| #1 | Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | 19 | 541 | 385 | 3m+ | | | Missing Translators Comment |
| #2 | Scrollsequence – Cinematic Scroll Image Animation Plugin | 19 | 878 | 1,528 | 4k+ | | | Non-prefixed global variable |
| #3 | Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) | 20 | 736 | 2,112 | 900 | | | Non-prefixed global variable |
| #4 | DMCA Protection Badge | 20 | 4,425 | 217 | 1k+ | | | Output is not escaped |
| #5 | Event Espresso – Event Registration & Ticketing Sales | 20 | 12,698 | 2,135 | 600 | | | Text Domain Mismatch |
| #6 | MBE eShip | 20 | 527 | 740 | 1k+ | | | Non-prefixed global variable |
| #7 | Store Locator WordPress | 21 | 2,372 | 1,572 | 10k+ | | | Text Domain Mismatch |
| #8 | SMS Extension for Contact Form 7 | 21 | 720 | 1,387 | 400 | | | Non-prefixed global variable |
| #9 | DELUCKS SEO | 21 | 362 | 1,171 | 400 | | | Missing nonce verification |
| #10 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | | | Output is not escaped |
| #11 | ERP: Complete HR, Recruitment, Accounting & CRM Suite with WooCommerce CRM Support | 21 | 829 | 5,966 | 5k+ | | | Direct Query |
| #12 | If-So Dynamic Content – Elementor & All Page Builders Personalization | 21 | 889 | 725 | 7k+ | | | Unsafe printing function |
| #13 | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | 21 | 1,918 | 5,065 | 10k+ | | | Non-prefixed hook name |
| #14 | UPC/EAN/GTIN Barcode Generator/Importer | 21 | 776 | 311 | 500 | | | Exception output is not escaped |
| #15 | WP phpMyAdmin | 21 | 4,528 | 6,435 | 50k+ | | | Missing Arg Domain |
| #16 | Premium Packages – Sell Digital Products Securely | 21 | 2,765 | 2,444 | 3k+ | | | Output is not escaped |
| #17 | RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | 22 | 3,654 | 5,061 | 8k+ | | | Non-prefixed global variable |
| #18 | Download Manager | 22 | 2,290 | 1,301 | 100k+ | | | Output is not escaped |
| #19 | Easy Social Feed – Social Photos Gallery and Post Feed for WordPress | 22 | 1,567 | 1,277 | 30k+ | | | Non-prefixed global variable |
| #20 | Events Manager – Calendar, Bookings, Tickets, and more! | 22 | 4,722 | 5,621 | 70k+ | | | Output is not escaped |
| #21 | Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms | 22 | 1,037 | 722 | 20k+ | | | Unsafe printing function |
| #22 | IMPress for IDX Broker | 22 | 1,085 | 636 | 7k+ | | | Text Domain Mismatch |
| #23 | Unlimited Elements Blocks Library | 22 | 708 | 1,822 | 400 | | | Non-prefixed global variable |
| #24 | Welcart e-Commerce | 22 | 10,377 | 10,896 | 10k+ | | | Text Domain Mismatch |
| #25 | WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell | 22 | 5,996 | 2,790 | 6k+ | | | Text Domain Mismatch |
| #26 | Geo Controller | 23 | 203 | 544 | 1k+ | | | Non-prefixed global variable |
| #27 | Anti-Malware Security and Brute-Force Firewall | 23 | 543 | 965 | 100k+ | | | Output is not escaped |
| #28 | Restaurant Menu and Food Ordering | 23 | 385 | 853 | 2k+ | | | Non-prefixed global variable |
| #29 | Nirweb support | 23 | 254 | 617 | 800 | | | Request data is not unslashed |
| #30 | PayPal Brasil para WooCommerce | 23 | 554 | 328 | 1k+ | | | Unsafe printing function |
| #31 | Postie | 23 | 407 | 261 | 10k+ | | | Output is not escaped |
| #32 | PowerPress Podcasting plugin by Blubrry | 23 | 4,807 | 2,394 | 20k+ | | | Output is not escaped |
| #33 | Smart Marketing SMS and Newsletters Forms | 23 | 2,221 | 1,022 | 1k+ | | | Text Domain Mismatch |
| #34 | teachPress | 23 | 744 | 1,587 | 2k+ | | | SQL query is not prepared |
| #35 | Legal Terms and Conditions Popup for User Login and WooCommerce Checkout | 23 | 524 | 237 | 700 | | | Output is not escaped |
| #36 | Checkout with Zelle on Woocommerce | 23 | 637 | 1,404 | 3k+ | | | Non-prefixed global variable |
| #37 | Widgets on Pages | 23 | 809 | 1,306 | 20k+ | | | Non-prefixed global variable |
| #38 | ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin | 23 | 7,423 | 2,181 | 90k+ | | | Text Domain Mismatch |
| #39 | WP Editor | 23 | 502 | 335 | 20k+ | | | Unsafe printing function |
| #40 | Photo Engine (Media Organizer & Lightroom) | 23 | 252 | 650 | 2k+ | | | Direct Query |
| #41 | Ivory Search – WordPress Search Plugin | 24 | 1,173 | 1,688 | 100k+ | | | Non-prefixed global variable |
| #42 | bBlocks – Essential Gutenberg Blocks & Patterns Collection | 24 | 656 | 1,511 | 700 | | | Non-prefixed global variable |
| #43 | Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) | 24 | 1,837 | 1,063 | 1k+ | | | Text Domain Mismatch |
| #44 | Better Payment – Instant Payments, Donations, Fundraising with Subscriptions & More | 24 | 342 | 930 | 6k+ | | | Non-prefixed global variable |
| #45 | CleanTalk Anti-Spam. Spam Firewall & Bot protection | 24 | 825 | 1,079 | 200k+ | | | Missing nonce verification |
| #46 | Doubly – Cross Domain Copy Paste for WordPress | 24 | 252 | 55 | 10k+ | | | Output is not escaped |
| #47 | FeedWordPress | 24 | 496 | 319 | 9k+ | | | Missing Arg Domain |
| #48 | Connector Wizard (formerly LC Wizard) | 24 | 248 | 464 | 1k+ | | | Non-prefixed function |
| #49 | MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails | 24 | 772 | 3,853 | 1k+ | | | Direct Query |
| #50 | MxChat – AI Chatbot & Content Generation for WordPress | 24 | 3,157 | 1,385 | 2k+ | | | Text Domain Mismatch |
