All-in-one Syntax Highlighting solution. Full Gutenberg and Classic Editor integration. Graphical theme customizer. Based on EnlighterJS.
Category Scores
Top Issues by Category
security: 39
maintainability: 10
i18n: 7
repo_compliance: 3
supply_chain: 1
Issues Details
60 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$attb'. | 34 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 4 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 4 |
| Internal.LineEndings.Mixed | WARNING | File has mixed line endings; this may cause incorrect results | 3 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writeable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writeable(). | 2 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 2 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'enlighter' but got 'enligther'. | 2 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_chmod | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: chmod(). | 1 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 1 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: 'The cache-directory <code>'. $this->_cacheManager->getCachePath(). '</code> is not writable! Please change the directory permission (chmod <code>0774</code> or <code>0777</code>) to use the ThemeCustomizer (the generated stylesheets are stored there). - <a href="'.admin_url('admin.php?page=Enlighter').'&cache-permission-fix=true">Autoset Permissions</a>' | 1 |
| hidden_files | ERROR | Hidden files are not permitted. | 1 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 1 |
| outdated_tested_upto_header | ERROR | Tested up to: 6.9 < 7.0. The "Tested up to" value in your plugin is not set to the current version of WordPress. This means your plugin will not show up in searches, as we require plugins to be compatible and documented as tested up to the most recent version of WordPress. | 1 |
| readme_parser_warnings_too_many_tags | WARNING | One or more tags were ignored. Please limit your plugin to 5 tags. | 1 |
| readme_parser_warnings_trimmed_section_changelog | WARNING | The "Changelog" section is too long and was truncated. A maximum of 5000 characters is supported. | 1 |
Latest Snapshot
Findings: 60
Errors: 50
Warnings: 10
Score History
First score snapshot
First scan completed
v4.7.0 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 35 | 60 | 50 | 10 | v4.7.0 | 2.0.0 | 2026.06-mvp-static-v2 |