Viewing 1 replies (of 1 total)
Plugin Author Bowo (@qriouslad)

    @primerpizza thank you for reporting this.

    First of all, let’s take a sampling of what comes out from the Plugin Check Plugin (PCP) for 3+1 of the most popular plugins in the ww.wp.xz.cn directory. The first 3 plugins are by independent developers and the last 1 is an official ww.wp.xz.cn plugin.

    The following is just a small portion / sampling of errors found under the “Security” category in PCP plugin’s checks:

    Elementor (10 million+ active installs):
    https://www.imagebam.com/view/ME170D7Q

    Yoast SEO (10 million+ active installs):
    https://www.imagebam.com/view/ME170D8C

    Contact Form 7 (10 million+ active installs):
    https://www.imagebam.com/view/ME170D9W

    Classic Editor (9 million+ active installs, an official ww.wp.xz.cn plugin):
    https://www.imagebam.com/view/ME170DBY

    Does this mean millions of WordPress sites are at high risk from some form of security breach / vulnerability because of these errors?… most probably not, otherwise you would hear about it very quickly in various online communities / groups / articles / videos.

    Let’s dive a little bit deeper. One example from classic-editor.php at line 449 is the following “Security” error:

    All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.

    The code in question looks like this:

    <label for="classic-editor-allow"><?php _e( 'Yes', 'classic-editor' ); ?></label>

    It basically tries to output an internationalized string ‘Yes’ in the UI, probably as part of the settings UI. Changing the _e() function to the esc_html_e() function will solve the error warning in PCP, but to begin with, there is, as far as I know, no meaningful security implication whatsoever with the original code. Otherwise, security vulnerability disclosure platforms like Patchstack and Wordfence would be flooded with reports on this type of “Security” error.

    What you should be worried about is when you see a plugin having a security vulnerability with no fix being released. It means that a security researcher has responsibly disclosed the vulnerability to the plugin author/developer via Patchstack or Wordfence, but the developer has not responded with a fix after a set period, usually about 7-14 days.

    When that happens, Patchstack / Wordfence will disclose the vulnerability publicly and advise people to not use the plugin due to an obvious and exploitable security vulnerability. They will also notify the ww.wp.xz.cn plugin team, which in turn may decide to temporarily close down the plugin until a fix is released by the plugin author/developer. At this stage, the plugin will not turn up in searches, so WP users cannot install it on their sites.

    Now, as for ASE, if you look at the changelog over the years, there have been several such security vulnerabilities being responsibly disclosed, and they get fixed within 7 days, i.e. in the next release, as ASE has been consistent with the weekly release schedule (every Monday) since v1.0.

    Do note that probably no plugin has been free of incidents involving responsible disclosures of security vulnerabilities, unless it’s a really simple plugin with just a few lines of code, e.g. Classic Widgets (2 million+ active installs with just 2 lines of code). Even WordPress core as recent as v6.8.2 has two ‘medium’ security vulnerabilities, namely CVE-2025-58246 and CVE-2025-58674, which were quickly patched in v6.8.3, which is the current/latest version of WP.

    All of that being said, to your question, “will you take action?”, the answer is yes. Work has begun on addressing the errors raised by the PCP plugin checks, even before you raised the issue here. It’s just going to take a little while as it’s not of the highest priority.

    Will ASE one day be free of all errors when run through PCP?… Hopefully, but most probably not. One thing for sure is that any security vulnerability, the kind that can actually be exploited and have real consequences, will always get the highest priority for a fix.

    You could say that by doing the above, ASE is not being proactive and merely being reactive, which is somewhat true. You can probably also say the same about the plugins listed earlier with 9+ million active installs. It’s just how it is. Just like in life, with limited resources, you pick your battles wisely, and you usually don’t sweat too much about the small stuff.

    Please also kindly remember that the free version of ASE at this point, v8.0.3, has probably taken more than 500 (unpaid) hours of my life (I lost track at some point), which is not insignificant. Developing a plugin for ww.wp.xz.cn is basically volunteer work, and my intent with (the free version) of ASE is to give back to the WordPress community.

    So, the choice always remains in your hands… to install ASE or not. So far though, many ASE users seem to be quite happy with it. One user who manages 500+ websites, probably part of an agency, seems to be quite happy with ASE so far. If you still think it’s too risky, that’s perfectly all right. I hope you find another plugin that meets your strict requirements.

    Thanks again for bringing this up. I appreciate it.
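To make the _e() versus esc_html_e() distinction concrete, here is an added example (not code from the Classic Editor plugin, ASE or the post above) that models the two output paths in plain PHP: a constructed translation table stands in for a .mo file, htmlspecialchars() stands in for WordPress's esc_html(), and translate(), output_unescaped() and output_escaped() are hypothetical stand-ins for __(), _e() and esc_html_e().

```php
<?php
// Added example (not from the Classic Editor plugin): models the difference
// between WordPress's _e() and esc_html_e() using plain PHP. translate(),
// output_unescaped() and output_escaped() are hypothetical stand-ins.

// Constructed translation table; in WordPress this would come from a .mo file.
// The 'No' entry is deliberately given markup to show what escaping guards against.
$translations = [
    'classic-editor' => [
        'Yes' => 'Ja',
        'No'  => 'Nein<b>!</b>',  // constructed: any tag would pass through the same way
    ],
];

// Stand-in for __(): look up a translation, fall back to the original text.
function translate(string $text, string $domain, array $translations): string
{
    return $translations[$domain][$text] ?? $text;
}

// Stand-in for _e(): the translated string goes out with no escaping at all.
function output_unescaped(string $text, string $domain, array $translations): string
{
    return translate($text, $domain, $translations);
}

// Stand-in for esc_html_e(): escape for an HTML text context before output.
// htmlspecialchars() with ENT_QUOTES plays the role of esc_html() here.
function output_escaped(string $text, string $domain, array $translations): string
{
    return htmlspecialchars(translate($text, $domain, $translations), ENT_QUOTES, 'UTF-8');
}

foreach (['Yes', 'No'] as $label) {
    echo '<label>' . output_unescaped($label, 'classic-editor', $translations) . "</label>\n";
    echo '<label>' . output_escaped($label, 'classic-editor', $translations) . "</label>\n";
}
// 'Yes' renders identically either way: this is the case flagged in classic-editor.php.
// 'No' renders raw <b> markup from the first call and &lt;b&gt;...&lt;/b&gt; from
// the second: only a tampered or malformed translation source turns _e() into a
// risk, which is why esc_html_e() is the defence-in-depth form that PCP asks for.
```

The check a practitioner would add to this picture is where translation files are loaded from (languages/ directory, writable or not), since that, not the _e() call itself, decides whether the unescaped path is reachable by anything untrusted.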

The topic ‘Plugin check detects many many many errors’ is closed to new replies.