| ERROR | PluginCheck.Security.DirectDB.UnescapedDBParameter | Unescaped parameter $base_query used in $wpdb->get_results($wpdb->prepare($base_query, $pagination_params))\n$base_query assigned unsafely at line 97:\n $base_query = "\r\n SELECT \r\n tl.log_id,\r\n tl.start_time,\r\n tl.end_time,\r\n tl.time_type,\r\n tl.activity,\r\n tl.priority,\r\n tl.work_description,\r\n tl.technician_id,\r\n tl.job_id,\r\n tl.device_data,\r\n tl.log_state,\r\n tl.total_minutes,\r\n tl.hourly_rate,\r\n tl.hourly_cost,\r\n tl.is_billable,\r\n tl.approved_by,\r\n tl.approved_at,\r\n tl.rejection_reason,\r\n tl.created_at,\r\n p.post_title as job_title,\r\n pm.meta_value as customer_id,\r\n u.display_name as technician_name,\r\n cu.display_name as customer_name,\r\n cu.user_email as customer_email\r\n FROM {$table_name} tl\r\n LEFT JOIN {$wpdb->posts} p ON tl.job_id = p.ID\r\n LEFT JOIN {$wpdb->postmeta} pm ON tl.job_id = pm.post_id AND pm.meta_key = '_customer'\r\n LEFT JOIN {$wpdb->users} u ON tl.technician_id = u.ID\r\n LEFT JOIN {$wpdb->users} cu ON pm.meta_value = cu.ID\r\n WHERE {$where_clause}\r\n ORDER BY tl.log_id DESC\r\n LIMIT %d OFFSET %d\r\n "\n$table_name assigned unsafely at line 17:\n $table_name = $wpdb->prefix . 'wc_cr_time_logs'\n$where_clause assigned unsafely at line 63:\n $where_clause = implode(' AND ', $where_conditions)\n$jobs_manager assigned unsafely at line 18:\n $jobs_manager = WCRB_JOBS_MANAGER::getInstance()\n$where_conditions assigned unsafely at line 59:\n $where_conditions[] = "DATE(tl.start_time) <= %s"\n$filter_date_to assigned unsafely at line 25:\n $filter_date_to = isset($_GET['date_to']) ? sanitize_text_field($_GET['date_to']) : ''\nNote: sanitize_text_field() is not a safe escaping function.\n$_GET['date_to'] used without escaping. | lib/includes/wc_timelogs.php:139:20 | Security |
| ERROR | WordPress.DB.PreparedSQL.NotPrepared | Use placeholders and $wpdb->prepare(); found $select_query | lib/includes/classes/class-maintenance_reminder.php:94:47 | Security |
| ERROR | WordPress.DB.PreparedSQL.NotPrepared | Use placeholders and $wpdb->prepare(); found $base_query | lib/includes/wc_timelogs.php:139:48 | Security |
| ERROR | WordPress.DB.PreparedSQL.NotPrepared | Use placeholders and $wpdb->prepare(); found $service_insert_query | lib/shortcodes/book_my_service.php:812:49 | Security |
| ERROR | WordPress.WP.I18n.MissingTranslatorsComment | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | lib/includes/classes/class-wcrb_myaccount_dashboard.php:188:44 | General |
| ERROR | WordPress.DateTime.RestrictedFunctions.date_date | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | lib/includes/classes/class-expense-manager.php:1286:31 | — |
| ERROR | WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "generate_expenses_csv". | lib/includes/classes/class-expense-manager.php:1295:1 | Plugin Repo |
| ERROR | WordPress.DB.PreparedSQL.NotPrepared | Use placeholders and $wpdb->prepare(); found $insert_query | lib/includes/wc_jobs.php:1302:21 | Security |
| ERROR | WordPress.WP.AlternativeFunctions.file_system_operations_fclose | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | lib/includes/classes/class-expense-manager.php:1354:5 | Plugin Repo |
| ERROR | WordPress.DB.PreparedSQL.NotPrepared | Use placeholders and $wpdb->prepare(); found $extra_insert_query | lib/includes/wc_jobs.php:1310:21 | Security |