Uncanny Automator is the easiest and most powerful way to connect your WordPress plugins, sites and apps together with powerful automations.
Category Scores
Top Issues by Category
maintainability2,306
security413
i18n112
Issues Details
2,864 issues found in latest scan
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Detected usage of meta_key, possible slow query.
Detected usage of meta_value, possible slow query.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$__status".
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'stm_lms_quiz_' . $status".
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Unescaped parameter $action_tbl used in $wpdb->get_col()\n$action_tbl assigned unsafely at line 153.
A function call to _n() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$action_name".
Use placeholders and $wpdb->prepare(); found interpolated variable $placeholders at "SELECT meta_value, post_id FROM $wpdb->postmeta WHERE meta_key = %s AND post_id IN ($placeholders)"
Function "str_contains()" requires WordPress 5.9.0, but your plugin minimum supported version is WordPress 5.8.0.
Detected usage of meta_query, possible slow query.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$column_name'.
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "clear_cloudflare_cache".
Setting `suppress_filters` to `true` is prohibited.
The $text parameter must be a single text string literal. Found: $e->getMessage()
Detected usage of a non-sanitized input variable: $_GET['rest_route']
$_GET['rest_route'] not unslashed before sanitization. Use wp_unslash() or similar
Using exclusionary parameters, like exclude, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information.
Attempting a database schema change is discouraged.
Incorrect number of replacements passed to $wpdb->prepare(). Found 1 replacement parameters, expected 2.
Replacement variables found, but no valid placeholders found in the query.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 424 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 407 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 378 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_value | WARNING | Detected usage of meta_value, possible slow query. | 363 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$__status". | 330 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $action_id | 221 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'stm_lms_quiz_' . $status". | 175 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 149 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $action_tbl used in $wpdb->get_col()\n$action_tbl assigned unsafely at line 153. | 135 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to _n() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 105 |
| WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$action_name". | 29 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $placeholders at "SELECT meta_value, post_id FROM $wpdb->postmeta WHERE meta_key = %s AND post_id IN ($placeholders)" | 28 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "str_contains()" requires WordPress 5.9.0, but your plugin minimum supported version is WordPress 5.8.0. | 18 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_query | WARNING | Detected usage of meta_query, possible slow query. | 14 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$column_name'. | 13 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "clear_cloudflare_cache". | 12 |
| WordPressVIPMinimum.Performance.WPQueryParams.SuppressFilters_suppress_filters | ERROR | Setting `suppress_filters` to `true` is prohibited. | 9 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: $e->getMessage() | 7 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['rest_route'] | 5 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['rest_route'] not unslashed before sanitization. Use wp_unslash() or similar | 5 |
| WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_exclude | WARNING | Using exclusionary parameters, like exclude, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. | 5 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 4 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 3 |
| WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber | WARNING | Incorrect number of replacements passed to $wpdb->prepare(). Found 1 replacement parameters, expected 2. | 3 |
| WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare | WARNING | Replacement variables found, but no valid placeholders found in the query. | 3 |
Latest Snapshot
Findings
2,864
Errors
530
Warnings
2,334
Score History
First score snapshot
First scan completed Jun 20, 2026
v7.3.1.3 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v7.3.1.3
22
Latest
- Findings
- 2,864
- Errors
- 530
- Warnings
- 2,334
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 22 | 2,864 | 530 | 2,334 | v7.3.1.3 | 2.0.0 | 2026.06-mvp-static-v2 |
