WooCommerce Product Badge and Label, Sale Badge, Sold Out Badge, Countdown Timer, Notification Bar (PRO), Quick View, out-of-stock badge.
Category Scores
Top Issues by Category
maintainability67
security58
i18n6
Issues Details
135 issues found in latest scan
Use placeholders and $wpdb->prepare(); found interpolated variable $column at "SELECT $column FROM $this->table_name WHERE $column_where = %s LIMIT 1;"
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Processing form data without nonce verification.
Unescaped parameter $table_name used in $wpdb->get_var()\n$table_name assigned unsafely at line 8.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$output'.
Processing form data without nonce verification.
Replacement variables found, but no valid placeholders found in the query.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "woocommerce_add_to_cart_validation".
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$autoloader".
Resource version not set in call to wp_enqueue_style(). This means new versions of the style may not always be loaded due to browser caching.
Unescaped parameter $query used in $wpdb->get_var()\n$query assigned unsafely at line 140.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed.
Attempting a database schema change is discouraged.
Incorrect number of replacements passed to $wpdb->prepare(). Found 1 replacement parameters, expected 2.
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "$name".
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$id'.
Detected usage of a non-sanitized input variable: $_POST['quantity']
Use of the "translate()" function is reserved for low-level API usage.
The $text parameter must be a single text string literal. Found: $badge->badgeLabel
Mismatched text domain. Expected 'easy-sale-badges-for-woocommerce' but got 'labelTranslate'.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $column at "SELECT $column FROM $this->table_name WHERE $column_where = %s LIMIT 1;" | 27 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 21 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 17 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 16 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 7 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $table_name used in $wpdb->get_var()\n$table_name assigned unsafely at line 8. | 6 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$output'. | 4 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 4 |
| WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare | WARNING | Replacement variables found, but no valid placeholders found in the query. | 3 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "woocommerce_add_to_cart_validation". | 3 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$autoloader". | 3 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_style(). This means new versions of the style may not always be loaded due to browser caching. | 3 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $query used in $wpdb->get_var()\n$query assigned unsafely at line 140. | 2 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $query | 2 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 2 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 2 |
| PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFound | WARNING | load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed. | 1 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 1 |
| WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber | WARNING | Incorrect number of replacements passed to $wpdb->prepare(). Found 1 replacement parameters, expected 2. | 1 |
| WordPress.NamingConventions.PrefixAllGlobals.VariableConstantNameFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "$name". | 1 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$id'. | 1 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_POST['quantity'] | 1 |
| WordPress.WP.I18n.LowLevelTranslationFunction | WARNING | Use of the "translate()" function is reserved for low-level API usage. | 1 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: $badge->badgeLabel | 1 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'easy-sale-badges-for-woocommerce' but got 'labelTranslate'. | 1 |
Latest Snapshot
Findings
135
Errors
37
Warnings
98
Score History
First score snapshot
First scan completed
v7.2.2 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
v7.2.2
38
Latest
- Findings
- 135
- Errors
- 37
- Warnings
- 98
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 38 | 135 | 37 | 98 | v7.2.2 | 2.0.0 | 2026.06-mvp-static-v2 |
