The best WordPress contact form plugin. Drag & Drop form builder to create beautiful contact forms, payment forms, & other custom forms.
Category Scores
Top Issues by Category
maintainability285
security149
Issues Details
436 issues found in latest scan
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$active_network_plugins".
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'wpforms_datetime_format'.
Unescaped parameter $clause used in $wpdb->get_row()\n$clause used without escaping.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "https_local_ssl_verify".
Function "wp_get_sidebar()" requires WordPress 5.9.0, but your plugin minimum supported version is WordPress 5.5.0.
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "_wpforms_get_hierarchical_object_flatten".
The plugin name includes a restricted term. Your chosen plugin name - "WPForms - Easy Form Builder for WordPress - Contact Forms, Payment Forms, Surveys, & More" - contains the restricted term "wordpress" which cannot be used at all in your plugin name.
The use of function wp_get_sidebars_widgets() is forbidden
Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead
Plugin folders are deleted when upgraded. Do not save data to the plugin folder using unzip_file(). Detected usage of constant WP_CONTENT_DIR. Use wp_upload_dir() to get the uploads directory path or save to the database instead.
Plugin name "WPForms - Easy Form Builder for WordPress - Contact Forms, Payment Forms, Surveys, & More" is different from the name declared in plugin header "WPForms Lite".
The "/vendor" directory using composer exists, but "composer.json" file is missing.
The "Changelog" section is too long and was truncated. A maximum of 5000 characters is supported.
The "Short Description" section is too long and was truncated. A maximum of 150 characters is supported.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$active_network_plugins". | 188 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'wpforms_datetime_format'. | 90 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $clause used in $wpdb->get_row()\n$clause used without escaping. | 59 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 32 |
| badly_named_files | ERROR | File and folder names must not contain spaces or special characters. | 27 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "https_local_ssl_verify". | 14 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "wp_get_sidebar()" requires WordPress 5.9.0, but your plugin minimum supported version is WordPress 5.5.0. | 11 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "_wpforms_get_hierarchical_object_flatten". | 3 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "WPForms - Easy Form Builder for WordPress - Contact Forms, Payment Forms, Surveys, & More" - contains the restricted term "wordpress" which cannot be used at all in your plugin name. | 3 |
| library_core_files | ERROR | Library files that are already in the WordPress core are not permitted. | 2 |
| Generic.PHP.ForbiddenFunctions.Found | ERROR | The use of function wp_get_sidebars_widgets() is forbidden | 1 |
| PluginCheck.CodeAnalysis.Heredoc.NotAllowed | ERROR | Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead | 1 |
| PluginCheck.CodeAnalysis.WriteFile.PluginDirectoryWrite | ERROR | Plugin folders are deleted when upgraded. Do not save data to the plugin folder using unzip_file(). Detected usage of constant WP_CONTENT_DIR. Use wp_upload_dir() to get the uploads directory path or save to the database instead. | 1 |
| mismatched_plugin_name | WARNING | Plugin name "WPForms - Easy Form Builder for WordPress - Contact Forms, Payment Forms, Surveys, & More" is different from the name declared in plugin header "WPForms Lite". | 1 |
| missing_composer_json_file | WARNING | The "/vendor" directory using composer exists, but "composer.json" file is missing. | 1 |
| readme_parser_warnings_trimmed_section_changelog | WARNING | The "Changelog" section is too long and was truncated. A maximum of 5000 characters is supported. | 1 |
| readme_parser_warnings_trimmed_short_description | WARNING | The "Short Description" section is too long and was truncated. A maximum of 150 characters is supported. | 1 |
Latest Snapshot
Findings
436
Errors
165
Warnings
271
Score History
First score snapshot
First scan completed Jun 19, 2026
v1.10.2 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v1.10.2
31
Latest
- Findings
- 436
- Errors
- 165
- Warnings
- 271
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 31 | 436 | 165 | 271 | v1.10.2 | 2.0.0 | 2026.06-mvp-static-v2 |
