| ERROR | WordPress.Security.EscapeOutput.HeredocOutputNotEscaped | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found interpolation in unescaped heredoc. | backend/app/HTTP/Controllers/IframeController.php:36:1 | Security |
| ERROR | WordPress.WP.EnqueuedResources.NonEnqueuedStylesheet | Stylesheets must be registered/enqueued via wp_enqueue_style() | backend/app/HTTP/Controllers/IframeController.php:36:1 | Performance |
| ERROR | PluginCheck.Security.DirectDB.UnescapedDBParameter | Unescaped parameter $sql used in $wpdb->query($sql)\n$sql assigned unsafely at line 20:\n $sql = "ALTER TABLE $table_name MODIFY COLUMN custom_css LONGTEXT NULL;"\n$table_name assigned unsafely at line 19:\n $table_name = Config::withDBPrefix('widgets') | backend/db/Migrations/BASTUpdateCustomCssColumnInWidgetTableMigration.php:21:16 | Security |
| ERROR | WordPress.DB.PreparedSQL.NotPrepared | Use placeholders and $wpdb->prepare(); found $sql | backend/db/Migrations/BASTUpdateCustomCssColumnInWidgetTableMigration.php:21:22 | Security |
| ERROR | PluginCheck.Security.DirectDB.UnescapedDBParameter | Unescaped parameter $sql used in $wpdb->get_results($sql)\n$sql assigned unsafely at line 148:\n $sql = $wpdb->prepare(\n "SELECT\n analytics.widget_id, widgets.name,\n SUM(CASE WHEN analytics.is_clicked = %d THEN %d ELSE %d END) AS visitor_count,\n SUM(CASE WHEN analytics.is_clicked = %d THEN %d ELSE %d END) AS click_count\n FROM \n {$wpdb->prefix}bit_assist_analytics analytics\n INNER JOIN \n {$wpdb->prefix}bit_assist_widgets widgets ON analytics.widget_id = widgets.id\n WHERE \n (analytics.channel_id IS NULL AND (analytics.is_clicked = %d OR analytics.is_clicked = %d))\n AND\n $dateCondition\n GROUP BY \n analytics.widget_id, widgets.name",\n $placeHolder\n )\n$dateCondition assigned unsafely at line 145:\n $dateCondition = 'DATE(analytics.created_at) IS NOT NULL'\n$dateCondition assigned unsafely at line 143:\n $dateCondition = 'DATE(analytics.created_at) = %s'\n$dateCondition assigned unsafely at line 139:\n $dateCondition = 'DATE(analytics.created_at) BETWEEN %s AND %s'\n$placeHolder assigned unsafely at line 142:\n $placeHolder[] = $startDate\n$isDate assigned unsafely at line 115:\n $isDate = preg_match($datePattern, $filterValue) === 1\n$dateRange assigned unsafely at line 122:\n $dateRange = explode(',', $filterValue)\n$startDate assigned unsafely at line 141:\n $startDate = $dateRange[0]\n$dateRange[0] used without escaping.\n$datePattern assigned unsafely at line 114:\n $datePattern = '/\\d{4}-\\d{2}-\\d{2}/'\n$filterValue used without escaping. | backend/app/HTTP/Controllers/AnalyticsController.php:166:39 | Security |
| ERROR | WordPress.DB.PreparedSQL.NotPrepared | Use placeholders and $wpdb->prepare(); found $sql | backend/app/HTTP/Controllers/AnalyticsController.php:166:51 | Security |
| ERROR | WordPress.DateTime.RestrictedFunctions.date_date | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | backend/app/HTTP/Controllers/AnalyticsController.php:180:22 | — |
| ERROR | WordPress.DateTime.RestrictedFunctions.date_date | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | backend/app/HTTP/Controllers/AnalyticsController.php:181:20 | — |
| ERROR | WordPress.Security.EscapeOutput.HeredocOutputNotEscaped | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found interpolation in unescaped heredoc. | backend/app/HTTP/Controllers/IframeController.php:35:1 | Security |
| ERROR | Squiz.PHP.Heredoc.NotAllowed | Use of heredoc and nowdoc syntax ("<<<") is not allowed; use standard strings or inline HTML instead | backend/app/Views/Layout.php:136:14 | — |
