Create and customize popups. Display messages, calls to action, promotions, or announcements to engage visitors and boost interaction.
Category Scores
Top Issues by Category
security: 490
maintainability: 286
Issues Details
874 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"<p><strong>$message</strong></p></div>"'. | 287 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$activityDates". | 146 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 41 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['cminds_action'] not unslashed before sanitization. Use wp_unslash() or similar | 38 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_FILES['importJSON'] | 36 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'cm-pop-up-banners' but got ''. | 31 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $postIn | 28 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 25 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching. | 22 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 22 |
| badly_named_files | ERROR | File and folder names must not contain spaces or special characters. | 17 |
| WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$config['abbrev'] . '_after_config'". | 15 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES['importJSON']['tmp_name']. Check that the array index exists before using it. | 15 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 15 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 12 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 12 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 11 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'. | 11 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "cm_popflyin_submenu_page". | 10 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 10 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $where used in $wpdb->get_results()\n$where assigned unsafely at line 1730. | 6 |
| WordPress.WP.AlternativeFunctions.rand_rand | ERROR | rand() is discouraged. Use the far less predictable wp_rand() instead. | 6 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 6 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 4 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $postIn used in $wpdb->get_results()\n$postIn assigned unsafely at line 1844. | 3 |
Latest Snapshot
Findings: 874
Errors: 466
Warnings: 408
Score History
First score snapshot
First scan completed
v1.8.6 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 24 | 874 | 466 | 408 | v1.8.6 | 2.0.0 | 2026.06-mvp-static-v2 |