wp-mpdf

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$nonceURL'.

Use placeholders and $wpdb->prepare(); found $sql

Unescaped parameter $sql used in $wpdb->query($wpdb->prepare( $sql, $db_id ))\n$sql assigned unsafely at line 384:\n $sql = 'UPDATE ' . $table_name . ' SET general=1 WHERE id=%d LIMIT 1'\n$sql assigned unsafely at line 381:\n $sql = 'INSERT INTO ' . $table_name . ' (post_type, post_id, general, login, pdfname, downloads) VALUES (%s, %d, 1, 0, "", 0)'\n$sql assigned unsafely at line 378:\n $sql = 'SELECT id FROM ' . $table_name . ' WHERE post_id=%d AND post_type=%s LIMIT 1'\n$db_id assigned unsafely at line 379:\n $db_id = $wpdb->get_var( $wpdb->prepare( $sql, $page->ID, $page->post_type ) )\n$page->post_type used without escaping.\n$page->ID used without escaping.

File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: mkdir().

Unescaped parameter $sql used in $wpdb->query($wpdb->prepare( $sql, $post->post_type, $post->ID, false, false, '' ))\n$sql assigned unsafely at line 488:\n $sql = 'INSERT INTO ' . $table_name . ' (post_type, post_id, general, login, pdfname, downloads) VALUES (%s, %d, %d, %d, %s, 1)'\n$sql assigned unsafely at line 472:\n $sql = 'SELECT id,general,login,pdfname FROM ' . $table_name . ' WHERE post_id=%d AND post_type=%s LIMIT 1'\n$post->post_type used without escaping.\n$post->ID used without escaping.\n$dsatz assigned unsafely at line 473:\n $dsatz = $wpdb->get_row( $wpdb->prepare( $sql, $post->ID, $post->post_type ) ) ?: _mpdf_default_post()

Use placeholders and $wpdb->prepare(); found $table_name

Use placeholders and $wpdb->prepare(); found $sql

Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "the_content".

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$wp_content'.

Use placeholders and $wpdb->prepare(); found $sql