Futurio Extra add extra features to Futurio theme like widgets, WooCommerce options, Elementor widgets, one click demo import and much more.
Category Scores
Top Issues by Category
i18n404
security334
maintainability224
Issues Details
992 issues found in latest scan
Mismatched text domain. Expected 'futurio-extra' but got 'dilaz-metabox'.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$api['init']'.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$baseDir".
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'metabox_option_filter_'. $prefix".
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
$_POST[$field['id']] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a non-sanitized input variable: $_POST[$field['id']]
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
Processing form data without nonce verification.
Function "has_custom_logo()" requires WordPress 4.5.0, but your plugin minimum supported version is WordPress 4.4.0.
Version parameter is not explicitly set or has been set to an equivalent of "false" for wp_enqueue_script; This means that the WordPress core version will be used which is not recommended for plugin or theme development.
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "FWP_Demos_Helpers".
Detected usage of a possibly undefined superglobal array index: $_POST['futurio_import_demo_data_nonce']. Check that the array index exists before using it.
unlink() is discouraged. Use wp_delete_file() to delete a file.
Processing form data without nonce verification.
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "FE_PATH".
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$packageName'.
Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching.
The $text parameter must be a single text string literal. Found: $off_text
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "addslashes_strings_only".
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'futurio-extra' but got 'dilaz-metabox'. | 364 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$api['init']'. | 234 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$baseDir". | 63 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 40 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'metabox_option_filter_'. $prefix". | 35 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 31 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 28 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_POST[$field['id']] not unslashed before sanitization. Use wp_unslash() or similar | 19 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_POST[$field['id']] | 17 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 15 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 14 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 12 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "has_custom_logo()" requires WordPress 4.5.0, but your plugin minimum supported version is WordPress 4.4.0. | 12 |
| WordPress.WP.EnqueuedResourceParameters.NoExplicitVersion | ERROR | Version parameter is not explicitly set or has been set to an equivalent of "false" for wp_enqueue_script; This means that the WordPress core version will be used which is not recommended for plugin or theme development. | 11 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "FWP_Demos_Helpers". | 9 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_POST['futurio_import_demo_data_nonce']. Check that the array index exists before using it. | 9 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 8 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 7 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 7 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "FE_PATH". | 6 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$packageName'. | 5 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching. | 5 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: $off_text | 5 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 3 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "addslashes_strings_only". | 3 |
Latest Snapshot
Findings
992
Errors
787
Warnings
205
Score History
First score snapshot
First scan completed Jun 20, 2026
v2.0.23 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v2.0.23
23
Latest
- Findings
- 992
- Errors
- 787
- Warnings
- 205
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 23 | 992 | 787 | 205 | v2.0.23 | 2.0.0 | 2026.06-mvp-static-v2 |
