Upload your own social media icons or choose from font-awesome. Use widget|shortcode to place icons anywhere(sidebar, header, footer, page) in theme.
Category Scores
Top Issues by Category
security239
maintainability73
Issues Details
340 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$aClass'.
$_GET['_wpnonce'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a possibly undefined superglobal array index: $_GET['_wpnonce']. Check that the array index exists before using it.
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$err".
Sanitization missing for register_setting().
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Processing form data without nonce verification.
Detected usage of a non-sanitized input variable: $_GET['_wpnonce']
No PHP code was found in this file and short open tags are not allowed by this install of PHP. This file may be using short open tags but PHP does not allow them.
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
Attempting a database schema change is discouraged.
Unescaped parameter $sql used in $wpdb->get_results()\n$sql assigned unsafely at line 1661.
Use placeholders and $wpdb->prepare(); found interpolated variable $table_name at "show tables like '$table_name'"
In footer ($in_footer) is not set explicitly wp_register_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header.
Unescaped parameter $table_name used in $wpdb->get_var()\n$table_name assigned unsafely at line 975.
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "allow_svg_uploads".
Function "get_sites()" requires WordPress 4.6.0, but your plugin minimum supported version is WordPress 3.5.0.
Plugin folders are deleted when upgraded. Do not save data to the plugin folder using unzip_file(). Detected usage of constant WP_PLUGIN_DIR. Use wp_upload_dir() to get the uploads directory path or save to the database instead.
Replacement variables found, but no valid placeholders found in the query.
Mismatched text domain. Expected 'easy-social-icons' but got 'cpt'.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$aClass'. | 100 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['_wpnonce'] not unslashed before sanitization. Use wp_unslash() or similar | 34 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['_wpnonce']. Check that the array index exists before using it. | 31 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 24 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 22 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 14 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$err". | 14 |
| PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing | ERROR | Sanitization missing for register_setting(). | 13 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 13 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 12 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['_wpnonce'] | 12 |
| Internal.NoCodeFound | WARNING | No PHP code was found in this file and short open tags are not allowed by this install of PHP. This file may be using short open tags but PHP does not allow them. | 9 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 8 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 6 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $sql used in $wpdb->get_results()\n$sql assigned unsafely at line 1661. | 4 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $table_name at "show tables like '$table_name'" | 4 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $sql | 4 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_register_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 3 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $table_name used in $wpdb->get_var()\n$table_name assigned unsafely at line 975. | 2 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "allow_svg_uploads". | 2 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "get_sites()" requires WordPress 4.6.0, but your plugin minimum supported version is WordPress 3.5.0. | 2 |
| PluginCheck.CodeAnalysis.WriteFile.PluginDirectoryWrite | ERROR | Plugin folders are deleted when upgraded. Do not save data to the plugin folder using unzip_file(). Detected usage of constant WP_PLUGIN_DIR. Use wp_upload_dir() to get the uploads directory path or save to the database instead. | 1 |
| WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare | WARNING | Replacement variables found, but no valid placeholders found in the query. | 1 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'easy-social-icons' but got 'cpt'. | 1 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 1 |
Latest Snapshot
Findings
340
Errors
182
Warnings
158
Score History
First score snapshot
First scan completed Jun 20, 2026
v4.0.2 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v4.0.2
35
Latest
- Findings
- 340
- Errors
- 182
- Warnings
- 158
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 35 | 340 | 182 | 158 | v4.0.2 | 2.0.0 | 2026.06-mvp-static-v2 |
