Manage Google AdSense ads, banners, ad rotation, sticky widgets, AMP ads, ads.txt, tracking, header and footer code, PHP code, global custom fields
Category Scores
Top Issues by Category
security4,512
maintainability291
Issues Details
5,052 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '" <option value='*$client*'>$client</option>\n"'.
All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'.
$_COOKIE[$ai_cookie_name] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a non-sanitized input variable: $_COOKIE[$ai_cookie_name]
Processing form data without nonce verification.
rand() is discouraged. Use the far less predictable wp_rand() instead.
Multiple placeholders in translatable strings should be ordered. Expected "%1$d, %2$d", but got "%d, %d" in 'Warning: only exceptions for %d posts cleared, %d posts still have exceptions'.
Mismatched text domain. Expected 'ad-inserter' but got 'dst'.
Processing form data without nonce verification.
Scripts must be registered/enqueued via wp_enqueue_script()
Detected usage of a possibly undefined superglobal array index: $_GET['adsense-client-secret']. Check that the array index exists before using it.
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Document with ID '{$id}' isn't loaded. Use phpQuery::newDocument(\$html) or phpQuery::newDocumentFile(\$file) first."'.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
mt_rand() is discouraged. Use the far less predictable wp_rand() instead.
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
var_dump() found. Debug code should not normally be used in production.
error_reporting() can lead to full path disclosure.
parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Stylesheets must be registered/enqueued via wp_enqueue_style()
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '" <option value='*$client*'>$client</option>\n"'. | 3,066 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'. | 676 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE[$ai_cookie_name] not unslashed before sanitization. Use wp_unslash() or similar | 238 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE[$ai_cookie_name] | 232 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 210 |
| WordPress.WP.AlternativeFunctions.rand_rand | ERROR | rand() is discouraged. Use the far less predictable wp_rand() instead. | 138 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$d, %2$d", but got "%d, %d" in 'Warning: only exceptions for %d posts cleared, %d posts still have exceptions'. | 120 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'ad-inserter' but got 'dst'. | 35 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 34 |
| WordPress.WP.EnqueuedResources.NonEnqueuedScript | ERROR | Scripts must be registered/enqueued via wp_enqueue_script() | 28 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['adsense-client-secret']. Check that the array index exists before using it. | 26 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 25 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Document with ID '{$id}' isn't loaded. Use phpQuery::newDocument(\$html) or phpQuery::newDocumentFile(\$file) first."'. | 22 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 22 |
| WordPress.WP.AlternativeFunctions.rand_mt_rand | ERROR | mt_rand() is discouraged. Use the far less predictable wp_rand() instead. | 15 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 14 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 11 |
| WordPress.PHP.DevelopmentFunctions.error_log_var_dump | WARNING | var_dump() found. Debug code should not normally be used in production. | 10 |
| WordPress.PHP.DevelopmentFunctions.prevent_path_disclosure_error_reporting | WARNING | error_reporting() can lead to full path disclosure. | 10 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 9 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 8 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 8 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $block | 8 |
| WordPress.WP.EnqueuedResources.NonEnqueuedStylesheet | ERROR | Stylesheets must be registered/enqueued via wp_enqueue_style() | 8 |
| five_star_reviews_detected | ERROR | Linking directly to 5 stars reviews is not allowed. | 7 |
Latest Snapshot
Findings
5,052
Errors
4,241
Warnings
811
Score History
First score snapshot
First scan completed Jun 19, 2026
v2.8.16 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v2.8.16
24
Latest
- Findings
- 5,052
- Errors
- 4,241
- Warnings
- 811
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 24 | 5,052 | 4,241 | 811 | v2.8.16 | 2.0.0 | 2026.06-mvp-static-v2 |
