A straight-forward multilingual plugin. No more double-digit custom DB tables or hidden HTML comments that could cause you headaches later on.
Category Scores
Top Issues by Category
security112
maintainability50
performance6
Issues Details
169 issues found in latest scan
$_GET['action'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a non-sanitized input variable: $_GET['action']
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Processing form data without nonce verification.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "get_the_excerpt".
Detected usage of a possibly undefined superglobal array index: $_REQUEST['page']. Check that the array index exists before using it.
Processing form data without nonce verification.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Use placeholders and $wpdb->prepare(); found interpolated variable $in_string at "SELECT ID, post_name, post_parent FROM %i LEFT JOIN %i AS postmeta ON ID = postmeta.post_id AND meta_key = '_locale' WHERE post_name IN ($in_string) AND (post_type = %s OR post_type = 'attachment') AND (meta_value LIKE %s OR meta_id IS NULL)"
Using exclusionary parameters, like exclude, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information.
Unescaped parameter $in_string used in $wpdb->get_results()\n$in_string assigned unsafely at line 224.
Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information.
Detected usage of meta_key, possible slow query.
Detected usage of meta_value, possible slow query.
In footer ($in_footer) is not set explicitly wp_register_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header.
The "Plugin Name" header in the plugin file is not valid. It needs to contain at least 5 latin letters (a-Z) and/or numbers. This is necessary because the initial plugin slug is generated from the name.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['action'] not unslashed before sanitization. Use wp_unslash() or similar | 34 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['action'] | 33 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 27 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 24 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "get_the_excerpt". | 10 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_REQUEST['page']. Check that the array index exists before using it. | 8 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 7 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 5 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 5 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $in_string at "SELECT ID, post_name, post_parent FROM %i LEFT JOIN %i AS postmeta ON ID = postmeta.post_id AND meta_key = '_locale' WHERE post_name IN ($in_string) AND (post_type = %s OR post_type = 'attachment') AND (meta_value LIKE %s OR meta_id IS NULL)" | 4 |
| WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_exclude | WARNING | Using exclusionary parameters, like exclude, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. | 4 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $in_string used in $wpdb->get_results()\n$in_string assigned unsafely at line 224. | 2 |
| WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in | WARNING | Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. | 2 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 1 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_value | WARNING | Detected usage of meta_value, possible slow query. | 1 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_register_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 1 |
| plugin_header_unsupported_plugin_name | ERROR | The "Plugin Name" header in the plugin file is not valid. It needs to contain at least 5 latin letters (a-Z) and/or numbers. This is necessary because the initial plugin slug is generated from the name. | 1 |
Latest Snapshot
Findings
169
Errors
30
Warnings
139
Score History
First score snapshot
First scan completed Jun 20, 2026
v3.9.2 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v3.9.2
39
Latest
- Findings
- 169
- Errors
- 30
- Warnings
- 139
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 39 | 169 | 30 | 139 | v3.9.2 | 2.0.0 | 2026.06-mvp-static-v2 |
