Freeform page builder & website builder for WordPress. Infinite canvas for complex, interactive websites. Built-in forms, animations & Customizer.
Category Scores
Top Issues by Category
security: 592
maintainability: 173
performance: 4
Issues Details
775 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 147 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_FILES[$name]['size'] | 126 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE['kirki_session_id'] not unslashed before sanitization. Use wp_unslash() or similar | 121 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 96 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 53 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 49 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$attributes". | 38 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $comments_table at \t\t\t\tSELECT %d, id FROM $comments_table \n | 36 |
| WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder | WARNING | Complex placeholders used for values in the query string in $wpdb->prepare() will NOT be quoted automagically. Found: %1s. | 36 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $count_query used in $wpdb->get_results()\n$count_query assigned unsafely at line 142. | 20 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES[$name]['size']. Check that the array index exists before using it. | 8 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 6 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "active_plugins". | 6 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 5 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_value | WARNING | Detected usage of meta_value, possible slow query. | 5 |
| WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in | WARNING | Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. | 4 |
| WordPress.DB.SlowDBQuery.slow_db_query_tax_query | WARNING | Detected usage of tax_query, possible slow query. | 3 |
| PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFound | WARNING | load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed. | 2 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_query | WARNING | Detected usage of meta_query, possible slow query. | 2 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "FS_METHOD". | 2 |
| WordPress.PHP.DevelopmentFunctions.prevent_path_disclosure_error_reporting | WARNING | error_reporting() can lead to full path disclosure. | 2 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 1 |
| WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare | WARNING | Replacement variables found, but no valid placeholders found in the query. | 1 |
| WordPress.DB.PreparedSQLPlaceholders.UnnecessaryPrepare | WARNING | It is not necessary to prepare a query which doesn't use variable replacement. | 1 |
| WordPress.PHP.DevelopmentFunctions.error_log_debug_backtrace | WARNING | debug_backtrace() found. Debug code should not normally be used in production. | 1 |
Latest Snapshot
Findings: 775
Errors: 0
Warnings: 775
Score History
First score snapshot
First scan completed Jun 19, 2026
v6.0.11 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026 (Latest) | 35 | 775 | 0 | 775 | v6.0.11 | 2.0.0 | 2026.06-mvp-static-v2 |