file manager provides you ability to edit, delete, upload, download, copy and paste files and folders.
Category Scores
Top Issues by Category
maintainability566
security489
Issues Details
1,260 issues found in latest scan
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header.
$_GET['code'] not unslashed before sanitization. Use wp_unslash() or similar
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$access_folder".
Processing form data without nonce verification.
Detected usage of a non-sanitized input variable: $_FILES['content']['tmp_name']
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$access_folder'.
Detected usage of a possibly undefined superglobal array index: $_FILES['content']['tmp_name']. Check that the array index exists before using it.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().
Function "register_rest_route()" requires WordPress 4.4.0, but your plugin minimum supported version is WordPress 4.0.0.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fread().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable().
error_reporting() can lead to full path disclosure.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir().
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$err'.
Processing form data without nonce verification.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 158 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 84 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['code'] not unslashed before sanitization. Use wp_unslash() or similar | 80 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 63 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$access_folder". | 61 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 59 |
| badly_named_files | ERROR | File and folder names must not contain spaces or special characters. | 58 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_FILES['content']['tmp_name'] | 57 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$access_folder'. | 54 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES['content']['tmp_name']. Check that the array index exists before using it. | 53 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 46 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "register_rest_route()" requires WordPress 4.4.0, but your plugin minimum supported version is WordPress 4.0.0. | 36 |
| WordPress.WP.AlternativeFunctions.curl_curl_setopt | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 34 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fread | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fread(). | 28 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable(). | 27 |
| WordPress.PHP.DevelopmentFunctions.prevent_path_disclosure_error_reporting | WARNING | error_reporting() can lead to full path disclosure. | 19 |
| WordPress.WP.AlternativeFunctions.file_system_operations_mkdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir(). | 19 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 16 |
| WordPress.WP.AlternativeFunctions.curl_curl_setopt_array | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 16 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 15 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 15 |
| WordPress.WP.AlternativeFunctions.curl_curl_init | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 15 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 14 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$err'. | 14 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 14 |
Latest Snapshot
Findings
1,260
Errors
740
Warnings
520
Score History
First score snapshot
First scan completed Jun 19, 2026
v8.0.4 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v8.0.4
22
Latest
- Findings
- 1,260
- Errors
- 740
- Warnings
- 520
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 22 | 1,260 | 740 | 520 | v8.0.4 | 2.0.0 | 2026.06-mvp-static-v2 |
