The really fast and powerful Booking engine for theme/site developers to create any booking or rental sites (tours, cars, events, apartments, yachts)
Category Scores
Top Issues by Category
security1,475
maintainability399
Issues Details
2,270 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$a['desc']'.
Processing form data without nonce verification.
Use placeholders and $wpdb->prepare(); found $booking_obj_id
Mismatched text domain. Expected 'ba-book-everything' but got 'claue'.
$_GET[$ext_field_name] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a non-sanitized input variable: $_GET[$ext_field_name]
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Unescaped parameter $delete_prepared used in $wpdb->query()\n$delete_prepared assigned unsafely at line 660.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Processing form data without nonce verification.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "ajax_babe_booking_calculate_price".
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$field'.
Attempting a database schema change is discouraged.
Detected usage of meta_query, possible slow query.
Detected usage of meta_key, possible slow query.
Detected usage of a possibly undefined superglobal array index: $_GET['post_type']. Check that the array index exists before using it.
Detected usage of meta_value, possible slow query.
print_r() found. Debug code should not normally be used in production.
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching.
error_log() found. Debug code should not normally be used in production.
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$a['desc']'. | 467 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 243 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $booking_obj_id | 221 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'ba-book-everything' but got 'claue'. | 221 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET[$ext_field_name] not unslashed before sanitization. Use wp_unslash() or similar | 191 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET[$ext_field_name] | 156 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 135 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 122 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $delete_prepared used in $wpdb->query()\n$delete_prepared assigned unsafely at line 660. | 94 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 92 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 79 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "ajax_babe_booking_calculate_price". | 74 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 36 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 13 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$field'. | 11 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 10 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_query | WARNING | Detected usage of meta_query, possible slow query. | 10 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 7 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['post_type']. Check that the array index exists before using it. | 7 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_value | WARNING | Detected usage of meta_value, possible slow query. | 6 |
| WordPress.PHP.DevelopmentFunctions.error_log_print_r | WARNING | print_r() found. Debug code should not normally be used in production. | 6 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 6 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching. | 6 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 5 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 5 |
Latest Snapshot
Findings
2,270
Errors
1,184
Warnings
1,086
Score History
First score snapshot
First scan completed Jun 20, 2026
v1.8.24 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v1.8.24
23
Latest
- Findings
- 2,270
- Errors
- 1,184
- Warnings
- 1,086
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 23 | 2,270 | 1,184 | 1,086 | v1.8.24 | 2.0.0 | 2026.06-mvp-static-v2 |
