Author: WP Sharks Author URI: https://cometcache.com Contributors: WebSharks, JasWSInc, raamdev, clavaque Donate link: https://cometcache.
Category Scores
Top Issues by Category
security756
i18n191
maintainability130
Issues Details
1,102 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$_combined'.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$_SERVER['REQUEST_URI']'.
$_GET[$short_name_lc.'ABC'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a non-sanitized input variable: $_FILES[GLOBAL_NS]['tmp_name']['import_options']
Processing form data without nonce verification.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$GLOBAL_NS".
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable().
unlink() is discouraged. Use wp_delete_file() to delete a file.
The $text parameter must be a single text string literal. Found: $string
rename() is discouraged. Use WP_Filesystem::move() to rename a file.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: rmdir().
Translatable string should not be wrapped in HTML. Found: '<em>Note: Understanding the %1$s <a href="http://cometcache.com/r/kb-branched-cache-structure/" target="_blank">Branched Cache Structure</a> is a prerequisite to understanding how Dynamic Version Salts are added to the mix.</em>'
The use of function set_time_limit() is discouraged
Processing form data without nonce verification.
wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir().
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
Detected usage of a possibly undefined superglobal array index: $_SERVER['REQUEST_URI']. Check that the array index exists before using it.
Function "get_site()" requires WordPress 4.6.0, but your plugin minimum supported version is WordPress 4.2.0.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$_combined'. | 498 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 174 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$_SERVER['REQUEST_URI']'. | 84 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET[$short_name_lc.'ABC'] not unslashed before sanitization. Use wp_unslash() or similar | 57 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_FILES[GLOBAL_NS]['tmp_name']['import_options'] | 54 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 50 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$GLOBAL_NS". | 33 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable(). | 16 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 12 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: $string | 11 |
| WordPress.WP.AlternativeFunctions.rename_rename | ERROR | rename() is discouraged. Use WP_Filesystem::move() to rename a file. | 10 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 9 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 9 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 9 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 6 |
| WordPress.WP.AlternativeFunctions.file_system_operations_rmdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: rmdir(). | 6 |
| WordPress.WP.I18n.NoHtmlWrappedStrings | WARNING | Translatable string should not be wrapped in HTML. Found: '<em>Note: Understanding the %1$s <a href="http://cometcache.com/r/kb-branched-cache-structure/" target="_blank">Branched Cache Structure</a> is a prerequisite to understanding how Dynamic Version Salts are added to the mix.</em>' | 6 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function set_time_limit() is discouraged | 5 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 5 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 5 |
| Generic.PHP.ForbiddenFunctions.Found | ERROR | The use of function create_function() is forbidden | 4 |
| WordPress.WP.AlternativeFunctions.file_system_operations_mkdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir(). | 4 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 4 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_SERVER['REQUEST_URI']. Check that the array index exists before using it. | 3 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "get_site()" requires WordPress 4.6.0, but your plugin minimum supported version is WordPress 4.2.0. | 3 |
Latest Snapshot
Findings
1,102
Errors
857
Warnings
245
Score History
First score snapshot
First scan completed Jun 20, 2026
v170220 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v170220
21
Latest
- Findings
- 1,102
- Errors
- 857
- Warnings
- 245
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 21 | 1,102 | 857 | 245 | v170220 | 2.0.0 | 2026.06-mvp-static-v2 |