| #101 | Discount Rules and Dynamic Pricing for WooCommerce | 28 | 182 | 334 | 10k+ | | | Output is not escaped |
| #102 | Dynamic Product Gallery for WooCommerce | 28 | 414 | 303 | 1k+ | | | Output is not escaped |
| #103 | Email Inquiry & Cart Options for WooCommerce | 28 | 194 | 291 | 800 | | | Output is not escaped |
| #104 | Product Sort and Display for WooCommerce | 28 | 199 | 235 | 2k+ | | | Output is not escaped |
| #105 | WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce | 28 | 177 | 226 | 5k+ | | | Output is not escaped |
| #106 | Page View Count | 29 | 108 | 247 | 10k+ | | | Dynamic hook name |
| #107 | Security Ninja – WordPress Security & Firewall | 29 | 149 | 347 | 7k+ | | | Direct Query |
| #108 | Xpro Addons — 140+ Widgets for Elementor | 29 | 27 | 826 | 30k+ | | | Non-prefixed global variable |
| #109 | WooPayments: Integrated WooCommerce Payments | 30 | 182 | 308 | 900k+ | | | Exception output is not escaped |
| #110 | a3 Lazy Load | 31 | 83 | 240 | 90k+ | | | Dynamic hook name |
| #111 | cformsII | 31 | 777 | 536 | 4k+ | | | Unsafe printing function |
| #112 | MainWP Dashboard: Self-hosted WordPress Management for Agencies | 31 | 95 | 317 | 20k+ | | | Interpolated SQL is not prepared |
| #113 | Stackable – Page Builder Gutenberg Blocks | 31 | 477 | 90 | 100k+ | | | Non Singular String Literal Domain |
| #114 | MapPress Maps for WordPress | 32 | 695 | 133 | 30k+ | | | Missing Arg Domain |
| #115 | Mollie Payments for WooCommerce | 33 | 70 | 123 | 100k+ | | | Dynamic hook name |
| #116 | WP Social AutoConnect | 33 | 290 | 144 | 500 | | | Output is not escaped |
| #117 | Greenshift – animation and page builder blocks | 34 | 33 | 272 | 70k+ | | | Non-prefixed global variable |
| #118 | Easy Booking – WooCommerce Booking & Reservation Plugin | 34 | 138 | 172 | 4k+ | | | Output is not escaped |
| #119 | DesignSetGo | 35 | 7 | 1 | 4k+ | | | Hidden files included |
| #120 | Enlighter – Customizable Syntax Highlighter | 35 | 50 | 10 | 10k+ | | | Output is not escaped |
| #121 | Kustom Checkout for WooCommerce | 35 | 101 | 505 | 10k+ | | | Dynamic hook name |
| #122 | Order Delivery Date for WooCommerce | 35 | 2,060 | 73 | 10k+ | | | wp function not compatible with requires wp |
| #123 | s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions | 35 | 24 | 5 | 8k+ | | | Missing direct file access protection |
| #124 | Simple CAPTCHA with Cloudflare Turnstile | 35 | 82 | 148 | 100k+ | | | Output is not escaped |
| #125 | Simple History – Track, Log, and Audit WordPress Changes | 35 | 32 | 122 | 300k+ | | | Non-prefixed global variable |
| #126 | Two Factor Authentication | 35 | 108 | 139 | 20k+ | | | Output is not escaped |
| #127 | PDF Invoices & Packing Slips for WooCommerce | 35 | 35 | 964 | 300k+ | | | Non-prefixed hook name |
| #128 | CMB2 | 36 | 148 | 19 | 300k+ | | | Output is not escaped |
| #129 | Depicter — Popup & Slider Builder | 36 | 130 | 121 | 80k+ | | | Exception output is not escaped |
| #130 | Max Mega Menu | 37 | 249 | 174 | 300k+ | | | Output is not escaped |
| #131 | Oliver POS – WooCommerce POS for iPhone, iPad & Android | 37 | 15 | 242 | 800 | | | Interpolated SQL is not prepared |
| #132 | WooCommerce PayPal Payments | 37 | 194 | 110 | 800k+ | | | Exception output is not escaped |
| #133 | Jupiter X Core | 38 | 71 | 767 | 80k+ | | | Non-prefixed global variable |
| #134 | ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor | 39 | 73 | 350 | 1m+ | | | Non-prefixed global variable |
| #135 | Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid | 39 | 65 | 72 | 6k+ | | | block api version too low |
| #136 | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | 42 | 2,583 | 1,823 | 10k+ | | | Text Domain Mismatch |
| #137 | YayMail – WooCommerce Email Customizer | 51 | 163 | 788 | 50k+ | | | Non-prefixed global variable |
| #138 | WP Table Builder – Drag & Drop Table Builder | 57 | 63 | 39 | 50k+ | | | Not Allowed |
| #139 | Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Membership, Subscribers and Landing Pages | 62 | 81 | 100 | 40k+ | | | Missing direct file access protection |
| #140 | Royal MCP – Secure AI Connector for Claude, ChatGPT & Gemini | 64 | 6 | 34 | 6k+ | | | Interpolated SQL is not prepared |
| #141 | WordPress REST API (Version 2) | 82 | 476 | 13 | 10k+ | | | Missing Arg Domain |
| #142 | WP Ghost (Hide My WP Ghost) – Security & Firewall | 85 | 6 | 373 | 100k+ | | | Non-prefixed global variable |
| #143 | VK Blocks | 85 | 79 | 4 | 100k+ | | | Missing direct file access protection |
| #144 | Tickera – Sell Tickets & Manage Events | 87 | 7 | 54 | 2k+ | | | Non-prefixed hook name |
| #145 | WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce | 90 | | 20 | 20k+ | | | Non-prefixed function |
| #146 | OptionTree | 93 | 165 | 2 | 50k+ | | | Text Domain Mismatch |
| #147 | MyParcel | 94 | 2 | 84 | 8k+ | | | Non-prefixed global variable |
| #148 | Multibanco, MB WAY, Credit card, Apple Pay, Google Pay, Payshop, Cofidis Pay, and PIX (ifthenpay) for WooCommerce | 95 | | 86 | 8k+ | | | Non-prefixed function |
| #149 | Print Invoice & Delivery Notes for WooCommerce | 95 | 5 | 58 | 30k+ | | | Non-prefixed global variable |
| #150 | WP Offload Media Lite for Amazon S3, DigitalOcean Spaces, and Google Cloud Storage | 96 | 8 | 12 | 30k+ | | | Missing direct file access protection |