Patchstack automatically identifies and mitigates security vulnerabilities in WordPress plugins, themes, and core.
Category Scores
Top Issues by Category
- security: 350
- maintainability: 211
Issues Details
596 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 77 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['PatchstackNonce'] not unslashed before sanitization. Use wp_unslash() or similar | 77 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['PatchstackNonce'] | 74 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$RandomCompatCOMtest". | 50 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 47 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 37 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 32 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "Base32Static". | 29 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['site']. Check that the array index exists before using it. | 24 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $prefix | 21 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$app_url'. | 16 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 15 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "DISALLOW_FILE_EDIT". | 12 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $prefix used in $wpdb->get_var(); $prefix used without escaping. | 11 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to esc_attr__(). | 7 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function set_time_limit() is discouraged | 6 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "RandomCompat_intval". | 5 |
| WordPress.WP.AlternativeFunctions.rand_mt_rand | ERROR | mt_rand() is discouraged. Use the far less predictable wp_rand() instead. | 5 |
| WordPress.WP.EnqueuedResources.NonEnqueuedScript | ERROR | Scripts must be registered/enqueued via wp_enqueue_script() | 5 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "get_site()" requires WordPress 4.6.0, but your plugin minimum supported version is WordPress 4.4.0. | 5 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 4 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $table used in $wpdb->get_results() | 3 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 3 |
| WordPress.PHP.DevelopmentFunctions.error_log_print_r | WARNING | print_r() found. Debug code should not normally be used in production. | 3 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'patchstack' but got 'disable-wp-rest-api'. | 3 |
Latest Snapshot
- Findings: 596
- Errors: 107
- Warnings: 489
Score History
First score snapshot
First scan completed Jun 20, 2026
v2.3.6 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026 (Latest) | 23 | 596 | 107 | 489 | v2.3.6 | 2.0.0 | 2026.06-mvp-static-v2 |