Use Advanced File Manager to manage WordPress files, create archives, and build document libraries—all directly from your WordPress dashboard!
Category Scores
Top Issues by Category
security968
maintainability922
Issues Details
2,119 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"'$directory' could not be created."'.
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "access".
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "FMA_Controller".
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"{$image_path}/bottom-left.png"'.
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$$key".
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
$_GET['code'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a non-sanitized input variable: $_ENV['PHPUNIT_RESULT_CACHE']
Processing form data without nonce verification.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().
Detected usage of a possibly undefined superglobal array index: $_FILES['content']['tmp_name']. Check that the array index exists before using it.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite().
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fread().
var_export() found. Debug code should not normally be used in production.
error_reporting() can lead to full path disclosure.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir().
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Processing form data without nonce verification.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"'$directory' could not be created."'. | 463 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "access". | 193 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "FMA_Controller". | 191 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"{$image_path}/bottom-left.png"'. | 118 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 112 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$$key". | 84 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 82 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['code'] not unslashed before sanitization. Use wp_unslash() or similar | 79 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_ENV['PHPUNIT_RESULT_CACHE'] | 68 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 61 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 52 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES['content']['tmp_name']. Check that the array index exists before using it. | 45 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fwrite | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite(). | 44 |
| WordPress.WP.AlternativeFunctions.curl_curl_setopt | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 39 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable(). | 33 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fread | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fread(). | 32 |
| WordPress.PHP.DevelopmentFunctions.error_log_var_export | WARNING | var_export() found. Debug code should not normally be used in production. | 28 |
| WordPress.PHP.DevelopmentFunctions.prevent_path_disclosure_error_reporting | WARNING | error_reporting() can lead to full path disclosure. | 26 |
| WordPress.WP.AlternativeFunctions.file_system_operations_mkdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir(). | 26 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 25 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 22 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 18 |
| Generic.PHP.ForbiddenFunctions.Found | ERROR | The use of function eval() is forbidden | 17 |
| WordPress.WP.AlternativeFunctions.curl_curl_init | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 16 |
| WordPress.WP.AlternativeFunctions.curl_curl_setopt_array | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 16 |
Latest Snapshot
Findings
2,119
Errors
1,218
Warnings
901
Score History
First score snapshot
First scan completed Jun 19, 2026
v5.4.12 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v5.4.12
19
Latest
- Findings
- 2,119
- Errors
- 1,218
- Warnings
- 901
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 19 | 2,119 | 1,218 | 901 | v5.4.12 | 2.0.0 | 2026.06-mvp-static-v2 |
