The most popular lightbox plugin and responsive gallery builder for WordPress.
Category Scores
Top Issues by Category
security: 311
maintainability: 233
i18n: 76
Issues Details
652 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "attachment_fields_to_save". | 157 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 108 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 84 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 50 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$checked'. | 38 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['page'] | 36 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['plugin'] not unslashed before sanitization. Use wp_unslash() or similar | 34 |
| WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_exclude | WARNING | Using exclusionary parameters, like exclude, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. | 18 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 16 |
| Internal.LineEndings.Mixed | WARNING | File has mixed line endings; this may cause incorrect results | 11 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "rl_add_lightbox". | 11 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 11 |
| WordPress.DB.SlowDBQuery.slow_db_query_tax_query | WARNING | Detected usage of tax_query, possible slow query. | 7 |
| WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$this->prefix . '_configuration_updated'". | 7 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 6 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 6 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_POST['gallery_id']. Check that the array index exists before using it. | 6 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: $button1 | 6 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $groupby | 5 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_style(). This means new versions of the style may not always be loaded due to browser caching. | 5 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$s", but got "%s, %s" in 'If you are having problems with this plugin, please browse it\'s %s or talk about them in the %s.'. | 4 |
| badly_named_files | ERROR | File and folder names must not contain spaces or special characters. | 4 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_query | WARNING | Detected usage of meta_query, possible slow query. | 3 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 3 |
| five_star_reviews_detected | ERROR | Linking directly to 5 stars reviews is not allowed. | 2 |
Latest Snapshot
Findings: 652
Errors: 139
Warnings: 513
Score History
First score snapshot
First scan completed Jun 19, 2026
v2.7.8 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026 (Latest) | 28 | 652 | 139 | 513 | v2.7.8 | 2.0.0 | 2026.06-mvp-static-v2 |