Manage all updates on your WordPress site. Stay in the know with several optional e-mail notifications and logs. For free.
Category Scores
Top Issues by Category
security242
maintainability209
i18n5
repo_compliance1
Issues Details
457 issues found in latest scan
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$actualSlug'.
Use placeholders and $wpdb->prepare(); found interpolated variable $autoupdates at "ALTER TABLE $autoupdates CONVERT TO CHARACTER SET $db_charset"
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Unescaped parameter $autoupdates used in $wpdb->query()\n$autoupdates assigned unsafely at line 180.
$_GET[$identifier] not unslashed before sanitization. Use wp_unslash() or similar
Simple placeholders should not be quoted in the query string in $wpdb->prepare(). Found: '%s'.
Detected usage of a possibly undefined superglobal array index: $_POST['core_schedule']. Check that the array index exists before using it.
Processing form data without nonce verification.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Attempting a database schema change is discouraged.
Detected usage of a non-sanitized input variable: $_GET[$identifier]
Resource version not set in call to wp_enqueue_style(). This means new versions of the style may not always be loaded due to browser caching.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
The use of function _get_plugin_data_markup_translate() is forbidden
load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed.
Using date_default_timezone_set() and similar isn't allowed, instead use WP internal timezone support.
print_r() found. Debug code should not normally be used in production.
The $text parameter must be a single text string literal. Found: $tab
Tested up to: 6.9 < 7.0. The "Tested up to" value in your plugin is not set to the current version of WordPress. This means your plugin will not show up in searches, as we require plugins to be compatible and documented as tested up to the most recent version of WordPress.
Plugin Updater detected. Detected code which may be altering WordPress update routines. Detected: auto_update_plugin
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 75 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 67 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$actualSlug'. | 62 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $autoupdates at "ALTER TABLE $autoupdates CONVERT TO CHARACTER SET $db_charset" | 54 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 49 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $autoupdates used in $wpdb->query()\n$autoupdates assigned unsafely at line 180. | 42 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET[$identifier] not unslashed before sanitization. Use wp_unslash() or similar | 38 |
| WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder | ERROR | Simple placeholders should not be quoted in the query string in $wpdb->prepare(). Found: '%s'. | 17 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_POST['core_schedule']. Check that the array index exists before using it. | 15 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 10 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 6 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 4 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET[$identifier] | 4 |
| Internal.LineEndings.Mixed | WARNING | File has mixed line endings; this may cause incorrect results | 2 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_style(). This means new versions of the style may not always be loaded due to browser caching. | 2 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 2 |
| Generic.PHP.ForbiddenFunctions.Found | ERROR | The use of function _get_plugin_data_markup_translate() is forbidden | 1 |
| PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFound | WARNING | load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed. | 1 |
| WordPress.DateTime.RestrictedFunctions.timezone_change_date_default_timezone_set | ERROR | Using date_default_timezone_set() and similar isn't allowed, instead use WP internal timezone support. | 1 |
| WordPress.PHP.DevelopmentFunctions.error_log_print_r | WARNING | print_r() found. Debug code should not normally be used in production. | 1 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to esc_attr__(). | 1 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: $tab | 1 |
| outdated_tested_upto_header | ERROR | Tested up to: 6.9 < 7.0. The "Tested up to" value in your plugin is not set to the current version of WordPress. This means your plugin will not show up in searches, as we require plugins to be compatible and documented as tested up to the most recent version of WordPress. | 1 |
| update_modification_detected | WARNING | Plugin Updater detected. Detected code which may be altering WordPress update routines. Detected: auto_update_plugin | 1 |
Latest Snapshot
Findings
457
Errors
159
Warnings
298
Score History
First score snapshot
First scan completed Jun 20, 2026
v3.9.4 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v3.9.4
33
Latest
- Findings
- 457
- Errors
- 159
- Warnings
- 298
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 33 | 457 | 159 | 298 | v3.9.4 | 2.0.0 | 2026.06-mvp-static-v2 |
