Ultimate user feedback plugin to ask questions, surveys, polls, from your website in seconds
Category Scores
Top Issues by Category
i18n305
maintainability230
security133
Issues Details
687 issues found in latest scan
Mismatched text domain. Expected 'userfeedback-lite' but got 'action-scheduler'.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"The bulk action $action does not have a callback method"'.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "admin_head".
Multiple placeholders in translatable strings should be ordered. Expected "%1$d, %2$d", but got "%d, %d" in 'Response %d of %d'.
Unescaped parameter $column_name used in $wpdb->get_var()
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite().
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "as_enqueue_async_action".
Use placeholders and $wpdb->prepare(); found interpolated variable $table at FROM $table\n
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "CronExpression".
Processing form data without nonce verification.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$hook".
Plugin folders are deleted when upgraded. Do not save data to the plugin folder using unzip_file(). Detected usage of constant WP_CONTENT_DIR. Use wp_upload_dir() to get the uploads directory path or save to the database instead.
Unescaped parameter $query used in $wpdb->get_var()\n$query assigned unsafely at line 77.
Attempting a database schema change is discouraged.
Complex placeholders used for values in the query string in $wpdb->prepare() will NOT be quoted automagically. Found: %1s.
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "WP_ADMIN".
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$base".
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
Translatable string should not be wrapped in HTML. Found: '<b>based upon custom targeting options</b>'
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'userfeedback-lite' but got 'action-scheduler'. | 221 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"The bulk action $action does not have a callback method"'. | 83 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 65 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 58 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 57 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "admin_head". | 26 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$d, %2$d", but got "%d, %d" in 'Response %d of %d'. | 25 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $column_name used in $wpdb->get_var() | 23 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fwrite | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite(). | 23 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 14 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "as_enqueue_async_action". | 13 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $table at FROM $table\n | 12 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "CronExpression". | 11 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 7 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 5 |
| WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$hook". | 5 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $query | 4 |
| PluginCheck.CodeAnalysis.WriteFile.PluginDirectoryWrite | ERROR | Plugin folders are deleted when upgraded. Do not save data to the plugin folder using unzip_file(). Detected usage of constant WP_CONTENT_DIR. Use wp_upload_dir() to get the uploads directory path or save to the database instead. | 2 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $query used in $wpdb->get_var()\n$query assigned unsafely at line 77. | 2 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 2 |
| WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder | WARNING | Complex placeholders used for values in the query string in $wpdb->prepare() will NOT be quoted automagically. Found: %1s. | 2 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "WP_ADMIN". | 2 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$base". | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 2 |
| WordPress.WP.I18n.NoHtmlWrappedStrings | WARNING | Translatable string should not be wrapped in HTML. Found: '<b>based upon custom targeting options</b>' | 2 |
Latest Snapshot
Findings
687
Errors
444
Warnings
243
Score History
First score snapshot
First scan completed Jun 19, 2026
v1.11.2 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v1.11.2
22
Latest
- Findings
- 687
- Errors
- 444
- Warnings
- 243
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 22 | 687 | 444 | 243 | v1.11.2 | 2.0.0 | 2026.06-mvp-static-v2 |
