Add Google Calendar events to your WordPress site in minutes. Beautiful calendar displays. Mobile responsive.
Category Scores
Top Issues by Category
maintainability1,376
security1,146
Issues Details
2,626 issues found in latest scan
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"'{$expected}'"'.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"- To maintain the current behavior, use explicit cast: {$name}((int) \$value)\n"'.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$advanced_card_title".
All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'.
Processing form data without nonce verification.
$_GET['page'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a non-sanitized input variable: $_ENV[$env]
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
Processing form data without nonce verification.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Function "str_contains()" requires WordPress 5.9.0, but your plugin minimum supported version is WordPress 4.2.0.
trigger_error() found. Debug code should not normally be used in production.
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "connect_settings_fields".
var_export() found. Debug code should not normally be used in production.
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
mt_rand() is discouraged. Use the far less predictable wp_rand() instead.
set_error_handler() found. Debug code should not normally be used in production.
Detected usage of a possibly undefined superglobal array index: $_REQUEST['nonce_feed_actions']. Check that the array index exists before using it.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fread().
| Code | Type | Message | Count |
|---|---|---|---|
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 946 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"'{$expected}'"'. | 393 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"- To maintain the current behavior, use explicit cast: {$name}((int) \$value)\n"'. | 345 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$advanced_card_title". | 232 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'. | 144 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 124 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['page'] not unslashed before sanitization. Use wp_unslash() or similar | 57 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_ENV[$env] | 50 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 47 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 28 |
| WordPress.WP.AlternativeFunctions.curl_curl_setopt | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 26 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 24 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "str_contains()" requires WordPress 5.9.0, but your plugin minimum supported version is WordPress 4.2.0. | 24 |
| WordPress.PHP.DevelopmentFunctions.error_log_trigger_error | WARNING | trigger_error() found. Debug code should not normally be used in production. | 23 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "connect_settings_fields". | 16 |
| WordPress.PHP.DevelopmentFunctions.error_log_var_export | WARNING | var_export() found. Debug code should not normally be used in production. | 11 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 8 |
| badly_named_files | ERROR | File and folder names must not contain spaces or special characters. | 8 |
| WordPress.WP.AlternativeFunctions.curl_curl_init | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 7 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 7 |
| WordPress.WP.AlternativeFunctions.rand_mt_rand | ERROR | mt_rand() is discouraged. Use the far less predictable wp_rand() instead. | 6 |
| WordPress.PHP.DevelopmentFunctions.error_log_set_error_handler | WARNING | set_error_handler() found. Debug code should not normally be used in production. | 5 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_REQUEST['nonce_feed_actions']. Check that the array index exists before using it. | 5 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 5 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fread | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fread(). | 5 |
Latest Snapshot
Findings
2,626
Errors
2,035
Warnings
591
Score History
First score snapshot
First scan completed
v4.0.5 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
v4.0.5
24
Latest
- Findings
- 2,626
- Errors
- 2,035
- Warnings
- 591
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 24 | 2,626 | 2,035 | 591 | v4.0.5 | 2.0.0 | 2026.06-mvp-static-v2 |
