| #1 | Plugin Check (PCP) | 0 | 128 | 132 | 10k+ | | | Exception output is not escaped |
| #2 | Easy WP SMTP – WordPress SMTP and Email Logs: Gmail SMTP, Office 365, Outlook, Custom SMTP, and more | 15 | 45 | 166 | 500k+ | | | Database parameter is not escaped |
| #3 | MDTF – Meta Data and Taxonomies Filter | 16 | 1,550 | 1,956 | 1k+ | | | Non-prefixed global variable |
| #4 | Efí Bank | 17 | 886 | 553 | 400 | | | Exception output is not escaped |
| #5 | wpForo Forum | 17 | 4,033 | 2,922 | 20k+ | | | Unsafe printing function |
| #6 | WPtouch – Make your WordPress Website Mobile-Friendly | 17 | 1,466 | 325 | 50k+ | | | Text Domain Mismatch |
| #7 | Pagopar – WooCommerce Gateway | 18 | 530 | 1,215 | 400 | | | Non-prefixed global variable |
| #8 | Podlove Podcast Publisher | 18 | 2,326 | 1,429 | 3k+ | | | Output is not escaped |
| #9 | Realtyna Organic IDX plugin + WPL Real Estate | 18 | 930 | 3,636 | 2k+ | | | Non-prefixed global variable |
| #10 | Shopping Cart & eCommerce Store | 18 | 5,459 | 17,298 | 4k+ | | | Non-prefixed global variable |
| #11 | WP Directory Kit | 18 | 2,119 | 2,617 | 2k+ | | | Non-prefixed global variable |
| #12 | WPPizza – A Restaurant Plugin | 18 | 4,689 | 2,703 | 1k+ | | | Text Domain Mismatch |
| #13 | Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution | 19 | 1,218 | 901 | 100k+ | | | Exception output is not escaped |
| #14 | Go Fetch Jobs (for WP Job Manager) | 19 | 1,410 | 1,741 | 700 | | | Non-prefixed global variable |
| #15 | Matomo Analytics – Powerful, Privacy-First Insights for WordPress | 19 | 1,911 | 877 | 100k+ | | | Exception output is not escaped |
| #16 | Razorpay Payment Button Plugin | 19 | 486 | 98 | 2k+ | | | Exception output is not escaped |
| #17 | Membership Plugin – Kadence Memberships | 19 | 5,082 | 2,982 | 9k+ | | | Text Domain Mismatch |
| #18 | Scrollsequence – Cinematic Scroll Image Animation Plugin | 19 | 878 | 1,528 | 4k+ | | | Non-prefixed global variable |
| #19 | WP Email Template | 19 | 342 | 350 | 2k+ | | | Exception output is not escaped |
| #20 | WP Import Export Lite | 19 | 737 | 979 | 40k+ | | | Non-prefixed global variable |
| #21 | WPOSS阿里云对象存储 | 19 | 269 | 315 | 1k+ | | | Non-prefixed namespace |
| #22 | WPQiNiu七牛云对象存储 | 19 | 138 | 612 | 400 | | | Non-prefixed global variable |
| #23 | Filter Everything — WordPress & WooCommerce Filters | 20 | 568 | 730 | 50k+ | | | Output is not escaped |
| #24 | GiveWP – Donation Plugin and Fundraising Platform | 20 | 3,432 | 3,575 | 100k+ | | | Output is not escaped |
| #25 | Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization | 20 | 1,292 | 2,683 | 9k+ | | | Output is not escaped |
| #26 | Pix por Piggly (para Woocommerce) | 20 | 547 | 195 | 4k+ | | | Exception output is not escaped |
| #27 | Powered Cache – Caching and Optimization for WordPress – Easily Improve PageSpeed & Web Vitals Score | 20 | 147 | 231 | 3k+ | | | Exception output is not escaped |
| #28 | Razorpay Payment Button Elementor Plugin | 20 | 479 | 62 | 1k+ | | | Exception output is not escaped |
| #29 | Remove Add to Cart WooCommerce | 20 | 616 | 1,378 | 4k+ | | | Non-prefixed global variable |
| #30 | Razorpay for WooCommerce | 20 | 974 | 855 | 100k+ | | | Non-prefixed function |
| #31 | WP Minify Fix | 20 | 306 | 380 | 800 | | | Output is not escaped |
| #32 | WPJAM Basic | 20 | 328 | 356 | 4k+ | | | Output is not escaped |
| #33 | School Management System – WPSchoolPress | 20 | 353 | 5,275 | 1k+ | | | Non-prefixed global variable |
| #34 | Store Locator WordPress | 21 | 2,372 | 1,572 | 10k+ | | | Text Domain Mismatch |
| #35 | Forumax – AI Powered Advanced Community Forum Plugin | 21 | 4,936 | 4,357 | 600 | | | Text Domain Mismatch |
| #36 | Booking Ultra Pro Appointments Booking Calendar Plugin | 21 | 761 | 2,083 | 400 | | | Request data is not unslashed |
| #37 | rtMedia for WordPress, BuddyPress and bbPress | 21 | 363 | 633 | 8k+ | | | Non-prefixed constant |
| #38 | CartFlows – Funnel Builder & Checkout Plugin for WooCommerce | 21 | 462 | 654 | 200k+ | | | Text Domain Mismatch |
| #39 | Free Downloads WooCommerce | 21 | 430 | 359 | 4k+ | | | Output is not escaped |
| #40 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | | | Output is not escaped |
| #41 | eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams | 21 | 186 | 437 | 9k+ | | | Non-prefixed global variable |
| #42 | Feeds for YouTube (YouTube video, channel, and gallery plugin) | 21 | 558 | 978 | 100k+ | | | Output is not escaped |
| #43 | FileOrganizer – WordPress File Manager | 21 | 536 | 241 | 200k+ | | | unlink unlink |
| #44 | Formidable Forms – WordPress Form Builder for Contact Forms, Calculators, Quizzes & More | 21 | 52 | 1,959 | 300k+ | | | Non-prefixed global variable |
| #45 | Campaign Monitor for WordPress | 21 | 386 | 461 | 2k+ | | | Non-prefixed global variable |
| #46 | MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder | 21 | 1,133 | 3,011 | 2k+ | | | Non-prefixed global variable |
| #47 | Mapster WP Maps | 21 | 3,440 | 2,903 | 3k+ | | | Text Domain Mismatch |
| #48 | Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages | 21 | 1,173 | 2,983 | 9k+ | | | Non-prefixed global variable |
| #49 | Five Star Restaurant Reservations – WordPress Booking Plugin | 21 | 1,099 | 1,147 | 10k+ | | | Output is not escaped |
| #50 | Accept Stripe Payments | 21 | 373 | 882 | 20k+ | | | Missing nonce verification |