Add a PayPal or Stripe Donation Button to your website and start collecting donations today. No Coding Required. Official PayPal & Stripe Partner.
Category Scores
Top Issues by Category
security1,293
maintainability188
Issues Details
1,488 issues found in latest scan
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"[wpedon id=$post_id]"'.
$_GET['_wpnonce'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a possibly undefined superglobal array index: $_GET['button-id']. Check that the array index exists before using it.
Processing form data without nonce verification.
Processing form data without nonce verification.
Function "get_current_screen()" requires WordPress 3.1.0, but your plugin minimum supported version is WordPress 3.0.0.
Detected usage of a non-sanitized input variable: $_GET['_wpnonce']
Short PHP opening tag used with echo; expected "<?php echo $args ..." but found "<?= $args ..."
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$args".
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
Offloading images, js, css, and other scripts to your servers or any remote service is disallowed.
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
error_log() found. Debug code should not normally be used in production.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Detected usage of meta_query, possible slow query.
print_r() found. Debug code should not normally be used in production.
wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
No PHP code was found in this file and short open tags are not allowed by this install of PHP. This file may be using short open tags but PHP does not allow them.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 594 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"[wpedon id=$post_id]"'. | 175 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['_wpnonce'] not unslashed before sanitization. Use wp_unslash() or similar | 163 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['button-id']. Check that the array index exists before using it. | 122 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 102 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 82 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "get_current_screen()" requires WordPress 3.1.0, but your plugin minimum supported version is WordPress 3.0.0. | 63 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['_wpnonce'] | 53 |
| Generic.PHP.DisallowShortOpenTag.EchoFound | ERROR | Short PHP opening tag used with echo; expected "<?php echo $args ..." but found "<?= $args ..." | 34 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$args". | 31 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 14 |
| WordPress.WP.AlternativeFunctions.curl_curl_setopt | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 11 |
| PluginCheck.CodeAnalysis.Offloading.OffloadedContent | ERROR | Offloading images, js, css, and other scripts to your servers or any remote service is disallowed. | 7 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 6 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 5 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 3 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 3 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_query | WARNING | Detected usage of meta_query, possible slow query. | 2 |
| WordPress.PHP.DevelopmentFunctions.error_log_print_r | WARNING | print_r() found. Debug code should not normally be used in production. | 2 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 2 |
| WordPress.WP.AlternativeFunctions.curl_curl_close | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 2 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 2 |
| Internal.NoCodeFound | WARNING | No PHP code was found in this file and short open tags are not allowed by this install of PHP. This file may be using short open tags but PHP does not allow them. | 1 |
| WordPress.WP.AlternativeFunctions.curl_curl_errno | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 1 |
| WordPress.WP.AlternativeFunctions.curl_curl_error | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 1 |
Latest Snapshot
Findings
1,488
Errors
916
Warnings
572
Score History
First score snapshot
First scan completed Jun 20, 2026
v1.5.5 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v1.5.5
26
Latest
- Findings
- 1,488
- Errors
- 916
- Warnings
- 572
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 26 | 1,488 | 916 | 572 | v1.5.5 | 2.0.0 | 2026.06-mvp-static-v2 |
