A trustworthy message storage plugin for Contact Form 7.
Category Scores
Top Issues by Category
security193
maintainability49
Issues Details
243 issues found in latest scan
Processing form data without nonce verification.
Detected usage of a non-sanitized input variable: $_GET['contact_tag_id']
$_GET['contact_tag_id'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of meta_key, possible slow query.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Detected usage of meta_value, possible slow query.
Detected usage of a possibly undefined superglobal array index: $_POST['contact']. Check that the array index exists before using it.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "manage_flamingo_contact_posts_columns".
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$nonce_action".
Detected usage of tax_query, possible slow query.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Using exclusionary parameters, like exclude, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 85 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['contact_tag_id'] | 51 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['contact_tag_id'] not unslashed before sanitization. Use wp_unslash() or similar | 51 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 16 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 15 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_value | WARNING | Detected usage of meta_value, possible slow query. | 6 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_POST['contact']. Check that the array index exists before using it. | 6 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "manage_flamingo_contact_posts_columns". | 4 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$nonce_action". | 4 |
| WordPress.DB.SlowDBQuery.slow_db_query_tax_query | WARNING | Detected usage of tax_query, possible slow query. | 2 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 1 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 1 |
| WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_exclude | WARNING | Using exclusionary parameters, like exclude, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. | 1 |
Latest Snapshot
Findings
243
Errors
15
Warnings
228
Score History
First score snapshot
First scan completed Jun 19, 2026
v2.6.2 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v2.6.2
40
Latest
- Findings
- 243
- Errors
- 15
- Warnings
- 228
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 40 | 243 | 15 | 228 | v2.6.2 | 2.0.0 | 2026.06-mvp-static-v2 |
