WhatsApp, Facebook and Instagram help you reach more customers and drive sales with the official Meta for WooCommerce plugin.
Category Scores
Top Issues by Category
maintainability177
security71
performance2
repo_compliance1
Issues Details
252 issues found in latest scan
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "fbe_webhook".
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Could not open temp file for writing: {$temp_file_path}"'.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "AbstractFeed::FEED_GEN_COMPLETE_ACTION . $this->feed_name".
Detected usage of a non-sanitized input variable: $_COOKIE['_fbp']
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "WC_Facebook_Loader".
Function "str_contains()" requires WordPress 5.9.0, but your plugin minimum supported version is WordPress 5.6.0.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$$superglobal".
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'wc_help_tip'.
Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information.
Plugin Updater detected. Detected code which may be altering WordPress update routines. Detected: _site_transient_update_plugins
load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed.
Unescaped parameter $query used in $wpdb->get_col()\n$query assigned unsafely at line 596.
The "/vendor" directory using composer exists, but "composer.json" file is missing.
Missing "License" in Plugin Header. Please update your Plugin Header with a valid GPLv2 (or later) compatible license.
Plugin Updater detected. These are not permitted in WordPress.org hosted plugins. Detected: site_transient_update_plugins
Mismatched Stable Tag: 3.7.0 != 3.7.1. Your Stable Tag is meant to be the stable version of your plugin and it needs to be exactly the same with the Version in your main plugin file's header. Any mismatch can prevent users from downloading the correct plugin files from WordPress.org.
The plugin slug includes a restricted term. Your plugin slug - "facebook-for-woocommerce" - contains the restricted term "facebook" which cannot be used at all in your plugin slug.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "fbe_webhook". | 100 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Could not open temp file for writing: {$temp_file_path}"'. | 52 |
| WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "AbstractFeed::FEED_GEN_COMPLETE_ACTION . $this->feed_name". | 17 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE['_fbp'] | 16 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 15 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 14 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "WC_Facebook_Loader". | 13 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "str_contains()" requires WordPress 5.9.0, but your plugin minimum supported version is WordPress 5.6.0. | 4 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$$superglobal". | 3 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 3 |
| PluginCheck.CodeAnalysis.Heredoc.NotAllowed | ERROR | Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead | 2 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'wc_help_tip'. | 2 |
| WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in | WARNING | Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. | 2 |
| update_modification_detected | WARNING | Plugin Updater detected. Detected code which may be altering WordPress update routines. Detected: _site_transient_update_plugins | 2 |
| PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFound | WARNING | load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed. | 1 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $query used in $wpdb->get_col()\n$query assigned unsafely at line 596. | 1 |
| missing_composer_json_file | WARNING | The "/vendor" directory using composer exists, but "composer.json" file is missing. | 1 |
| plugin_header_no_license | ERROR | Missing "License" in Plugin Header. Please update your Plugin Header with a valid GPLv2 (or later) compatible license. | 1 |
| plugin_updater_detected | ERROR | Plugin Updater detected. These are not permitted in WordPress.org hosted plugins. Detected: site_transient_update_plugins | 1 |
| stable_tag_mismatch | ERROR | Mismatched Stable Tag: 3.7.0 != 3.7.1. Your Stable Tag is meant to be the stable version of your plugin and it needs to be exactly the same with the Version in your main plugin file's header. Any mismatch can prevent users from downloading the correct plugin files from WordPress.org. | 1 |
| trademarked_term | WARNING | The plugin slug includes a restricted term. Your plugin slug - "facebook-for-woocommerce" - contains the restricted term "facebook" which cannot be used at all in your plugin slug. | 1 |
Latest Snapshot
Findings
252
Errors
66
Warnings
186
Score History
First score snapshot
First scan completed Jun 19, 2026
v3.7.1 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v3.7.1
34
Latest
- Findings
- 252
- Errors
- 66
- Warnings
- 186
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 34 | 252 | 66 | 186 | v3.7.1 | 2.0.0 | 2026.06-mvp-static-v2 |
