Easily accept payments on your WordPress site via Stripe payment gateway.
Category Scores
Top Issues by Category
security732
maintainability450
i18n22
supply_chain5
Issues Details
1,255 issues found in latest scan
Processing form data without nonce verification.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'asp_product_edit_output_product_type_' . $type".
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$action_nonce'.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$a".
$_COOKIE['asp_transient_id'] not unslashed before sanitization. Use wp_unslash() or similar
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Cannot save property `{$key}` containing an API resource of type "'.
Detected usage of a non-sanitized input variable: $_COOKIE['asp_transient_id']
All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'.
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "ASPMain".
Processing form data without nonce verification.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Detected usage of a possibly undefined superglobal array index: $_GET['page']. Check that the array index exists before using it.
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "ASP_MANAGEMENT_PERMISSION".
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Detected usage of meta_key, possible slow query.
Detected usage of meta_value, possible slow query.
parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead.
Resource version not set in call to wp_register_script(). This means new versions of the script may not always be loaded due to browser caching.
Scripts must be registered/enqueued via wp_enqueue_script()
The $text parameter must be a single text string literal. Found: $pay_btn_text
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "asp_apply_dynamic_tags_on_email_body".
trigger_error() found. Debug code should not normally be used in production.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 211 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'asp_product_edit_output_product_type_' . $type". | 204 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$action_nonce'. | 147 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$a". | 140 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE['asp_transient_id'] not unslashed before sanitization. Use wp_unslash() or similar | 132 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Cannot save property `{$key}` containing an API resource of type "'. | 67 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE['asp_transient_id'] | 66 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'. | 57 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "ASPMain". | 31 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 31 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 27 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['page']. Check that the array index exists before using it. | 21 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 11 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "ASP_MANAGEMENT_PERMISSION". | 9 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 7 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 7 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 6 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_value | WARNING | Detected usage of meta_value, possible slow query. | 6 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 5 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_register_script(). This means new versions of the script may not always be loaded due to browser caching. | 5 |
| hidden_files | ERROR | Hidden files are not permitted. | 5 |
| WordPress.WP.EnqueuedResources.NonEnqueuedScript | ERROR | Scripts must be registered/enqueued via wp_enqueue_script() | 4 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: $pay_btn_text | 4 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "asp_apply_dynamic_tags_on_email_body". | 3 |
| WordPress.PHP.DevelopmentFunctions.error_log_trigger_error | WARNING | trigger_error() found. Debug code should not normally be used in production. | 3 |
Latest Snapshot
Findings
1,255
Errors
373
Warnings
882
Score History
First score snapshot
First scan completed Jun 20, 2026
v2.0.99 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v2.0.99
21
Latest
- Findings
- 1,255
- Errors
- 373
- Warnings
- 882
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 21 | 1,255 | 373 | 882 | v2.0.99 | 2.0.0 | 2026.06-mvp-static-v2 |
