Display a maintenance mode page and allow invited visitors to bypass the functionality to preview the site.
Category Scores
Top Issues by Category
i18n173
security155
maintainability47
Issues Details
376 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$_SERVER["REQUEST_URI"]'.
Detected usage of a possibly undefined superglobal array index: $_POST['wpjf3_mr_active_tab']. Check that the array index exists before using it.
$_GET['wpjf3_mr_temp_access_key'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a non-sanitized input variable: $_GET['wpjf3_mr_temp_access_key']
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Unescaped parameter $sql used in $wpdb->get_results()\n$sql assigned unsafely at line 218.
Processing form data without nonce verification.
Processing form data without nonce verification.
Unescaped parameter $option_name used in $wpdb->query()\n$option_name assigned unsafely at line 6.
Attempting a database schema change is discouraged.
Use placeholders and $wpdb->prepare(); found interpolated variable $tbl at "SHOW TABLES LIKE '$tbl'"
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$ajax_nonce".
rand() is discouraged. Use the far less predictable wp_rand() instead.
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
Stylesheets must be registered/enqueued via wp_enqueue_style()
A function call to esc_html__() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Mismatched "Tested up to": 7.0 != 6.9. The "Tested up to" value in the readme file must match the "Tested up to" value in the plugin header. If the plugin header has a "Tested up to" value, it will override the readme value, which can cause confusion.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 172 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$_SERVER["REQUEST_URI"]'. | 38 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_POST['wpjf3_mr_active_tab']. Check that the array index exists before using it. | 24 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['wpjf3_mr_temp_access_key'] not unslashed before sanitization. Use wp_unslash() or similar | 23 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['wpjf3_mr_temp_access_key'] | 21 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 18 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 18 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $sql used in $wpdb->get_results()\n$sql assigned unsafely at line 218. | 14 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $sql | 14 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 8 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 5 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $option_name used in $wpdb->query()\n$option_name assigned unsafely at line 6. | 4 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 4 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $tbl at "SHOW TABLES LIKE '$tbl'" | 4 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$ajax_nonce". | 3 |
| WordPress.WP.AlternativeFunctions.rand_rand | ERROR | rand() is discouraged. Use the far less predictable wp_rand() instead. | 1 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 1 |
| WordPress.WP.EnqueuedResources.NonEnqueuedStylesheet | ERROR | Stylesheets must be registered/enqueued via wp_enqueue_style() | 1 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to esc_html__() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 1 |
| mismatched_tested_up_to_header | ERROR | Mismatched "Tested up to": 7.0 != 6.9. The "Tested up to" value in the readme file must match the "Tested up to" value in the plugin header. If the plugin header has a "Tested up to" value, it will override the readme value, which can cause confusion. | 1 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 1 |
Latest Snapshot
Findings
376
Errors
244
Warnings
132
Score History
First score snapshot
First scan completed Jun 20, 2026
v2.2.1 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v2.2.1
38
Latest
- Findings
- 376
- Errors
- 244
- Warnings
- 132
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 38 | 376 | 244 | 132 | v2.2.1 | 2.0.0 | 2026.06-mvp-static-v2 |
