High performance YouTube video, playlist and audio-only embeds which don't slow down your blog and offer optimal accessibility.
Category Scores
Top Issues by Category
security201
maintainability159
Issues Details
382 issues found in latest scan
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$cachekey".
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$PLClass'.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "excerpt_length".
$_GET['origThumbUrl'] not unslashed before sanitization. Use wp_unslash() or similar
Sanitization missing for register_setting().
Processing form data without nonce verification.
Detected usage of a non-sanitized input variable: $_GET['origThumbUrl']
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "getFutttaFeeds".
Detected usage of a possibly undefined superglobal array index: $_GET['origThumbUrl']. Check that the array index exists before using it.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead.
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching.
unlink() is discouraged. Use wp_delete_file() to delete a file.
The plugin name includes a restricted term. Your chosen plugin name - "WP YouTube Lyte" - contains the restricted term "wp" which cannot be used at all in your plugin name.
load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
Scripts must be registered/enqueued via wp_enqueue_script()
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Plugin folders are deleted when upgraded. Do not save data to the plugin folder using rename(). Detected usage of constant WP_CONTENT_DIR. Use wp_upload_dir() to get the uploads directory path or save to the database instead.
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$cachekey". | 104 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 85 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$PLClass'. | 66 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "excerpt_length". | 12 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['origThumbUrl'] not unslashed before sanitization. Use wp_unslash() or similar | 12 |
| PluginCheck.CodeAnalysis.SettingSanitization.register_settingMissing | ERROR | Sanitization missing for register_setting(). | 10 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 10 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['origThumbUrl'] | 10 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "getFutttaFeeds". | 9 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['origThumbUrl']. Check that the array index exists before using it. | 8 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 6 |
| WordPress.WP.AlternativeFunctions.curl_curl_setopt | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 5 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 4 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 4 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching. | 4 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 3 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "WP YouTube Lyte" - contains the restricted term "wp" which cannot be used at all in your plugin name. | 3 |
| PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFound | WARNING | load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed. | 2 |
| WordPress.WP.AlternativeFunctions.curl_curl_error | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 2 |
| WordPress.WP.AlternativeFunctions.curl_curl_exec | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 2 |
| WordPress.WP.EnqueuedResources.NonEnqueuedScript | ERROR | Scripts must be registered/enqueued via wp_enqueue_script() | 2 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 2 |
| PluginCheck.CodeAnalysis.WriteFile.PluginDirectoryWrite | ERROR | Plugin folders are deleted when upgraded. Do not save data to the plugin folder using rename(). Detected usage of constant WP_CONTENT_DIR. Use wp_upload_dir() to get the uploads directory path or save to the database instead. | 1 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 1 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 1 |
Latest Snapshot
Findings
382
Errors
204
Warnings
178
Score History
First score snapshot
First scan completed Jun 20, 2026
v1.7.30 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v1.7.30
28
Latest
- Findings
- 382
- Errors
- 204
- Warnings
- 178
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 28 | 382 | 204 | 178 | v1.7.30 | 2.0.0 | 2026.06-mvp-static-v2 |
