Create and add rich content to your website for free. Some examples of what you get with H5P are Interactive Video, Quizzes, Collage and Timeline.
Category Scores
Top Issues by Category
maintainability335
i18n320
security259
Issues Details
945 issues found in latest scan
The $domain parameter must be a single text string literal. Found: $this->plugin_slug
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$additional_embed_head_tags'.
Use placeholders and $wpdb->prepare(); found interpolated variable $i at "ALTER TABLE `{$wpdb->prefix}{$table}` DROP INDEX `{$index}_$i`"
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Attempting a database schema change is discouraged.
unlink() is discouraged. Use wp_delete_file() to delete a file.
Detected usage of a possibly undefined superglobal array index: $_FILES['file']['name']. Check that the array index exists before using it.
Unescaped parameter $charset used in $wpdb->query()\n$charset assigned unsafely at line 573.
Processing form data without nonce verification.
Detected usage of a non-sanitized input variable: $_FILES['file']['name']
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Simple placeholders should not be quoted in the query string in $wpdb->prepare(). Found: '%s'.
Unescaped parameter $table used in $wpdb->get_results()\n$column used without escaping.
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
Function "register_rest_route()" requires WordPress 4.4.0, but your plugin minimum supported version is WordPress 3.8.1.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$field'.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: rmdir().
Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$d, %3$d, %4$d", but got "%s, %d, %d, %d" in 'Upgrade %s %d.%d.%d content'.
$_POST['libraries'] not unslashed before sanitization. Use wp_unslash() or similar
trigger_error() found. Debug code should not normally be used in production.
In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.WP.I18n.NonSingularStringLiteralDomain | ERROR | The $domain parameter must be a single text string literal. Found: $this->plugin_slug | 286 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 131 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 118 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 62 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$additional_embed_head_tags'. | 59 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $i at "ALTER TABLE `{$wpdb->prefix}{$table}` DROP INDEX `{$index}_$i`" | 33 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 29 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 25 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 20 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES['file']['name']. Check that the array index exists before using it. | 17 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $charset used in $wpdb->query()\n$charset assigned unsafely at line 573. | 16 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 15 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_FILES['file']['name'] | 15 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 14 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $content_id | 13 |
| WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder | ERROR | Simple placeholders should not be quoted in the query string in $wpdb->prepare(). Found: '%s'. | 10 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $table used in $wpdb->get_results()\n$column used without escaping. | 8 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 8 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "register_rest_route()" requires WordPress 4.4.0, but your plugin minimum supported version is WordPress 3.8.1. | 8 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$field'. | 7 |
| WordPress.WP.AlternativeFunctions.file_system_operations_rmdir | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: rmdir(). | 5 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$d, %3$d, %4$d", but got "%s, %d, %d, %d" in 'Upgrade %s %d.%d.%d content'. | 5 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_POST['libraries'] not unslashed before sanitization. Use wp_unslash() or similar | 4 |
| WordPress.PHP.DevelopmentFunctions.error_log_trigger_error | WARNING | trigger_error() found. Debug code should not normally be used in production. | 3 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 3 |
Latest Snapshot
Findings
945
Errors
565
Warnings
380
Score History
First score snapshot
First scan completed Jun 20, 2026
v1.17.8 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v1.17.8
23
Latest
- Findings
- 945
- Errors
- 565
- Warnings
- 380
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 23 | 945 | 565 | 380 | v1.17.8 | 2.0.0 | 2026.06-mvp-static-v2 |
