| #1 | Contact Form 7 | 69 | 56 | 39 | 10m+ | | Missing direct file access protection |
| #2 | Elementor Website Builder – more than just a page builder | 35 | 46 | 428 | 10m+ | | Non-prefixed global variable |
| #3 | Yoast SEO – Advanced SEO with real-time guidance and built-in AI | 24 | 159 | 386 | 10m+ | | Non-prefixed global variable |
| #4 | Classic Editor | 63 | 17 | 7 | 9m+ | | Unsafe printing function |
| #5 | LiteSpeed Cache | 35 | 286 | 893 | 7m+ | | Non-prefixed global variable |
| #6 | WooCommerce | 22 | 1,355 | 6,129 | 7m+ | | Non-prefixed global variable |
| #7 | Akismet Anti-spam: Spam Protection | 35 | 33 | 99 | 6m+ | | Non-prefixed global variable |
| #8 | All-in-One WP Migration and Backup | 40 | 28 | 61 | 5m+ | | Missing nonce verification |
| #9 | Site Kit by Google – Analytics, Search Console, AdSense, Speed | 25 | 1,304 | 242 | 5m+ | | Missing direct file access protection |
| #10 | Wordfence Security – Firewall, Malware Scan, and Login Security | 21 | 1,592 | 2,973 | 5m+ | | Output is not escaped |
| #11 | WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More | 31 | 165 | 271 | 5m+ | | Non-prefixed global variable |
| #12 | Yoast Duplicate Post | 70 | 8 | 88 | 4m+ | | Nonce verification recommended |
| #13 | Rank Math SEO – AI SEO Tools to Dominate SEO Rankings | 31 | 45 | 373 | 4m+ | | Non-prefixed global variable |
| #14 | WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin | 36 | 18 | 146 | 4m+ | | Direct Query |
| #15 | All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic | 97 | 19 | 3 | 3m+ | | wp function not compatible with requires wp |
| #16 | Duplicate Page | 40 | 39 | 43 | 3m+ | | Unsafe printing function |
| #17 | Hostinger Tools | 81 | 14 | 22 | 3m+ | | wp function not compatible with requires wp |
| #18 | WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager | 89 | 21 | 30 | 3m+ | | wp function not compatible with requires wp |
| #19 | Jetpack – WP Security, Backup, Speed, & Growth | 23 | 2,821 | 1,303 | 3m+ | | Text Domain Mismatch |
| #20 | Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | 19 | 541 | 385 | 3m+ | | Missing Translators Comment |
| #21 | UpdraftPlus: WP Backup & Migration Plugin | 24 | 277 | 299 | 3m+ | | Non-prefixed global variable |
| #22 | Advanced Custom Fields (ACF®) | 23 | 2,456 | 1,218 | 2m+ | | Text Domain Mismatch |
| #23 | Classic Widgets | 97 | 2 | 3 | 2m+ | | outdated tested upto header |
| #24 | Essential Addons for Elementor – Popular Elementor Templates & Widgets | 63 | 78 | 185 | 2m+ | | wp function not compatible with requires wp |
| #25 | MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) | 25 | 116 | 441 | 2m+ | | Nonce verification recommended |
| #26 | Ultimate Addons for Elementor | 35 | 70 | 226 | 2m+ | | Non-prefixed hook name |
| #27 | Redirection | 34 | 32 | 293 | 2m+ | | Non-prefixed class |
| #28 | WordPress Importer | 25 | 238 | 110 | 2m+ | | Output is not escaped |
| #29 | WPS Hide Login | 41 | 34 | 72 | 2m+ | | Nonce verification recommended |
| #30 | All-In-One Security (AIOS) – Security and Firewall | 24 | 552 | 1,228 | 1m+ | | Non-prefixed global variable |
| #31 | Starter Templates – AI-Powered Templates for Elementor & Gutenberg | 24 | 125 | 396 | 1m+ | | Non-prefixed hook name |
| #32 | Better Search Replace | 39 | 96 | 43 | 1m+ | | Unsafe printing function |
| #33 | Code Snippets | 36 | 34 | 203 | 1m+ | | Nonce verification recommended |
| #34 | Complianz – GDPR/CCPA Cookie Consent | 24 | 487 | 403 | 1m+ | | Missing Arg Domain |
| #35 | CookieYes – Cookie Banner for Cookie Consent (Easy to setup GDPR/CCPA Compliant Cookie Notice) | 87 | 1 | 291 | 1m+ | | Non-prefixed global variable |
| #36 | Custom Post Type UI | 53 | 16 | 23 | 1m+ | | Output is not escaped |
| #37 | Disable Comments – Remove Comments & Stop Spam [Multi-Site Support] | 53 | 15 | 46 | 1m+ | | Non-prefixed global variable |
| #38 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | | Output is not escaped |
| #39 | ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor | 40 | 72 | 348 | 1m+ | | Non-prefixed global variable |
| #40 | EWWW Image Optimizer | 35 | 225 | 729 | 1m+ | | Direct Query |
| #41 | XML Sitemap Generator for Google | 37 | 43 | 79 | 1m+ | | Input is not validated |
| #42 | Hostinger Reach – AI-Powered Email Marketing for WordPress | 40 | 9 | 46 | 1m+ | | Direct Query |
| #43 | Image Optimizer – Optimize Images and Convert to WebP or AVIF | 87 | 14 | 24 | 1m+ | | Missing Translators Comment |
| #44 | Imagify: Optimize Images for Top Speed (Compress & Convert to WebP/AVIF) | 21 | 420 | 861 | 1m+ | | Non-prefixed global variable |
| #45 | Smash Balloon Social Photo Feed – Easy Social Feeds Plugin | 25 | 449 | 1,300 | 1m+ | | Interpolated SQL is not prepared |
| #46 | Limit Login Attempts Security – Login Security, 2FA, Firewall, Brute Force Prevention | 25 | 621 | 602 | 1m+ | | Unsafe printing function |
| #47 | Loco Translate | 26 | 454 | 242 | 1m+ | | Output is not escaped |
| #48 | Loginizer | 25 | 814 | 504 | 1m+ | | Output is not escaped |
| #49 | MC4WP: Mailchimp for WordPress | 57 | | 238 | 1m+ | | Non-prefixed global variable |
| #50 | Maintenance | 99 | 3 | 0 | 1m+ | | strip tags strip tags |
