update_modification_detected
update modification detected
The plugin appears to include its own update or modification mechanism.
Why It Shows Up
Plugin Check found updater code or code that modifies plugin files outside the normal WordPress.org update flow.
Why It Matters
Custom update mechanisms can bypass repository review, surprise site owners, or change executable code after installation.
How to Fix
- Remove custom updater code from WordPress.org releases when it is not needed.
- Do not rewrite plugin source files at runtime.
- If remote updates are intentional outside WordPress.org, document the trust model and protect it with strong validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #601 | Alma – Pay in installments or later for WooCommerce | 41 | 116 | 68 | 1k+ | Exception output is not escaped | ||
| #602 | Unbloater | 41 | 57 | 18 | 5k+ | Output is not escaped | ||
| #603 | WP Club Manager – WordPress Sports Club Plugin | 44 | 171 | 682 | 600 | Non-prefixed global variable | ||
| #604 | Jetpack Search | 45 | 925 | 426 | 5k+ | Text Domain Mismatch | ||
| #605 | Utimate Kit ( Styler ) for WPForms | 45 | 240 | 69 | 20k+ | Missing Arg Domain | ||
| #606 | VietQR | 45 | 32 | 39 | 5k+ | Text Domain Mismatch | ||
| #607 | iControlWP | 47 | 45 | 59 | 1k+ | Missing direct file access protection | ||
| #608 | Jetpack Social | 48 | 829 | 254 | 30k+ | Text Domain Mismatch | ||
| #609 | Easy Updates Manager | 48 | 13 | 182 | 300k+ | Non-prefixed global variable | ||
| #610 | Advanced Automatic Updates | 49 | 26 | 25 | 20k+ | Nonce verification recommended | ||
| #611 | Category Posts in Custom Menu | 49 | 19 | 18 | 2k+ | Output is not escaped | ||
| #612 | Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode | 49 | 148 | 176 | 100k+ | Non-prefixed global variable | ||
| #613 | Easy Property Listings | 49 | 60 | 66 | 5k+ | wp function not compatible with requires wp | ||
| #614 | Booster for WPForms | 50 | 79 | 45 | 800 | Text Domain Mismatch | ||
| #615 | User Activity Tracking and Log | 50 | 30 | 259 | 3k+ | Non-prefixed global variable | ||
| #616 | Automattic For Agencies Client | 53 | 249 | 184 | 20k+ | Text Domain Mismatch | ||
| #617 | Connect Contact Form 7 and Mailchimp | 53 | 236 | 52 | 40k+ | Text Domain Mismatch | ||
| #618 | Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder | 55 | 54 | 692 | 700k+ | Non-prefixed hook name | ||
| #619 | Themeflection Numbers – Number Counter and Animated Numbers | 55 | 224 | 73 | 3k+ | Text Domain Mismatch | ||
| #620 | WP Ultimate Review | 55 | 23 | 381 | 70k+ | Non-prefixed global variable | ||
| #621 | Elementor Beta (Developer Edition) | 57 | 36 | 32 | 30k+ | Output is not escaped | ||
| #622 | Vibe AI – MCP Server for WordPress. Connect Claude, ChatGPT & Cursor | 57 | 11 | 51 | 2k+ | Interpolated SQL is not prepared | ||
| #623 | pensopay Payments v2 | 59 | 413 | 32 | 1k+ | Non Singular String Literal Domain | ||
| #624 | Material Design for WordPress | 60 | 51 | 207 | 800 | Non-prefixed global variable | ||
| #625 | Raptive Ads | 66 | 35 | 29 | 6k+ | Text Domain Mismatch | ||
| #626 | Disabler | 67 | 179 | 37 | 900 | Text Domain Mismatch | ||
| #627 | onOffice for WP-Websites | 67 | 5 | 507 | 1k+ | Non-prefixed global variable | ||
| #628 | Free Assets Library – Openverse/Pixabay 600+ Million Images | 68 | 44 | 36 | 4k+ | Text Domain Mismatch | ||
| #629 | POS Entegratör – Gurmehub Ödeme Eklentisi | 68 | 1,321 | 69 | 1k+ | Text Domain Mismatch | ||
| #630 | Russian Post and EMS for WooCommerce | 68 | 16 | 47 | 1k+ | Non-prefixed global variable | ||
| #631 | WP Disable Automatic Updates | 69 | 14 | 8 | 2k+ | Output is not escaped | ||
| #632 | Stitch Express | 70 | 9 | 6 | 400 | Output is not escaped | ||
| #633 | aapanel WP Toolkit | 71 | 20 | 18 | 2k+ | wp function not compatible with requires wp | ||
| #634 | WP Disables Updates | 75 | 19 | 7 | 800 | Text Domain Mismatch | ||
| #635 | Boxzilla – WordPress Popup Builder | 79 | 4 | 64 | 20k+ | Non-prefixed global variable | ||
| #636 | Klaviyo | 79 | 26 | 86 | 100k+ | Non-prefixed function | ||
| #637 | Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder | 79 | 94 | 733 | 10k+ | Non-prefixed global variable | ||
| #638 | WP Automatic Updates | 79 | 50 | 7 | 400 | Text Domain Mismatch | ||
| #639 | WP Updates Settings | 79 | 7 | 8 | 900 | Unsafe printing function | ||
| #640 | Stream | 81 | 5 | 80 | 80k+ | Direct Query | ||
| #641 | BlogVault Backup & Staging | 82 | 53 | 22 | 80k+ | Missing direct file access protection | ||
| #642 | MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall | 82 | 55 | 22 | 200k+ | Missing direct file access protection | ||
| #643 | The WP Remote WordPress Plugin | 82 | 51 | 24 | 30k+ | Missing direct file access protection | ||
| #644 | Web Stories | 84 | 12 | 63 | 60k+ | Non-prefixed global variable | ||
| #645 | Simple Automatic Updates | 85 | 18 | 1 | 2k+ | Missing Translators Comment | ||
| #646 | GTM Kit – Google Tag Manager & GA4 integration | 87 | 5 | 17 | 30k+ | Missing direct file access protection | ||
| #647 | WP Auto Updater | 87 | 5 | 19 | 7k+ | Database parameter is not escaped | ||
| #648 | Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More | 88 | 20 | 116 | 40k+ | Non-prefixed hook name | ||
| #649 | Piotnet Addons For Elementor | 88 | 744 | 26 | 30k+ | Text Domain Mismatch | ||
| #650 | Three Column Screen Layout | 90 | 5 | 8 | 1k+ | Direct Query |