Easy to use tools to help make your website GDPR-compliant. Fully documented, extendable and developer-friendly. Extensions to enterprise GDPR compli …
Category Scores
Top Issues by Category
security863
maintainability811
i18n101
Issues Details
1,804 issues found in latest scan
Short PHP opening tag used with echo; expected "<?php echo ! ..." but found "<?= ! ..."
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"<a href='{$helpUrl}' target='_blank'>"'.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Processing form data without nonce verification.
$_COOKIE['gdpr_key'] not unslashed before sanitization. Use wp_unslash() or similar
Processing form data without nonce verification.
Detected usage of a possibly undefined superglobal array index: $_GET['gdpr-step']. Check that the array index exists before using it.
The $text parameter must be a single text string literal. Found: $content
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Detected usage of a non-sanitized input variable: $_COOKIE['gdpr_key']
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$arg".
Use placeholders and $wpdb->prepare(); found interpolated variable $column at "SELECT $column FROM $this->tableName WHERE $column_where = %s LIMIT 1;"
Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Mismatched text domain. Expected 'gdpr-framework' but got '(Admin)'.
In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header.
All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'.
Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$s", but got "%s, %s" in 'Go to %sTools > Data443 GDPR%s and make sure all fields are filled in.'.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'bs_db_post_insert_' . $type".
Unescaped parameter $table_name used in $wpdb->get_results()\n$table_name assigned unsafely at line 18.
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "TermAndConditionWithPrivacyContent".
trigger_error() found. Debug code should not normally be used in production.
| Code | Type | Message | Count |
|---|---|---|---|
| Generic.PHP.DisallowShortOpenTag.EchoFound | ERROR | Short PHP opening tag used with echo; expected "<?php echo ! ..." but found "<?= ! ..." | 526 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"<a href='{$helpUrl}' target='_blank'>"'. | 509 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 124 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 91 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE['gdpr_key'] not unslashed before sanitization. Use wp_unslash() or similar | 73 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 63 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['gdpr-step']. Check that the array index exists before using it. | 53 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 41 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: $content | 38 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 36 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE['gdpr_key'] | 33 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$arg". | 26 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 24 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $column at "SELECT $column FROM $this->tableName WHERE $column_where = %s LIMIT 1;" | 23 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching. | 18 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 15 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'gdpr-framework' but got '(Admin)'. | 13 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 12 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'. | 11 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$s", but got "%s, %s" in 'Go to %sTools > Data443 GDPR%s and make sure all fields are filled in.'. | 11 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'bs_db_post_insert_' . $type". | 10 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $table_name used in $wpdb->get_results()\n$table_name assigned unsafely at line 18. | 7 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "TermAndConditionWithPrivacyContent". | 6 |
| WordPress.PHP.DevelopmentFunctions.error_log_trigger_error | WARNING | trigger_error() found. Debug code should not normally be used in production. | 6 |
| badly_named_files | ERROR | File and folder names must not contain spaces or special characters. | 6 |
Latest Snapshot
Findings
1,804
Errors
1,287
Warnings
517
Score History
First score snapshot
First scan completed Jun 20, 2026
v2.3.0 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v2.3.0
23
Latest
- Findings
- 1,804
- Errors
- 1,287
- Warnings
- 517
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 23 | 1,804 | 1,287 | 517 | v2.3.0 | 2.0.0 | 2026.06-mvp-static-v2 |
