Theme Editor allows you to edit theme files, create folder, upload files and remove any file and folder in themes and plugins.
Category Scores
Top Issues by Category
security938
maintainability312
Issues Details
1,483 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$a_theme'.
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$a_plugin".
Mismatched text domain. Expected 'theme-editor' but got 'te-editor'.
$_GET['error'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a possibly undefined superglobal array index: $_FILES['ms_theme_screenshot']['name']. Check that the array index exists before using it.
Detected usage of a non-sanitized input variable: $_FILES['ms_theme_screenshot']['name']
Processing form data without nonce verification.
Processing form data without nonce verification.
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "mk_theme_editor_child_file_delete".
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable().
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Scripts must be registered/enqueued via wp_enqueue_script()
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "LF".
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "InsufficientDataException".
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().
wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir().
Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "https_local_ssl_verify".
Namespaces declared by a theme/plugin should start with the theme/plugin prefix. Found: "te\app\cnt".
Stylesheets must be registered/enqueued via wp_enqueue_style()
print_r() found. Debug code should not normally be used in production.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$c'.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$a_theme'. | 283 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 232 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$a_plugin". | 200 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'theme-editor' but got 'te-editor'. | 176 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['error'] not unslashed before sanitization. Use wp_unslash() or similar | 127 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES['ms_theme_screenshot']['name']. Check that the array index exists before using it. | 111 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_FILES['ms_theme_screenshot']['name'] | 71 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 70 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 34 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "mk_theme_editor_child_file_delete". | 22 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable(). | 16 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 14 |
| WordPress.WP.EnqueuedResources.NonEnqueuedScript | ERROR | Scripts must be registered/enqueued via wp_enqueue_script() | 12 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "LF". | 11 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "InsufficientDataException". | 8 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 8 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 6 |
| WordPress.WP.AlternativeFunctions.file_system_operations_mkdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir(). | 6 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching. | 6 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "https_local_ssl_verify". | 5 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedNamespaceFound | WARNING | Namespaces declared by a theme/plugin should start with the theme/plugin prefix. Found: "te\app\cnt". | 5 |
| WordPress.WP.EnqueuedResources.NonEnqueuedStylesheet | ERROR | Stylesheets must be registered/enqueued via wp_enqueue_style() | 5 |
| WordPress.PHP.DevelopmentFunctions.error_log_print_r | WARNING | print_r() found. Debug code should not normally be used in production. | 4 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$c'. | 4 |
| WordPress.WP.AlternativeFunctions.curl_curl_setopt | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 4 |
Latest Snapshot
Findings
1,483
Errors
798
Warnings
685
Score History
First score snapshot
First scan completed
v3.2 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
v3.2
22
Latest
- Findings
- 1,483
- Errors
- 798
- Warnings
- 685
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 22 | 1,483 | 798 | 685 | v3.2 | 2.0.0 | 2026.06-mvp-static-v2 |
