User Role Editor is a WordPress plugin that makes changing user roles and capabilities easy: edit, add, or delete WordPress user roles and capabilities.
Category Scores
Top issues by category: security (243)
Issues Details
262 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$button_number'. | 100 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 46 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 28 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET[$var_name] not unslashed before sanitization. Use wp_unslash() or similar | 27 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET[$var_name] | 22 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 8 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 8 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $query | 8 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $query used in $wpdb->get_col(); $query assigned unsafely at line 148. | 4 |
| WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder | ERROR | Simple placeholders should not be quoted in the query string in $wpdb->prepare(). Found: '%s'. | 3 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_POST['_wpnonce']. Check that the array index exists before using it. | 3 |
| WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder | ERROR | The %i modifier is only supported in WP 6.2 or higher. Found: "%i". | 2 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 2 |
| upgrade_notice_limit | WARNING | The upgrade notice for "[4.65] 21.05.2026" exceeds the limit of 300 characters. | 1 |
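The sniff codes in the table map to a handful of recurring WordPress patterns: reading superglobals without a nonce check, sanitizing before unslashing, echoing unescaped values, building SQL by concatenation, quoting placeholders inside $wpdb->prepare(), and hitting the database without the object cache. The following is an added example and is not code from the User Role Editor plugin; it is a hypothetical admin-request handler showing the flagged shape next to the corrected one. The `ure_example_` prefix (function names, nonce action, cache group, text domain) and the form field names are assumptions, and the block needs a WordPress runtime because the `wp_*`, `esc_*` and `$wpdb` calls are core APIs.

```php
<?php
// Added example, not code from the User Role Editor plugin. Names prefixed
// ure_example_ (functions, nonce action, cache group, text domain) and the
// form fields are assumptions. Requires WordPress for wp_*/esc_*/$wpdb.

// BEFORE: the shape the sniffs flag. Do not ship this.
// NonceVerification.Missing, InputNotValidated, MissingUnslash,
// InputNotSanitized, EscapeOutput, NotPrepared, NoCaching.
function ure_example_handler_flagged() {
    global $wpdb;
    $button_number = $_GET['button'];                                   // raw superglobal
    echo '<input type="submit" name="btn' . $button_number . '">';      // unescaped output
    $prefix = $_POST['prefix'];
    $query  = "SELECT user_login FROM {$wpdb->users} WHERE user_login LIKE '" . $prefix . "%'";
    return $wpdb->get_col( $query );                                    // injectable, uncached
}

// AFTER: the same handler with each finding addressed.
function ure_example_handler_fixed() {
    global $wpdb;

    // 1. Nonce first, before any other form data is read. isset() covers the
    //    "possibly undefined superglobal index" warning; wp_unslash() removes
    //    the slashes WordPress adds to superglobals before sanitization.
    if ( ! isset( $_POST['_wpnonce'] )
        || ! wp_verify_nonce( sanitize_key( wp_unslash( $_POST['_wpnonce'] ) ), 'ure_example_action' ) ) {
        wp_die( esc_html__( 'Security check failed.', 'ure-example' ), '', array( 'response' => 403 ) );
    }

    // 2. A nonce proves intent, not authority: check the capability separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ure-example' ), '', array( 'response' => 403 ) );
    }

    // 3. Unslash, then reduce each input to the narrowest type the code needs.
    $button_number = isset( $_GET['button'] ) ? absint( wp_unslash( $_GET['button'] ) ) : 0;
    $prefix        = isset( $_POST['prefix'] ) ? sanitize_user( wp_unslash( $_POST['prefix'] ), true ) : '';

    // 4. Escape at the point of output, with the function for that context
    //    (esc_attr for an attribute value, esc_html for element content).
    printf( '<input type="submit" name="%s">', esc_attr( 'btn' . $button_number ) );

    // 5. Prepared SQL. Placeholders are never quoted in the query string:
    //    prepare() quotes %s itself, so '%s' yields a doubly quoted value
    //    (QuotedSimplePlaceholder). LIKE arguments go through esc_like() so a
    //    user-supplied % or _ is matched literally. Identifiers are not
    //    placeholders: %i exists only from WP 6.2, so for older targets
    //    interpolate $wpdb properties or allow-listed names, never input.
    $cache_key = 'ure_example_logins_' . md5( $prefix );
    $logins    = wp_cache_get( $cache_key, 'ure_example' );
    if ( false === $logins ) {
        $logins = $wpdb->get_col(
            $wpdb->prepare(
                "SELECT user_login FROM {$wpdb->users} WHERE user_login LIKE %s AND ID <> %d LIMIT 50",
                $wpdb->esc_like( $prefix ) . '%',
                get_current_user_id()
            )
        );
        wp_cache_set( $cache_key, $logins, 'ure_example', MINUTE_IN_SECONDS );

        // 6. Debug output stays behind WP_DEBUG rather than an unconditional error_log().
        if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
            error_log( 'ure_example: cache miss for prefix ' . $prefix );
        }
    }
    return $logins;
}
```

The order in the fixed handler matters: verify the nonce before reading any other field (otherwise the sniff still flags the earlier reads), then authorize, then unslash and sanitize, and only escape when the value is actually written out. Running `phpcs --standard=WordPress` over the two functions shows the flagged one reproducing most of the codes in the table and the fixed one passing the security sniffs.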
Latest Snapshot
Findings: 262 (117 errors, 145 warnings)
Score History
First score snapshot (first scan completed): v4.65 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2 · score 43
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 43 | 262 | 117 | 145 | v4.65 | 2.0.0 | 2026.06-mvp-static-v2 |