Real-time messaging and chat rooms for the WordPress ecosystem: private conversations, public and private chat rooms, video & audio calls, and more.
Category Scores
Top Issues by Category
- security: 1,847
- maintainability: 1,369
Issues Details
3,623 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 535 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $activity_sql | 492 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 466 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $base at "$base AND {$wpdb->posts}.post_type = %s ORDER BY meta_key ASC LIMIT %d" | 342 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Since $package $version: "'. | 260 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $bulk_jobs_table used in $wpdb->get_row(). $bulk_jobs_table assigned unsafely at line 133. | 248 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $ai_usage_table used in $wpdb->get_col(). $ai_usage_table assigned unsafely at line 1948. | 159 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 155 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"$name not found on class"'. | 154 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "after_wcfm_bpbm_messages". | 94 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$__composer_autoload_files". | 68 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['bm-unsubscribe'] not unslashed before sanitization. Use wp_unslash() or similar | 50 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 43 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 43 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['plugin'] | 42 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 34 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "wp_register_ability()" requires WordPress 6.9.0, but your plugin minimum supported version is WordPress 5.9.0. | 28 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 26 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 22 |
| WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber | WARNING | Incorrect number of replacements passed to $wpdb->prepare(). Found 1 replacement parameters, expected 2. | 21 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 20 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'. | 19 |
| PluginCheck.CodeAnalysis.WriteFile.ABSPATHDetected | WARNING | Writing files using ABSPATH may be problematic. Consider using wp_upload_dir() instead if storing user data or generated files. | 17 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 17 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 16 |
Latest Snapshot
- Findings: 3,623
- Errors: 1,604
- Warnings: 2,019
Score History
First score snapshot
First scan completed Jun 20, 2026
v2.15.13 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026 (Latest) | 22 | 3,623 | 1,604 | 2,019 | v2.15.13 | 2.0.0 | 2026.06-mvp-static-v2 |