XML Sitemaps

File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable().

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '__'.

Unescaped parameter $sql used in $wpdb->get_results($sql)\n$sql assigned unsafely at line 254:\n $sql = "\n\t\t\tSELECT\tposts.ID,\n\t\t\t\t\tposts.post_author,\n\t\t\t\t\tposts.post_name,\n\t\t\t\t\tposts.post_type,\n\t\t\t\t\tposts.post_status,\n\t\t\t\t\tposts.post_parent,\n\t\t\t\t\tposts.post_date,\n\t\t\t\t\tposts.post_modified,\n\t\t\t\t\tCAST(posts.post_modified AS DATE) as lastmod,\n\t\t\t\t\tCASE COUNT(DISTINCT CAST(revisions.post_date AS DATE))\n\t\t\t\t\tWHEN 0\n\t\t\t\t\tTHEN\n\t\t\t\t\t\t0\n\t\t\t\t\tELSE\n\t\t\t\t\t\tDATEDIFF(CAST(NOW() AS DATE), CAST(posts.post_date AS DATE))\n\t\t\t\t\t\t/ COUNT(DISTINCT CAST(revisions.post_date AS DATE))\n\t\t\t\t\tEND as changefreq,\n\t\t\t\t\tCASE\n\t\t\t\t\tWHEN posts.post_parent = 0 OR COALESCE(COUNT(DISTINCT children.ID), 0) <> 0\n\t\t\t\t\tTHEN\n\t\t\t\t\t\t.4\n\t\t\t\t\tELSE\n\t\t\t\t\t\t.8\n\t\t\t\t\tEND as priority\n\t\t\tFROM\t$wpdb->posts as posts\n\t\t\tLEFT JOIN $wpdb->posts as revisions\n\t\t\tON\t\trevisions.post_parent = posts.ID\n\t\t\tAND\t\trevisions.post_type = 'revision'\n\t\t\tAND\t\tDATEDIFF(CAST(revisions.post_date AS DATE), CAST(posts.post_date AS DATE)) > 2\n\t\t\tAND\t\tDATE_SUB(CAST(NOW() AS DATE), INTERVAL 1 YEAR) < CAST(revisions.post_date AS DATE)\n\t\t\tLEFT JOIN $wpdb->posts as children\n\t\t\tON\t\tchildren.post_parent = posts.ID\n\t\t\tAND\t\tchildren.post_type = 'page'\n\t\t\tAND\t\tchildren.post_status = 'publish'\n\t\t\tLEFT JOIN $wpdb->postmeta as redirect_url\n\t\t\tON\t\tredirect_url.post_id = posts.ID\n\t\t\tAND\t\tredirect_url.meta_key = '_redirect_url'\n\t\t\tLEFT JOIN $wpdb->postmeta as widgets_exclude\n\t\t\tON\t\twidgets_exclude.post_id = posts.ID\n\t\t\tAND\t\twidgets_exclude.meta_key = '_widgets_exclude'\n\t\t\tLEFT JOIN $wpdb->postmeta as widgets_exception\n\t\t\tON\t\twidgets_exception.post_id = posts.ID\n\t\t\tAND\t\twidgets_exception.meta_key = '_widgets_exception'\n\t\t\tWHERE\tposts.post_type = 'page'\n\t\t\tAND\t\tposts.post_status = 'publish'\n\t\t\tAND\t\tposts.post_password = ''\n\t\t\tAND\t\tredirect_url.post_id IS NULL\n\t\t\tAND\t\t( widgets_exclude.post_id IS NULL OR widgets_exception.post_id IS NOT NULL )"\n\t\t . ( ! empty( $exclude )\n\t\t\t\t? " AND posts.ID NOT IN ({$exclude}) "\n\t\t\t\t: "" )\n\t\t . ( $this->front_page_id\n\t\t\t\t? "\n\t\t\tAND\t\tposts.ID <> $this->front_page_id\n\t\t\t\t"\n\t\t\t\t: ''\n\t\t )\n\t\t . ( $this->blog_page_id\n\t\t\t\t? "\n\t\t\tAND\t\tposts.ID <> $this->blog_page_id\n\t\t\t\t"\n\t\t\t\t: ''\n\t\t ) . "\n\t\t\tGROUP BY posts.ID\n\t\t\tORDER BY posts.post_parent, posts.ID\n\t\t\t"

Use placeholders and $wpdb->prepare(); found $sql

Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "the_permalink".

File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: rmdir().

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '__'.

Unescaped parameter $sql used in $wpdb->get_results($sql)\n$sql assigned unsafely at line 352:\n $sql = "\n\t\t\tSELECT\tposts.ID,\n\t\t\t\t\tposts.post_author,\n\t\t\t\t\tposts.post_name,\n\t\t\t\t\tposts.post_type,\n\t\t\t\t\tposts.post_status,\n\t\t\t\t\tposts.post_parent,\n\t\t\t\t\tposts.post_date,\n\t\t\t\t\tposts.post_modified,\n\t\t\t\t\tCAST(posts.post_modified AS DATE) as lastmod,\n\t\t\t\t\tCASE COUNT(DISTINCT CAST(revisions.post_date AS DATE))\n\t\t\t\t\tWHEN 0\n\t\t\t\t\tTHEN\n\t\t\t\t\t\t0\n\t\t\t\t\tELSE\n\t\t\t\t\t\tDATEDIFF(CAST(NOW() AS DATE), CAST(posts.post_date AS DATE))\n\t\t\t\t\t\t/ COUNT(DISTINCT CAST(revisions.post_date AS DATE))\n\t\t\t\t\tEND as changefreq\n\t\t\tFROM\t$wpdb->posts as posts\n\t\t\tLEFT JOIN $wpdb->posts as revisions\n\t\t\tON\t\trevisions.post_parent = posts.ID\n\t\t\tAND\t\trevisions.post_type = 'revision'\n\t\t\tAND\t\tDATEDIFF(CAST(revisions.post_date AS DATE), CAST(posts.post_date AS DATE)) > 2\n\t\t\tAND\t\tDATE_SUB(CAST(NOW() AS DATE), INTERVAL 1 YEAR) < CAST(revisions.post_date AS DATE)\n\t\t\tLEFT JOIN $wpdb->postmeta as redirect_url\n\t\t\tON\t\tredirect_url.post_id = posts.ID\n\t\t\tAND\t\tredirect_url.meta_key = '_redirect_url'\n\t\t\tLEFT JOIN $wpdb->postmeta as widgets_exclude\n\t\t\tON\t\twidgets_exclude.post_id = posts.ID\n\t\t\tAND\t\twidgets_exclude.meta_key = '_widgets_exclude'\n\t\t\tLEFT JOIN $wpdb->postmeta as widgets_exception\n\t\t\tON\t\twidgets_exception.post_id = posts.ID\n\t\t\tAND\t\twidgets_exception.meta_key = '_widgets_exception'\n\t\t\tWHERE\tposts.post_type = '$post_type'\n\t\t\tAND\t\tposts.post_status = 'publish'\n\t\t\tAND\t\tposts.post_password = ''\n\t\t\tAND\t\tredirect_url.post_id IS NULL\n\t\t\tAND\t\t( widgets_exclude.post_id IS NULL OR widgets_exception.post_id IS NOT NULL )"\n\t\t . ( ! empty( $exclude )\n\t\t\t\t? " AND posts.ID NOT IN ({$exclude}) "\n\t\t\t\t: "" )\n\t\t . "GROUP BY posts.ID\n\t\t\tORDER BY posts.post_parent, posts.ID\n\t\t\t"\n$exclude used without escaping.

Use placeholders and $wpdb->prepare(); found $sql

Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "the_permalink".