Plugin Name: Traffic Stats Widget Plugin

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$options["wp_tsw_WidgetTitle"]'.

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$after_title'.

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$after_widget'.

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$options['wp_tsw_WidgetText_LastWeek']'.

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$options['wp_tsw_WidgetText_LastMonth']'.

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$options['wp_tsw_WidgetText_Online']'.

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$options['wp_tsw_WidgetTitle']'.

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$options['wp_tsw_WidgetText_Visitors']'.

Unescaped parameter $sql used in $wpdb->get_var($sql)\n$sql assigned unsafely at line 148:\n $sql .= ' AND IS_BOT <> 1'\n$sql assigned unsafely at line 145:\n $sql .= ' AND IS_HIT = 1 '\n$sql assigned unsafely at line 142:\n $sql = "SELECT COUNT(".($unique ? "DISTINCT IP" : "*").") FROM $table_name where Time > ".$stime\n$options['wp_tsw_WidgetText_bots_filter'] used without escaping.\n$table_name assigned unsafely at line 138:\n $table_name = $wpdb->prefix . "tsw_log"\n$options assigned unsafely at line 139:\n $options = get_tsw_options()

Use placeholders and $wpdb->prepare(); found $sql