Easily move, duplicate, backup and copy paste content and designs between your WordPress websites in seconds.
Category Scores
Top Issues by Category
security156
maintainability112
Issues Details
307 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$addSettingText'.
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Function "attachment_url_to_postid()" requires WordPress 4.0.0, but your plugin minimum supported version is WordPress 3.5.0.
Mismatched text domain. Expected 'doubly' but got "unlimited-elements-for-elementor".
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"$name doesn't exists"'.
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "GlobalsDOUBLY".
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$currentFolder".
Processing form data without nonce verification.
Processing form data without nonce verification.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir().
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite().
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
Detected usage of a non-sanitized input variable: $_GET[$name]
$_GET[$name] not unslashed before sanitization. Use wp_unslash() or similar
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().
Unescaped parameter $query used in $wpdb->get_results()\n$query used without escaping.
Detected usage of meta_query, possible slow query.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "code_snippets/create_snippet".
print_r() found. Debug code should not normally be used in production.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$addSettingText'. | 90 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 32 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 28 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "attachment_url_to_postid()" requires WordPress 4.0.0, but your plugin minimum supported version is WordPress 3.5.0. | 25 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'doubly' but got "unlimited-elements-for-elementor". | 16 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"$name doesn't exists"'. | 10 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "GlobalsDOUBLY". | 9 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 6 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$currentFolder". | 6 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 6 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 6 |
| WordPress.WP.AlternativeFunctions.file_system_operations_mkdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir(). | 6 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 5 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fwrite | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite(). | 5 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 5 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET[$name] | 4 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET[$name] not unslashed before sanitization. Use wp_unslash() or similar | 4 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 4 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 4 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 3 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $query used in $wpdb->get_results()\n$query used without escaping. | 2 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $query | 2 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_query | WARNING | Detected usage of meta_query, possible slow query. | 2 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "code_snippets/create_snippet". | 2 |
| WordPress.PHP.DevelopmentFunctions.error_log_print_r | WARNING | print_r() found. Debug code should not normally be used in production. | 2 |
Latest Snapshot
Findings
307
Errors
252
Warnings
55
Score History
First score snapshot
First scan completed Jun 20, 2026
v1.0.47 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v1.0.47
24
Latest
- Findings
- 307
- Errors
- 252
- Warnings
- 55
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 24 | 307 | 252 | 55 | v1.0.47 | 2.0.0 | 2026.06-mvp-static-v2 |
