Automatically publishes blogposts to profiles/pages/groups on Twitter, Google+, Pinterest, LinkedIn, Blogger, Tumblr ... 22 more
Category Scores
Top Issues by Category
security2,700
maintainability564
Issues Details
3,541 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"</b> at char $i without open tag: REMOVED</div>"'.
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
Processing form data without nonce verification.
print_r() found. Debug code should not normally be used in production.
$_GET['acc'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a possibly undefined superglobal array index: $_FILES['impFileSettings_button']['tmp_name']. Check that the array index exists before using it.
Detected usage of a non-sanitized input variable: $_ENV['CONTENT_TYPE']
Processing form data without nonce verification.
The $text parameter must be a single text string literal. Found: 'Authorize Your '.$ntInfo['name'].' Account'
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
Mismatched text domain. Expected 'social-networks-auto-poster-facebook-twitter-g' but got "default".
rand() is discouraged. Use the far less predictable wp_rand() instead.
mt_rand() is discouraged. Use the far less predictable wp_rand() instead.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable().
parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Expired timestamp, yours $timestamp, ours $now"'.
Use placeholders and $wpdb->prepare(); found interpolated variable $options_table at "DELETE FROM $options_table WHERE option_name LIKE %s"
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"</b> at char $i without open tag: REMOVED</div>"'. | 987 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 884 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 201 |
| WordPress.PHP.DevelopmentFunctions.error_log_print_r | WARNING | print_r() found. Debug code should not normally be used in production. | 198 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['acc'] not unslashed before sanitization. Use wp_unslash() or similar | 190 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES['impFileSettings_button']['tmp_name']. Check that the array index exists before using it. | 145 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_ENV['CONTENT_TYPE'] | 136 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 124 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: 'Authorize Your '.$ntInfo['name'].' Account' | 105 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 92 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 77 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 60 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 56 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 51 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 46 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'social-networks-auto-poster-facebook-twitter-g' but got "default". | 41 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $dupe | 22 |
| WordPress.WP.AlternativeFunctions.rand_rand | ERROR | rand() is discouraged. Use the far less predictable wp_rand() instead. | 13 |
| WordPress.WP.AlternativeFunctions.rand_mt_rand | ERROR | mt_rand() is discouraged. Use the far less predictable wp_rand() instead. | 10 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 10 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 7 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable(). | 7 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 7 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Expired timestamp, yours $timestamp, ours $now"'. | 6 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $options_table at "DELETE FROM $options_table WHERE option_name LIKE %s" | 5 |
Latest Snapshot
Findings
3,541
Errors
2,408
Warnings
1,133
Score History
First score snapshot
First scan completed Jun 20, 2026
v4.4.7 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v4.4.7
22
Latest
- Findings
- 3,541
- Errors
- 2,408
- Warnings
- 1,133
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 22 | 3,541 | 2,408 | 1,133 | v4.4.7 | 2.0.0 | 2026.06-mvp-static-v2 |
