Save and manage WPForms entries (WPForms database). It is a lightweight WPForms database plugin.
Category Scores
Top Issues by Category
- security: 54
- maintainability: 9
Issues Details
70 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 23 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['fid']. Check that the array index exists before using it. | 8 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_POST['_wpnonce'] not unslashed before sanitization. Use wp_unslash() or similar | 7 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$df'. | 6 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_POST['contact_form'] | 5 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'database-for-wpforms' but got 'contact-form-WPFormsDB'. | 5 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 3 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "Database Addon For WPForms ( wpforms entries ) - WPFormsDB" - contains the restricted term "wp" which cannot be used at all in your plugin name. | 3 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 2 |
| PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFound | WARNING | load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed. | 1 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 1 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 1 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "bulk_actions-{$this->screen->id}". | 1 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 1 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$s, %3$s, %4$s", but got "%s, %s, %s, %s" in 'Awesome, you\'ve been using <a href="%s" target="_blank">WPForms DB</a> for more than 1 week. May we ask you to give it a 5-star rating on WordPress? \| <a href="%s" target="_blank">Ok, you deserved it</a> \| <a href="%s">I already did</a> \| <a href="%s">No, not good enough</a>'. | 1 |
| mismatched_plugin_name | WARNING | Plugin name "Database Addon For WPForms ( wpforms entries ) - WPFormsDB" is different from the name declared in plugin header "Database for WPforms". | 1 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 1 |
Latest Snapshot
- Findings: 70
- Errors: 17
- Warnings: 53
Score History
First score snapshot
First scan completed Jun 20, 2026
v1.1.0 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026 (Latest) | 43 | 70 | 17 | 53 | v1.1.0 | 2.0.0 | 2026.06-mvp-static-v2 |