Sumo is trusted by over 600,000 businesses — small and large — in growing their email lists, customer base, and revenue online.
Category Scores
Top Issues by Category
security37
maintainability36
Issues Details
75 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$_COOKIE['__smToken']'.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$is_authed".
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
Detected usage of a non-sanitized input variable: $_COOKIE['__smToken']
$_COOKIE['__smToken'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a possibly undefined superglobal array index: $_COOKIE['__smToken']. Check that the array index exists before using it.
Processing form data without nonce verification.
Processing form data without nonce verification.
Resource version not set in call to wp_enqueue_style(). This means new versions of the style may not always be loaded due to browser caching.
No PHP code was found in this file and short open tags are not allowed by this install of PHP. This file may be using short open tags but PHP does not allow them.
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "WP_Plugin_SumoMe".
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable().
mt_rand() is discouraged. Use the far less predictable wp_rand() instead.
mt_srand() is discouraged. Rand seeding is not necessary when using the wp_rand() function (as you should).
Scripts must be registered/enqueued via wp_enqueue_script()
Stylesheets must be registered/enqueued via wp_enqueue_style()
Plugin name "Website Pop-up Builder by BDOW! (formerly Sumo): Pop-ups + forms for email opt-ins and lead generation" is different from the name declared in plugin header "SumoMe".
Tested up to: 6.8 < 7.0. The "Tested up to" value in your plugin is not set to the current version of WordPress. This means your plugin will not show up in searches, as we require plugins to be compatible and documented as tested up to the most recent version of WordPress.
Missing "License" in Plugin Header. Please update your Plugin Header with a valid GPLv2 (or later) compatible license.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$_COOKIE['__smToken']'. | 18 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 10 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$is_authed". | 8 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 5 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE['__smToken'] | 5 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE['__smToken'] not unslashed before sanitization. Use wp_unslash() or similar | 5 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_COOKIE['__smToken']. Check that the array index exists before using it. | 4 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 3 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 2 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_style(). This means new versions of the style may not always be loaded due to browser caching. | 2 |
| application_detected | ERROR | Application files are not permitted. | 2 |
| Internal.NoCodeFound | WARNING | No PHP code was found in this file and short open tags are not allowed by this install of PHP. This file may be using short open tags but PHP does not allow them. | 1 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "WP_Plugin_SumoMe". | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable(). | 1 |
| WordPress.WP.AlternativeFunctions.rand_mt_rand | ERROR | mt_rand() is discouraged. Use the far less predictable wp_rand() instead. | 1 |
| WordPress.WP.AlternativeFunctions.rand_seeding_mt_srand | ERROR | mt_srand() is discouraged. Rand seeding is not necessary when using the wp_rand() function (as you should). | 1 |
| WordPress.WP.EnqueuedResources.NonEnqueuedScript | ERROR | Scripts must be registered/enqueued via wp_enqueue_script() | 1 |
| WordPress.WP.EnqueuedResources.NonEnqueuedStylesheet | ERROR | Stylesheets must be registered/enqueued via wp_enqueue_style() | 1 |
| mismatched_plugin_name | WARNING | Plugin name "Website Pop-up Builder by BDOW! (formerly Sumo): Pop-ups + forms for email opt-ins and lead generation" is different from the name declared in plugin header "SumoMe". | 1 |
| outdated_tested_upto_header | ERROR | Tested up to: 6.8 < 7.0. The "Tested up to" value in your plugin is not set to the current version of WordPress. This means your plugin will not show up in searches, as we require plugins to be compatible and documented as tested up to the most recent version of WordPress. | 1 |
| plugin_header_no_license | ERROR | Missing "License" in Plugin Header. Please update your Plugin Header with a valid GPLv2 (or later) compatible license. | 1 |
| upgrade_notice_limit | WARNING | The upgrade notice for "1.14" exceeds the limit of 300 characters. | 1 |
Latest Snapshot
Findings
75
Errors
42
Warnings
33
Score History
First score snapshot
First scan completed Jun 20, 2026
v1.44 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v1.44
37
Latest
- Findings
- 75
- Errors
- 42
- Warnings
- 33
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 37 | 75 | 42 | 33 | v1.44 | 2.0.0 | 2026.06-mvp-static-v2 |
