Subscribe to Comments allows commenters on an entry to subscribe to e-mail notifications for subsequent comments.
Category Scores
Top Issues by Category
security: 182
maintainability: 72
Issues Details
292 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"<li>($ccount) <a href='"'. | 54 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 27 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 27 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 26 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 25 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 20 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE['comment_author_email_'. COOKIEHASH] | 17 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE['comment_author_email_'. COOKIEHASH] not unslashed before sanitization. Use wp_unslash() or similar | 16 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $post->post_author at "SELECT * FROM $wpdb->users WHERE ID = $post->post_author" | 13 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 13 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $this->ms_table used in $wpdb->get_col() | 9 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['subscribeid']. Check that the array index exists before using it. | 9 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 6 |
| WordPress.WP.AlternativeFunctions.rand_rand | ERROR | rand() is discouraged. Use the far less predictable wp_rand() instead. | 5 |
| WordPress.WP.DeprecatedFunctions.get_currentuserinfoFound | WARNING | get_currentuserinfo() has been deprecated since WordPress version 4.5.0. Use wp_get_current_user() instead. | 4 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "add_settings_error()" requires WordPress 3.0.0, but your plugin minimum supported version is WordPress 2.9.0. | 4 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $post->post_author used in $wpdb->get_row() $post->post_author used without escaping. | 3 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_value | WARNING | Detected usage of meta_value, possible slow query. | 2 |
| WordPress.WP.DeprecatedFunctions.screen_iconFound | WARNING | screen_icon() has been deprecated since WordPress version 3.8.0. | 2 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 1 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 1 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 1 |
| WordPress.WP.DiscouragedFunctions.query_posts_query_posts | WARNING | query_posts() is discouraged. Use WP_Query instead. | 1 |
| WordPress.WP.I18n.NoHtmlWrappedStrings | WARNING | Translatable string should not be wrapped in HTML. Found: '<strong>Error: </strong>' | 1 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'subscribe-to-comments' but got 'subscribe_to_comments'. | 1 |
Latest Snapshot
Findings: 292
Errors: 129
Warnings: 163
Score History
First score snapshot
First scan completed Jun 20, 2026
v2.3.1 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026 (Latest) | 36 | 292 | 129 | 163 | v2.3.1 | 2.0.0 | 2026.06-mvp-static-v2 |