User Role Editor

User Role Editor WordPress plugin makes user roles and capabilities changing easy. Edit/add/delete WordPress user roles and capabilities.

v4.65Vladimir GaragulyaUpdated 1 month agoAdded 16 years ago700k+ installs90% rating0% support resolved

access editor role security user

Score

117

Errors

145

Warnings

Change

Category Scores

Security0

Repo100

Performance100

Maintainability91

Issues to Review

Prioritized issue groups from the latest Plugin Check scan

262 findings

Security

243

10 issue groups

Maintainability

4 issue groups

ERRORSecurityOutput Not EscapedAll output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$button_number'.100

Category: Security
Occurrences: 100
Severity: error

Sample message

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$button_number'.

WordPress.Security.EscapeOutput.OutputNotEscaped Reference

WARNINGSecurityMissingProcessing form data without nonce verification.46

Category: Security
Occurrences: 46
Severity: warning

Sample message

Processing form data without nonce verification.

WordPress.Security.NonceVerification.Missing

WARNINGSecurityRecommendedProcessing form data without nonce verification.28

Category: Security
Occurrences: 28
Severity: warning

Sample message

Processing form data without nonce verification.

WordPress.Security.NonceVerification.Recommended

WARNINGSecurityMissing Unslash$_GET[$var_name] not unslashed before sanitization. Use wp_unslash() or similar27

Category: Security
Occurrences: 27
Severity: warning

Sample message

$_GET[$var_name] not unslashed before sanitization. Use wp_unslash() or similar

WordPress.Security.ValidatedSanitizedInput.MissingUnslash

WARNINGSecurityInput Not SanitizedDetected usage of a non-sanitized input variable: $_GET[$var_name]22

Category: Security
Occurrences: 22
Severity: warning

Sample message

Detected usage of a non-sanitized input variable: $_GET[$var_name]

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

WARNINGMaintainabilityDirect QueryUse of a direct database call is discouraged.8

Category: Maintainability
Occurrences: 8
Severity: warning

Sample message

Use of a direct database call is discouraged.

WordPress.DB.DirectDatabaseQuery.DirectQuery

WARNINGMaintainabilityNo CachingDirect database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().8

Category: Maintainability
Occurrences: 8
Severity: warning

Sample message

Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().

WordPress.DB.DirectDatabaseQuery.NoCaching

ERRORSecurityNot PreparedUse placeholders and $wpdb->prepare(); found $query8

Category: Security
Occurrences: 8
Severity: error

Sample message

Use placeholders and $wpdb->prepare(); found $query

WordPress.DB.PreparedSQL.NotPrepared

ERRORSecurityUnescaped DBParameterUnescaped parameter $query used in $wpdb->get_col()\n$query assigned unsafely at line 148.4

Category: Security
Occurrences: 4
Severity: error

Sample message

Unescaped parameter $query used in $wpdb->get_col()\n$query assigned unsafely at line 148.

PluginCheck.Security.DirectDB.UnescapedDBParameter

ERRORSecurityQuoted Simple PlaceholderSimple placeholders should not be quoted in the query string in $wpdb->prepare(). Found: '%s'.3

Category: Security
Occurrences: 3
Severity: error

Sample message

Simple placeholders should not be quoted in the query string in $wpdb->prepare(). Found: '%s'.

WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder

Show 4 more

WARNINGSecurityInput Not Validated3

Category: Security
Occurrences: 3
Severity: warning

Sample message

Detected usage of a possibly undefined superglobal array index: $_POST['_wpnonce']. Check that the array index exists before using it.

WordPress.Security.ValidatedSanitizedInput.InputNotValidated

ERRORSecurityUnsupported Identifier Placeholder2

Category: Security
Occurrences: 2
Severity: error

Sample message

The %i modifier is only supported in WP 6.2 or higher. Found: "%i".

WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder

WARNINGMaintainabilityerror log error log2

Category: Maintainability
Occurrences: 2
Severity: warning

Sample message

error_log() found. Debug code should not normally be used in production.

WordPress.PHP.DevelopmentFunctions.error_log_error_log

WARNINGMaintainabilityupgrade notice limit1

Category: Maintainability
Occurrences: 1
Severity: warning

Sample message

The upgrade notice for "[4.65] 21.05.2026" exceeds the limit of 300 characters.

upgrade_notice_limit

Score History

First score snapshot

2 days ago

v4.65

Latest

Findings: 262
Errors: 117
Warnings: 145
Check: 2.0.0

Scan	Score	Findings	Errors	Warnings	Plugin	Check
2 days agoLatest	43	262	117	145	v4.65	2.0.0

Related Plugins

10k+ active installs

100

Stop XML-RPC Attacks

6k+ active installs

100

Advanced Classic Editor

2k+ active installs

Block Navigation

3k+ active installs

BotBlocker Security – Firewall & Bot Protection

3k+ active installs

Emoji Toolbar

2k+ active installs