal Domain |
| #49 | WP-PostViews | 35 | 132 | 64 | 100k+ | | | Unsafe printing function |
| #50 | WP-Print | 35 | 110 | 52 | 8k+ | | | Unsafe printing function |