The Feeds for YouTube plugin allows you to display customizable YouTube feeds from any YouTube channel.
Category Scores
Top Issues by Category
security889
maintainability561
Issues Details
1,536 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$active_plugin'.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$additional_atts".
Use placeholders and $wpdb->prepare(); found interpolated variable $cache_table_name at "UPDATE $cache_table_name\n
Processing form data without nonce verification.
Unescaped parameter $cache_table_name used in $wpdb->query()\n$cache_table_name assigned unsafely at line 148.
$_GET['page'] not unslashed before sanitization. Use wp_unslash() or similar
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "sb_customizer_feeds_table".
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
Detected usage of a non-sanitized input variable: $_FILES['feedFile']['name']
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "sbi_settings_pages_capability".
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "CUSTOMIZER_ABSPATH".
Processing form data without nonce verification.
Detected usage of a possibly undefined superglobal array index: $_FILES['feedFile']['name']. Check that the array index exists before using it.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Attempting a database schema change is discouraged.
Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$s", but got "%s, %s" in 'Due to your server configuration, an API key is required to update your feed. See %sthis FAQ%s to set up an API key.'.
Unescaped parameter $fifteen_minutes_ago used in $wpdb->get_var()\n$fifteen_minutes_ago assigned unsafely at line 144.
rand() is discouraged. Use the far less predictable wp_rand() instead.
Function "get_sites()" requires WordPress 4.6.0, but your plugin minimum supported version is WordPress 4.1.0.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$active_plugin'. | 353 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 116 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 114 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$additional_atts". | 111 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $cache_table_name at "UPDATE $cache_table_name\n | 110 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 87 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $cache_table_name used in $wpdb->query()\n$cache_table_name assigned unsafely at line 148. | 76 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['page'] not unslashed before sanitization. Use wp_unslash() or similar | 76 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "sb_customizer_feeds_table". | 65 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 56 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_FILES['feedFile']['name'] | 43 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "sbi_settings_pages_capability". | 39 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 38 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "CUSTOMIZER_ABSPATH". | 38 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 38 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES['feedFile']['name']. Check that the array index exists before using it. | 30 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 29 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 17 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$s", but got "%s, %s" in 'Due to your server configuration, an API key is required to update your feed. See %sthis FAQ%s to set up an API key.'. | 11 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $fifteen_minutes_ago used in $wpdb->get_var()\n$fifteen_minutes_ago assigned unsafely at line 144. | 10 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $query | 10 |
| WordPress.WP.AlternativeFunctions.rand_rand | ERROR | rand() is discouraged. Use the far less predictable wp_rand() instead. | 10 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "get_sites()" requires WordPress 4.6.0, but your plugin minimum supported version is WordPress 4.1.0. | 7 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 6 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 6 |
Latest Snapshot
Findings
1,536
Errors
558
Warnings
978
Score History
First score snapshot
First scan completed Jun 19, 2026
v2.7.0 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v2.7.0
21
Latest
- Findings
- 1,536
- Errors
- 558
- Warnings
- 978
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 21 | 1,536 | 558 | 978 | v2.7.0 | 2.0.0 | 2026.06-mvp-static-v2 |
