The official companion plugin for Peregrine Themes. Adds widgets, customization options, Elementor widgets, and demo import features.
Category Scores
Top Issues by Category
security168
maintainability126
i18n34
Issues Details
356 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Since $package $version: "'.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$base'.
Namespaces declared by a theme/plugin should start with the theme/plugin prefix. Found: "Psr\EventDispatcher".
All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'.
Function "_wp_has_noncharacters_fallback()" requires WordPress 6.9.0, but your plugin minimum supported version is WordPress 5.9.0.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Processing form data without nonce verification.
Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information.
var_export() found. Debug code should not normally be used in production.
Processing form data without nonce verification.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
Do not use Localhost/127.0.0.1/*.local in your code. Found: http://localhost/
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "normalizer_is_normalized".
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "DS".
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().
The parameter "$cat_args" at position #2 of get_terms() has been deprecated since WordPress version 4.5.0. Instead do not pass the parameter.
Using exclusionary parameters, like exclude, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information.
Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$section_priority".
Mismatched text domain. Expected 'hester-core' but got 'data-liberation'.
Detected usage of tax_query, possible slow query.
trigger_error() found. Debug code should not normally be used in production.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Since $package $version: "'. | 86 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$base'. | 38 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedNamespaceFound | WARNING | Namespaces declared by a theme/plugin should start with the theme/plugin prefix. Found: "Psr\EventDispatcher". | 37 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 31 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'. | 25 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "_wp_has_noncharacters_fallback()" requires WordPress 6.9.0, but your plugin minimum supported version is WordPress 5.9.0. | 17 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 16 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 11 |
| WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in | WARNING | Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. | 10 |
| WordPress.PHP.DevelopmentFunctions.error_log_var_export | WARNING | var_export() found. Debug code should not normally be used in production. | 8 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 8 |
| Generic.PHP.DiscourageGoto.Found | ERROR | The "goto" language construct should not be used. | 7 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 7 |
| PluginCheck.CodeAnalysis.Localhost.Found | ERROR | Do not use Localhost/127.0.0.1/*.local in your code. Found: http://localhost/ | 5 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "normalizer_is_normalized". | 5 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "DS". | 4 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 4 |
| WordPress.WP.DeprecatedParameters.Get_termsParam2Found | ERROR | The parameter "$cat_args" at position #2 of get_terms() has been deprecated since WordPress version 4.5.0. Instead do not pass the parameter. | 4 |
| WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_exclude | WARNING | Using exclusionary parameters, like exclude, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. | 4 |
| PluginCheck.CodeAnalysis.Heredoc.NotAllowed | ERROR | Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead | 3 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$section_priority". | 3 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'hester-core' but got 'data-liberation'. | 3 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 2 |
| WordPress.DB.SlowDBQuery.slow_db_query_tax_query | WARNING | Detected usage of tax_query, possible slow query. | 2 |
| WordPress.PHP.DevelopmentFunctions.error_log_trigger_error | WARNING | trigger_error() found. Debug code should not normally be used in production. | 2 |
Latest Snapshot
Findings
356
Errors
253
Warnings
103
Score History
2 score snapshots
Jun 20, 2026
v1.1.9
27
Latest
- Findings
- 356
- Errors
- 253
- Warnings
- 103
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
Jun 20, 2026
v1.1.6
27
Score
- Findings
- 356
- Errors
- 253
- Warnings
- 103
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 27 | 356 | 253 | 103 | v1.1.9 | 2.0.0 | 2026.06-mvp-static-v2 |
| Jun 20, 2026 | 27 | 356 | 253 | 103 | v1.1.6 | 2.0.0 | 2026.06-mvp-static-v2 |
