Add PHP code to your pages and posts easily using shortcodes.
Category Scores
Top Issues by Category
- security: 285
- maintainability: 102
Issues Details
391 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$after_title'. | 147 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 44 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 42 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['xyz_ips_msg'] not unslashed before sanitization. Use wp_unslash() or similar | 37 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['action']. Check that the array index exists before using it. | 35 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['xyz_ips_msg'] | 28 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 21 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 6 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 6 |
| Generic.PHP.ForbiddenFunctions.Found | ERROR | The use of function eval() is forbidden | 4 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $field at "SELECT * FROM {$wpdb->prefix}xyz_ips_short_code WHERE title LIKE %s {$strInsertionMethod} ORDER BY $field $order LIMIT %d, %d" | 4 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 3 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $field used in $wpdb->get_results(); $field assigned unsafely at line 195. | 2 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $query | 2 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 2 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 2 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to _e(). | 2 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $table_name used in $wpdb->get_results(); $table_name assigned unsafely at line 11. | 1 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_register_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 1 |
| readme_parser_warnings_requires_header_ignored | WARNING | The "Requires at least" field was ignored. This field should only contain a valid WordPress version such as "7.0" or "6.9". | 1 |
| readme_parser_warnings_too_many_tags | WARNING | One or more tags were ignored. Please limit your plugin to 5 tags. | 1 |
Latest Snapshot
- Findings: 391
- Errors: 164
- Warnings: 227

Score History
- First score snapshot (first scan completed): v1.4.6 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2 · score 38
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 38 | 391 | 164 | 227 | v1.4.6 | 2.0.0 | 2026.06-mvp-static-v2 |