| #4001 | HT Builder – WordPress Theme Builder for Elementor | 37 | 142 | 41 | 900 | | | Output is not escaped |
| #4002 | HT Contact Form – Drag & Drop Form Builder for WordPress | 25 | 160 | 594 | 10k+ | | | Non-prefixed global variable |
| #4003 | HT Easy GA4 – Google Analytics WordPress Plugin | 31 | 475 | 93 | 6k+ | | | Text Domain Mismatch |
| #4004 | HT Feed | 49 | 76 | 11 | 700 | | | Output is not escaped |
| #4005 | HT Mega Addons for Elementor – Elementor Widgets & Template Builder | 24 | 10,894 | 440 | 70k+ | | | Text Domain Mismatch |
| #4006 | HT Mega – Absolute Addons for WPBakery Page Builder | 31 | 2,740 | 115 | 900 | | | Text Domain Mismatch |
| #4007 | HT Menu – WordPress Mega Menu Builder for Elementor | 37 | 300 | 60 | 3k+ | | | Text Domain Mismatch |
| #4008 | HT Newsletter for Elementor | 86 | 53 | 3 | 700 | | | Text Domain Mismatch |
| #4009 | HT Slider For Elementor | 50 | 884 | 40 | 20k+ | | | Text Domain Mismatch |
| #4010 | WP Team – WordPress Team Member Plugin | 38 | 537 | 36 | 600 | | | Text Domain Mismatch |
| #4011 | HT Form Widget for Elementor and WPForms | 35 | 8 | 9 | 2k+ | | | Output is not escaped |
| #4012 | Htaccess File Editor – Easily Edit, Backup, Restore .htaccess file | 95 | 11 | 15 | 10k+ | | | Non-prefixed global variable |
| #4013 | HTACCESS IP Blocker | 65 | 5 | 14 | 2k+ | | | Missing nonce verification |
| #4014 | .htaccess Site Access Control | 37 | 54 | 67 | 800 | | | Input is not sanitized |
| #4015 | html after URL | 97 | 3 | 2 | 4k+ | | | Missing direct file access protection |
| #4016 | HTML Editor Syntax Highlighter | 42 | 30 | 21 | 50k+ | | | Output is not escaped |
| #4017 | HTML Forms – Simple WordPress Forms Plugin | 36 | 231 | 166 | 10k+ | | | Output is not escaped |
| #4018 | HTML Page Sitemap (Block and Shortcode) | 98 | 3 | 4 | 10k+ | | | wp function not compatible with requires wp |
| #4019 | HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player | 100 | | 0 | 10k+ | | | No open findings |
| #4020 | HTML5 Cumulus | 39 | 132 | 33 | 1k+ | | | Output is not escaped |
| #4021 | HTML5 jQuery Audio Player | 32 | 251 | 153 | 1k+ | | | Unsafe printing function |
| #4022 | HTML5 Maps | 36 | 194 | 160 | 5k+ | | | Output is not escaped |
| #4023 | HTML5 Video Player – Embed and Play Videos in Custom Player | 99 | | 5 | 20k+ | | | Non-prefixed global variable |
| #4024 | HTTP Auth | 97 | 9 | 3 | 6k+ | | | wp function not compatible with requires wp |
| #4025 | HTTP Authentication | 35 | 23 | 6 | 600 | | | Output is not escaped |
| #4026 | HTTP Headers | 59 | 20 | 43 | 50k+ | | | Nonce verification recommended |
| #4027 | SSL Mixed Content Fix | 34 | 53 | 65 | 8k+ | | | Output is not escaped |
| #4028 | HTTP Requests Manager | 36 | 98 | 90 | 1k+ | | | Output is not escaped |
| #4029 | Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS | 36 | 68 | 33 | 6k+ | | | Output is not escaped |
| #4030 | HTTP/2 Server Push | 97 | 4 | 1 | 900 | | | Missing direct file access protection |
| #4031 | Hum | 75 | 8 | 2 | 600 | | | wp function not compatible with requires wp |
| #4032 | Humans TXT | 37 | 159 | 86 | 400 | | | Output is not escaped |
| #4033 | Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN | 24 | 3,410 | 866 | 70k+ | | | Text Domain Mismatch |
| #4034 | Csomagpontok és Címkék WooCommerce-hez | 22 | 2,001 | 769 | 7k+ | | | Text Domain Mismatch |
| #4035 | Hunk Companion | 23 | 2,547 | 687 | 6k+ | | | Text Domain Mismatch |
| #4036 | HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce | 32 | 396 | 142 | 20k+ | | | Output is not escaped |
| #4037 | Huurkalender WP | 93 | 3 | 7 | 800 | | | trademarked term |
| #4038 | Video Gallery by Huzzaz | 97 | 5 | 2 | 900 | | | Non Enqueued Script |
| #4039 | HW Image Widget | 39 | 138 | 41 | 1k+ | | | Output is not escaped |
| #4040 | Hydra Booking — Appointment Scheduling & Booking Calendar | 25 | 238 | 707 | 2k+ | | | Non-prefixed global variable |
| #4041 | Hydrogen Calendar Embeds | 99 | 1 | 0 | 900 | | | outdated tested upto header |
| #4042 | Hyper Cache | 45 | 36 | 100 | 8k+ | | | Non-prefixed global variable |
| #4043 | Hyperlink Group Block | 100 | 1 | 0 | 7k+ | | | Missing direct file access protection |
| #4044 | HyperPay Payments | 98 | 4 | 0 | 600 | | | Missing direct file access protection |
| #4045 | Hyve Lite – AI Chatbot, ChatGPT-Powered Conversational Support | 35 | 1 | 40 | 7k+ | | | Direct Query |
| #4046 | I Agree! Popups | 40 | 54 | 46 | 600 | | | Output is not escaped |
| #4047 | I Order Terms | 44 | 40 | 24 | 1k+ | | | Output is not escaped |
| #4048 | I Recommend This – Love/Like Button for WordPress Posts | 87 | 3 | 49 | 5k+ | | | Direct Query |
| #4049 | 우커머스 포트원 플러그인 (국내 모든 PG를 한 번에) | 34 | 36 | 181 | 700 | | | Nonce verification recommended |
| #4050 | Lawwwing | Textos legales web y Banner de cookies | 90 | 31 | 13 | 700 | | | Text Domain Mismatch |