Log, view, and resend all emails sent from your WordPress site. Great for resolving email sending issues or keeping a copy for auditing.
Category Scores
Top Issues by Category
security216
maintainability86
Issues Details
334 issues found in latest scan
Processing form data without nonce verification.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '" data-wp-lists='list:$singular'"'.
$_GET['order'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a non-sanitized input variable: $_GET['order']
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "bulk_actions-{$this->screen->id}".
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Use placeholders and $wpdb->prepare(); found interpolated variable $tableName at CREATE TABLE IF NOT EXISTS `$tableName` (\n
Complex placeholders used for values in the query string in $wpdb->prepare() will NOT be quoted automagically. Found: %1$s.
Unescaped parameter $tableName used in $wpdb->get_results()\n$tableName assigned unsafely at line 118.
Attempting a database schema change is discouraged.
Detected usage of a possibly undefined superglobal array index: $_REQUEST[$this->_args['singular']]. Check that the array index exists before using it.
Processing form data without nonce verification.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Service '{$key}' is not registered"'.
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$loader".
In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header.
The plugin name includes a restricted term. Your chosen plugin name - "WP Mail Logging" - contains the restricted term "wp" which cannot be used at all in your plugin name.
Unescaped parameter $query used in $wpdb->get_results()\n$query assigned unsafely at line 403.
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "WP_MAIL_LOGGING_PLUGIN_DIR".
Missing singular placeholder, needed for some languages. See https://codex.wordpress.org/I18n_for_WordPress_Developers#Plurals
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 57 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '" data-wp-lists='list:$singular'"'. | 35 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['order'] not unslashed before sanitization. Use wp_unslash() or similar | 29 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['order'] | 28 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "bulk_actions-{$this->screen->id}". | 24 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 20 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 19 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $tableName at CREATE TABLE IF NOT EXISTS `$tableName` (\n | 13 |
| WordPress.DB.PreparedSQLPlaceholders.UnquotedComplexPlaceholder | WARNING | Complex placeholders used for values in the query string in $wpdb->prepare() will NOT be quoted automagically. Found: %1$s. | 13 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $tableName used in $wpdb->get_results()\n$tableName assigned unsafely at line 118. | 11 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 9 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_REQUEST[$this->_args['singular']]. Check that the array index exists before using it. | 9 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 9 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 8 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 7 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Service '{$key}' is not registered"'. | 4 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 4 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $query | 3 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$loader". | 3 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 3 |
| badly_named_files | ERROR | File and folder names must not contain spaces or special characters. | 3 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "WP Mail Logging" - contains the restricted term "wp" which cannot be used at all in your plugin name. | 3 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $query used in $wpdb->get_results()\n$query assigned unsafely at line 403. | 2 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "WP_MAIL_LOGGING_PLUGIN_DIR". | 2 |
| WordPress.WP.I18n.MissingSingularPlaceholder | ERROR | Missing singular placeholder, needed for some languages. See https://codex.wordpress.org/I18n_for_WordPress_Developers#Plurals | 2 |
Latest Snapshot
Findings
334
Errors
76
Warnings
258
Score History
First score snapshot
First scan completed Jun 19, 2026
v1.16.0 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v1.16.0
34
Latest
- Findings
- 334
- Errors
- 76
- Warnings
- 258
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 34 | 334 | 76 | 258 | v1.16.0 | 2.0.0 | 2026.06-mvp-static-v2 |
