Form Maker is a user-friendly contact form builder that allows you to create forms for any purpose, from a simple contact form to multi-page survey forms.
Category Scores
Top Issues by Category
security: 2,833
i18n: 2,128
maintainability: 962
Issues Details
6,025 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.WP.I18n.NonSingularStringLiteralDomain | ERROR | The $domain parameter must be a single text string literal. Found: $prefix | 1,912 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$action['title']'. | 1,401 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 641 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 356 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 334 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found ! | 289 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'form-maker' but got "form_maker". | 146 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 126 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 117 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $col used in $wpdb->get_var()\n$col used without escaping. | 102 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE[self::$cookie_name] not unslashed before sanitization. Use wp_unslash() or similar | 87 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 70 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE[self::$cookie_name] | 64 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 60 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 60 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_POST[$wd_options->prefix . '_save_form_fild']. Check that the array index exists before using it. | 28 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 26 |
| WordPress.WP.AlternativeFunctions.rand_rand | ERROR | rand() is discouraged. Use the far less predictable wp_rand() instead. | 24 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching. | 17 |
| WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder | ERROR | Simple placeholders should not be quoted in the query string in $wpdb->prepare(). Found: '%d'. | 14 |
| WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery | ERROR | SQL wildcards for a LIKE query should be passed in through a replacement parameter. Found: LIKE "%%. | 11 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fwrite | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite(). | 10 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$f, %3$f", but got "%s, %f, %f" in 'The %s value must be between %f - %f'. | 10 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 9 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 9 |
Latest Snapshot
Findings: 6,025
Errors: 4,746
Warnings: 1,279
Score History
First score snapshot
First scan completed Jun 20, 2026
v1.15.44 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026 (Latest) | 23 | 6,025 | 4,746 | 1,279 | v1.15.44 | 2.0.0 | 2026.06-mvp-static-v2 |