HashBar – Announcement, Notification Bar & Popup Campaign

Create Announcement Bars, Notification Bars & Popup Campaigns with countdown timers, A/B testing, smart targeting & analytics.

v1.9.9DevItemsUpdated Added 8k+ installs86% rating0% support resolved
25
Score
2,718
Errors
610
Warnings
+0
Change

Category Scores

Security0
Repo100
Performance96
Maintainability0

Issues to Review

Prioritized issue groups from the latest Plugin Check scan

3,328 findings

I18n

2,401

4 issue groups

Security

468

10 issue groups

Maintainability

430

10 issue groups

Performance

4

1 issue group

ERRORI18nText Domain MismatchMismatched text domain. Expected 'hashbar-wp-notification-bar' but got 'csf'.2,382
Category
I18n
Occurrences
2,382
Severity
error

Sample message

Mismatched text domain. Expected 'hashbar-wp-notification-bar' but got 'csf'.

ERRORSecurityOutput is not escapedAll output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$args[$property.'_icon']'.253
Category
Security
Occurrences
253
Severity
error

Sample message

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$args[$property.'_icon']'.

WARNINGMaintainabilityNon-prefixed global variableGlobal variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$activate".109
Category
Maintainability
Occurrences
109
Severity
warning

Sample message

Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$activate".

WARNINGMaintainabilityNon-prefixed hook nameHook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "csf_chosen_ajax_capability".75
Category
Maintainability
Occurrences
75
Severity
warning

Sample message

Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "csf_chosen_ajax_capability".

WARNINGMaintainabilityDirect QueryUse of a direct database call is discouraged.63
Category
Maintainability
Occurrences
63
Severity
warning

Sample message

Use of a direct database call is discouraged.

WARNINGMaintainabilityNo CachingDirect database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().63
Category
Maintainability
Occurrences
63
Severity
warning

Sample message

Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().

WARNINGMaintainabilityNon-prefixed classClasses declared by a theme/plugin should start with the theme/plugin prefix. Found: "CSF".62
Category
Maintainability
Occurrences
62
Severity
warning

Sample message

Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "CSF".

WARNINGSecurityInterpolated SQL is not preparedUse placeholders and $wpdb->prepare(); found interpolated variable $post_id at "SELECT meta_key, meta_value FROM $wpdb->postmeta WHERE post_id=$post_id"52
Category
Security
Occurrences
52
Severity
warning

Sample message

Use placeholders and $wpdb->prepare(); found interpolated variable $post_id at "SELECT meta_key, meta_value FROM $wpdb->postmeta WHERE post_id=$post_id"

WARNINGSecurityRequest data is not unslashed$_COOKIE['keep_closed_bar_' . $post_id] not unslashed before sanitization. Use wp_unslash() or similar43
Category
Security
Occurrences
43
Severity
warning

Sample message

$_COOKIE['keep_closed_bar_' . $post_id] not unslashed before sanitization. Use wp_unslash() or similar

WARNINGSecurityInput is not sanitizedDetected usage of a non-sanitized input variable: $_COOKIE['keep_closed_bar_' . $post_id]36
Category
Security
Occurrences
36
Severity
warning

Sample message

Detected usage of a non-sanitized input variable: $_COOKIE['keep_closed_bar_' . $post_id]

Show 15 more
WARNINGSecurityDatabase parameter is not escaped25
Category
Security
Occurrences
25
Severity
warning

Sample message

Unescaped parameter $table used in $wpdb->get_results()

WARNINGMaintainabilityNon-prefixed function22
Category
Maintainability
Occurrences
22
Severity
warning

Sample message

Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "csf_array_search".

WARNINGSecurityNonce verification recommended22
Category
Security
Occurrences
22
Severity
warning

Sample message

Processing form data without nonce verification.

ERRORMaintainabilityMissing direct file access protection18
Category
Maintainability
Occurrences
18
Severity
error

Sample message

PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;

ERRORSecuritySQL query is not prepared13
Category
Security
Occurrences
13
Severity
error

Sample message

Use placeholders and $wpdb->prepare(); found $countrywise_traking_query

ERRORSecurityDatabase parameter is not escaped11
Category
Security
Occurrences
11
Severity
error

Sample message

Unescaped parameter $countrywise_traking_query used in $wpdb->get_results()\n$countrywise_traking_query assigned unsafely at line 37.

ERRORI18nMissing Arg Domain9
Category
I18n
Occurrences
9
Severity
error

Sample message

Missing $domain parameter in function call to __().

WARNINGSecurityMissing nonce verification8
Category
Security
Occurrences
8
Severity
warning

Sample message

Processing form data without nonce verification.

ERRORMaintainabilitywp function not compatible with requires wp8
Category
Maintainability
Occurrences
8
Severity
error

Sample message

Function "register_block_pattern()" requires WordPress 5.5.0, but your plugin minimum supported version is WordPress 5.0.0.

ERRORI18nMissing Translators Comment6
Category
I18n
Occurrences
6
Severity
error

Sample message

A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.

ERRORMaintainabilityOffloaded Content5
Category
Maintainability
Occurrences
5
Severity
error

Sample message

Found call to wp_enqueue_script() with external resource. Offloading scripts to your servers or any remote service is disallowed.

WARNINGSecurityInput is not validated5
Category
Security
Occurrences
5
Severity
warning

Sample message

Detected usage of a possibly undefined superglobal array index: $_POST['clicked']. Check that the array index exists before using it.

WARNINGMaintainabilityMissing Version5
Category
Maintainability
Occurrences
5
Severity
warning

Sample message

Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching.

ERRORI18nUnordered Placeholders Text4
Category
I18n
Occurrences
4
Severity
error

Sample message

Multiple placeholders in translatable strings should be ordered. Expected "%1$.4f, %2$.1f", but got "%.4f, %.1f" in 'Not significant (p=%.4f, %.1f%% confidence)'.

WARNINGPerformancePost Not In exclude4
Category
Performance
Occurrences
4
Severity
warning

Sample message

Using exclusionary parameters, like exclude, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information.

External Connections

Potential connections found in static code analysis.

25 domains

Outbound calls

92

External assets

4

Incoming endpoints

66

Notable Domains

wphashbar.com16 · outbound
ip-api.com9 · outbound
hasthemes.com6 · outbound
youtube.com3 · outbound
feed.hasthemes.com2 · outbound

Platform / Reference Domains

w3.org13 · platform/reference
github.com11 · platform/reference
wordpress.org2 · platform/reference
gnu.org1 · platform/reference

External Asset Domains

cdn.jsdelivr.net7 · asset + outbound

Incoming Endpoints

/wp-json/hashbar/v1/announcement-bars/(?P<id>\d+)REST

register_rest_route

/wp-json/hashbar/v1/popup-campaigns/(?P<id>\d+)REST

register_rest_route

/wp-json/hashbar/v1/announcement-barsREST

register_rest_route

/wp-json/hashbar/v1/notifications/(?P<id>\d+)REST

register_rest_route

/wp-json/hashbar/v1/popup-campaignsREST

register_rest_route

/wp-json/hashbar/v1/ab-test/stats/(?P<bar_id>\d+)REST

register_rest_route

Admin AJAX endpoints12
wp_ajax_csf_authenticated

wp_ajax

wp_ajax_csf-chosenauthenticated

wp_ajax

wp_ajax_csf-exportauthenticated

wp_ajax

wp_ajax_csf-get-iconsauthenticated

wp_ajax

wp_ajax_csf-get-shortcode-authenticated

wp_ajax

wp_ajax_csf-importauthenticated

wp_ajax

wp_ajax_csf-resetauthenticated

wp_ajax

wp_ajax_hashbar_analyticsauthenticated

wp_ajax

wp_ajax_hashbar_diagnostic_dataauthenticated

wp_ajax

wp_ajax_hashbar_get_pages_postsauthenticated

wp_ajax

wp_ajax_hashbar_noticesauthenticated

wp_ajax

wp_ajax_hashbar_plugin_deactivation_feedbackauthenticated

wp_ajax

Score History

2 score snapshots

+0
1007550250Jun 20, 2026, 11:38 PM UTC Score 25/100 Plugin v1.9.8 Plugin Check 2.0.0 2,718 errors, 610 warningsJul 2, 2026, 10:31 AM UTC Score 25/100 Plugin v1.9.9 Plugin Check 2.0.0 2,718 errors, 610 warningsJun 20, 2026Jul 2, 2026

v1.9.9

25

Latest

Findings
3,328
Errors
2,718
Warnings
610
Check
2.0.0

v1.9.8

25

Score

Findings
3,328
Errors
2,718
Warnings
610
Check
2.0.0

Relationship Map

Author, categories, issues, domains, and nearby plugins.

37 nodes

Related Plugins

Sticky Banner

700 active installs

91
Easy Notification Bar

9k+ active installs

87
WP Notification Bars

10k+ active installs

67