This File Management & Digital Store plugin will help you to control file downloads & sell digital products from your WP site.
Category Scores
Top Issues by Category
security2,261
maintainability1,042
Issues Details
3,591 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"$atname='$atval' "'.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$APIKEY".
All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'.
Processing form data without nonce verification.
Detected usage of a non-sanitized input variable: $_COOKIE['__wpdm_client']
$_COOKIE['__wpdm_client'] not unslashed before sanitization. Use wp_unslash() or similar
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Short PHP opening tag used with echo; expected "<?php echo $class ..." but found "<?= $class ..."
Use placeholders and $wpdb->prepare(); found interpolated variable $column at "SHOW COLUMNS FROM `{$wpdb->prefix}{$table}` LIKE '$column'"
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
The $domain parameter must be a single text string literal. Found: WPDM_TEXT_DOMAIN
Detected usage of a possibly undefined superglobal array index: $_FILES['package_file']['tmp_name']. Check that the array index exists before using it.
Processing form data without nonce verification.
Scripts must be registered/enqueued via wp_enqueue_script()
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "__is_url".
Stylesheets must be registered/enqueued via wp_enqueue_style()
Unescaped parameter $ID used in $wpdb->get_results()\n$ID used without escaping.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
No PHP code was found in this file and short open tags are not allowed by this install of PHP. This file may be using short open tags but PHP does not allow them.
Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir().
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"$atname='$atval' "'. | 1,257 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$APIKEY". | 617 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'. | 596 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 112 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 76 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE['__wpdm_client'] | 73 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE['__wpdm_client'] not unslashed before sanitization. Use wp_unslash() or similar | 73 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 70 |
| Generic.PHP.DisallowShortOpenTag.EchoFound | ERROR | Short PHP opening tag used with echo; expected "<?php echo $class ..." but found "<?= $class ..." | 67 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $column at "SHOW COLUMNS FROM `{$wpdb->prefix}{$table}` LIKE '$column'" | 60 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 50 |
| WordPress.WP.I18n.NonSingularStringLiteralDomain | ERROR | The $domain parameter must be a single text string literal. Found: WPDM_TEXT_DOMAIN | 45 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 38 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES['package_file']['tmp_name']. Check that the array index exists before using it. | 36 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 32 |
| WordPress.WP.EnqueuedResources.NonEnqueuedScript | ERROR | Scripts must be registered/enqueued via wp_enqueue_script() | 26 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 24 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "__is_url". | 23 |
| WordPress.WP.EnqueuedResources.NonEnqueuedStylesheet | ERROR | Stylesheets must be registered/enqueued via wp_enqueue_style() | 23 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $ID used in $wpdb->get_results()\n$ID used without escaping. | 22 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 22 |
| Internal.NoCodeFound | WARNING | No PHP code was found in this file and short open tags are not allowed by this install of PHP. This file may be using short open tags but PHP does not allow them. | 20 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching. | 17 |
| WordPress.WP.AlternativeFunctions.file_system_operations_mkdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir(). | 15 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 14 |
Latest Snapshot
Findings
3,591
Errors
2,290
Warnings
1,301
Score History
First score snapshot
First scan completed
v3.3.58 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
v3.3.58
22
Latest
- Findings
- 3,591
- Errors
- 2,290
- Warnings
- 1,301
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 22 | 3,591 | 2,290 | 1,301 | v3.3.58 | 2.0.0 | 2026.06-mvp-static-v2 |
