Speed up your website. Optimize your JPEG, PNG, and WebP images automatically with TinyPNG.
Category Scores
Top Issues by Category
security233
maintainability104
Issues Details
337 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$active['unconverted']'.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$active".
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$details['message']'.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Detected usage of a non-sanitized input variable: $_GET['image_sizes_selected']
$_GET['image_sizes_selected'] not unslashed before sanitization. Use wp_unslash() or similar
Processing form data without nonce verification.
Processing form data without nonce verification.
Sanitization missing for register_setting().
Detected usage of a possibly undefined superglobal array index: $_GET['image_sizes_selected']. Check that the array index exists before using it.
Function "mb_strlen()" requires WordPress 4.2.0, but your plugin minimum supported version is WordPress 4.0.0.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'wp_ajax_' . $action".
error_log() found. Debug code should not normally be used in production.
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable().
Unescaped parameter $query used in $wpdb->get_results()\n$query assigned unsafely at line 69.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$active['unconverted']'. | 130 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$active". | 65 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$details['message']'. | 24 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 22 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['image_sizes_selected'] | 19 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['image_sizes_selected'] not unslashed before sanitization. Use wp_unslash() or similar | 19 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 13 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 9 |
| PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing | ERROR | Sanitization missing for register_setting(). | 8 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['image_sizes_selected']. Check that the array index exists before using it. | 7 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "mb_strlen()" requires WordPress 4.2.0, but your plugin minimum supported version is WordPress 4.0.0. | 5 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'wp_ajax_' . $action". | 3 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 2 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable(). | 2 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $query used in $wpdb->get_results()\n$query assigned unsafely at line 69. | 1 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 1 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 1 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 1 |
Latest Snapshot
Findings
337
Errors
196
Warnings
141
Score History
First score snapshot
First scan completed Jun 19, 2026
v3.6.14 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v3.6.14
38
Latest
- Findings
- 337
- Errors
- 196
- Warnings
- 141
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 38 | 337 | 196 | 141 | v3.6.14 | 2.0.0 | 2026.06-mvp-static-v2 |
