Redirect to any page or URL, execute scripts after submission, save data to the database, and unlock additional submission actions for Contact Form 7.
Category Scores
Top Issues by Category
maintainability237
security158
Issues Details
408 issues found in latest scan
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$action_category".
Processing form data without nonce verification.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'themeisle_sdk_license_process_' . $slug".
Processing form data without nonce verification.
$_GET[$attrs['param']] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a non-sanitized input variable: $_GET[$attrs['param']]
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite().
No PHP code was found in this file and short open tags are not allowed by this install of PHP. This file may be using short open tags but PHP does not allow them.
print_r() found. Debug code should not normally be used in production.
Detected usage of meta_query, possible slow query.
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "cf7r_tooltip".
rand() is discouraged. Use the far less predictable wp_rand() instead.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "Ext_Accessibe".
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "CF7_REDIRECT_DEBUG".
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().
Plugin Updater detected. Detected code which may be altering WordPress update routines. Detected: _site_transient_update_plugins
Function "utf8_encode()" requires WordPress 6.9.0, but your plugin minimum supported version is WordPress 5.1.0.
load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$loaded_hook".
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable().
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$action_category". | 132 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 55 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'themeisle_sdk_license_process_' . $slug". | 41 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 41 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET[$attrs['param']] not unslashed before sanitization. Use wp_unslash() or similar | 37 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET[$attrs['param']] | 22 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fwrite | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite(). | 11 |
| Internal.NoCodeFound | WARNING | No PHP code was found in this file and short open tags are not allowed by this install of PHP. This file may be using short open tags but PHP does not allow them. | 8 |
| WordPress.PHP.DevelopmentFunctions.error_log_print_r | WARNING | print_r() found. Debug code should not normally be used in production. | 7 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_query | WARNING | Detected usage of meta_query, possible slow query. | 5 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "cf7r_tooltip". | 5 |
| WordPress.WP.AlternativeFunctions.rand_rand | ERROR | rand() is discouraged. Use the far less predictable wp_rand() instead. | 4 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 3 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 3 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 3 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 3 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 3 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "Ext_Accessibe". | 2 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "CF7_REDIRECT_DEBUG". | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 2 |
| update_modification_detected | WARNING | Plugin Updater detected. Detected code which may be altering WordPress update routines. Detected: _site_transient_update_plugins | 2 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "utf8_encode()" requires WordPress 6.9.0, but your plugin minimum supported version is WordPress 5.1.0. | 2 |
| PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFound | WARNING | load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed. | 1 |
| WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$loaded_hook". | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable(). | 1 |
Latest Snapshot
Findings
408
Errors
34
Warnings
374
Score History
First score snapshot
First scan completed Jun 19, 2026
v3.2.10 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v3.2.10
27
Latest
- Findings
- 408
- Errors
- 34
- Warnings
- 374
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 27 | 408 | 34 | 374 | v3.2.10 | 2.0.0 | 2026.06-mvp-static-v2 |
