Easy to show posts, pages, custom posts in customizable grid, list, slider, accordion... Available as Widgets (for Elementor), Shortcode, and Blocks.
Category Scores
Top Issues by Category
maintainability504
i18n193
security169
Issues Details
893 issues found in latest scan
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "PT_CV_PREFIX_ . '2col_nowrap_fields'".
Mismatched text domain. Expected 'content-views-query-and-display-post-page' but got 'content-views-pro'.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$caption_class".
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"<div class='$class'> $output </div> $style"'.
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "cv_comp_action_before_query".
Processing form data without nonce verification.
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "CVB_API_URL".
$_GET['id'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a non-sanitized input variable: $_GET['id']
Processing form data without nonce verification.
Function "has_blocks()" requires WordPress 5.0.0, but your plugin minimum supported version is WordPress 3.3.0.
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "PT_CV_Asset".
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Detected usage of a possibly undefined superglobal array index: $_POST['page']. Check that the array index exists before using it.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "active_plugins".
Resource version not set in call to wp_register_script(). This means new versions of the script may not always be loaded due to browser caching.
Setting `suppress_filters` to `true` is prohibited.
Unescaped parameter $query used in $wpdb->get_results()\n$query assigned unsafely at line 184.
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "PT_CV_PREFIX_ . '2col_nowrap_fields'". | 321 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'content-views-query-and-display-post-page' but got 'content-views-pro'. | 99 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$caption_class". | 84 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 83 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"<div class='$class'> $output </div> $style"'. | 74 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "cv_comp_action_before_query". | 32 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 24 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "CVB_API_URL". | 22 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['id'] not unslashed before sanitization. Use wp_unslash() or similar | 20 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['id'] | 17 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 15 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "has_blocks()" requires WordPress 5.0.0, but your plugin minimum supported version is WordPress 3.3.0. | 15 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "PT_CV_Asset". | 12 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 11 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_POST['page']. Check that the array index exists before using it. | 9 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 5 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 5 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 5 |
| WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in | WARNING | Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. | 5 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $query | 3 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "active_plugins". | 3 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_register_script(). This means new versions of the script may not always be loaded due to browser caching. | 3 |
| WordPressVIPMinimum.Performance.WPQueryParams.SuppressFilters_suppress_filters | ERROR | Setting `suppress_filters` to `true` is prohibited. | 3 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $query used in $wpdb->get_results()\n$query assigned unsafely at line 184. | 2 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 2 |
Latest Snapshot
Findings
893
Errors
306
Warnings
587
Score History
First score snapshot
First scan completed Jun 19, 2026
v4.4 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v4.4
23
Latest
- Findings
- 893
- Errors
- 306
- Warnings
- 587
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 23 | 893 | 306 | 587 | v4.4 | 2.0.0 | 2026.06-mvp-static-v2 |
