PluginScore

The Innovative Form Builder – IvyForms

The most innovative WordPress Form Builder plugin. Build awesome contact, order, registration, custom forms, and more in minutes.

v1.2Melograno Venture StudioUpdated Added 400 installs100% rating100% support resolved
WP Formscontact formcustom formformform builder
22
Score
713
Errors
250
Warnings
+0
Change

Category Scores

Security0
Repo83
Performance100
Maintainability0

Issues to Review

Prioritized issue groups from the latest Plugin Check scan

963 findings

Security

671

10 issue groups

Maintainability

228

12 issue groups

I18n

36

2 issue groups

Supply Chain

3

1 issue group

ERRORSecurityException output is not escapedAll output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Circular dependency detected while trying to resolve entry '{$entryName}'"'.374
Category
Security
Occurrences
374
Severity
error

Sample message

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Circular dependency detected while trying to resolve entry '{$entryName}'"'.

WordPress.Security.EscapeOutput.ExceptionNotEscapedReference
ERRORSecuritySQL query is not preparedUse placeholders and $wpdb->prepare(); found $alterQuery183
Category
Security
Occurrences
183
Severity
error

Sample message

Use placeholders and $wpdb->prepare(); found $alterQuery

WordPress.DB.PreparedSQL.NotPrepared
ERRORMaintainabilitywp function not compatible with requires wpFunction "array_is_list()" requires WordPress 6.5.0, but your plugin minimum supported version is WordPress 5.0.0.47
Category
Maintainability
Occurrences
47
Severity
error

Sample message

Function "array_is_list()" requires WordPress 6.5.0, but your plugin minimum supported version is WordPress 5.0.0.

wp_function_not_compatible_with_requires_wpReference
WARNINGMaintainabilityerror log error logerror_log() found. Debug code should not normally be used in production.40
Category
Maintainability
Occurrences
40
Severity
warning

Sample message

error_log() found. Debug code should not normally be used in production.

WordPress.PHP.DevelopmentFunctions.error_log_error_log
WARNINGMaintainabilityDirect QueryUse of a direct database call is discouraged.31
Category
Maintainability
Occurrences
31
Severity
warning

Sample message

Use of a direct database call is discouraged.

WordPress.DB.DirectDatabaseQuery.DirectQuery
WARNINGMaintainabilityNo CachingDirect database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().31
Category
Maintainability
Occurrences
31
Severity
warning

Sample message

Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().

WordPress.DB.DirectDatabaseQuery.NoCaching
ERRORI18nNon Singular String Literal TextThe $text parameter must be a single text string literal. Found: 'Add a new field to an existing IvyForms form. ' .\n 'Supported types: text, textarea, email, number, phone, website, name, radio, checkbox, ' .\n 'select, multi-select, address, date, time, rating, html, slider, file-upload, gdpr, ' .\n 'product, quantity, total. ' .\n 'When IvyForms Pro is active, password, signature, date_time, likert, nps, and rich_text ' .\n 'are also supported. ' .\n 'After adding a field, use open-form-builder to let the user see and configure. ' .\n 'For multipage forms (Pro), pass pageId (e.g. page_1) to place the field on a specific page.'31
Category
I18n
Occurrences
31
Severity
error

Sample message

The $text parameter must be a single text string literal. Found: 'Add a new field to an existing IvyForms form. ' .\n 'Supported types: text, textarea, email, number, phone, website, name, radio, checkbox, ' .\n 'select, multi-select, address, date, time, rating, html, slider, file-upload, gdpr, ' .\n 'product, quantity, total. ' .\n 'When IvyForms Pro is active, password, signature, date_time, likert, nps, and rich_text ' .\n 'are also supported. ' .\n 'After adding a field, use open-form-builder to let the user see and configure. ' .\n 'For multipage forms (Pro), pass pageId (e.g. page_1) to place the field on a specific page.'

WordPress.WP.I18n.NonSingularStringLiteralTextReference
WARNINGSecurityInterpolated SQL is not preparedUse placeholders and $wpdb->prepare(); found interpolated variable $placeholders at " WHERE $this->table.id IN ($placeholders) ORDER BY $this->table.position ASC"30
Category
Security
Occurrences
30
Severity
warning

Sample message

Use placeholders and $wpdb->prepare(); found interpolated variable $placeholders at " WHERE $this->table.id IN ($placeholders) ORDER BY $this->table.position ASC"

WordPress.DB.PreparedSQL.InterpolatedNotPrepared
WARNINGSecurityDatabase parameter is not escapedUnescaped parameter $alterQuery used in $wpdb->query()\n$alterQuery assigned unsafely at line 48.26
Category
Security
Occurrences
26
Severity
warning

Sample message

Unescaped parameter $alterQuery used in $wpdb->query()\n$alterQuery assigned unsafely at line 48.

PluginCheck.Security.DirectDB.UnescapedDBParameter
ERRORSecurityDatabase parameter is not escapedUnescaped parameter $alterQuery used in $wpdb->query()\n$alterQuery assigned unsafely at line 33.25
Category
Security
Occurrences
25
Severity
error

Sample message

Unescaped parameter $alterQuery used in $wpdb->query()\n$alterQuery assigned unsafely at line 33.

PluginCheck.Security.DirectDB.UnescapedDBParameter
Show 15 more
WARNINGMaintainabilityerror log var export23
Category
Maintainability
Occurrences
23
Severity
warning

Sample message

var_export() found. Debug code should not normally be used in production.

WordPress.PHP.DevelopmentFunctions.error_log_var_export
WARNINGMaintainabilityNon-prefixed global variable21
Category
Maintainability
Occurrences
21
Severity
warning

Sample message

Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$__composer_autoload_files".

WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
ERRORSecurityOutput is not escaped12
Category
Security
Occurrences
12
Severity
error

Sample message

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$customCssClass'.

WordPress.Security.EscapeOutput.OutputNotEscapedReference
ERRORMaintainabilityMissing direct file access protection11
Category
Maintainability
Occurrences
11
Severity
error

Sample message

PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;

missing_direct_file_access_protectionReference
WARNINGMaintainabilityNon-prefixed global symbol10
Category
Maintainability
Occurrences
10
Severity
warning

Sample message

The "ivyforms/delete" prefix is not a valid namespace/function/class/variable/constant prefix in PHP.

WordPress.NamingConventions.PrefixAllGlobals.InvalidPrefixPassed
WARNINGSecurityUnfinished Prepare7
Category
Security
Occurrences
7
Severity
warning

Sample message

Replacement variables found, but no valid placeholders found in the query.

WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare
WARNINGSecurityNonce verification recommended5
Category
Security
Occurrences
5
Severity
warning

Sample message

Processing form data without nonce verification.

WordPress.Security.NonceVerification.Recommended
WARNINGSecurityInput is not sanitized5
Category
Security
Occurrences
5
Severity
warning

Sample message

Detected usage of a non-sanitized input variable: $_ENV[$variableName]

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
ERRORI18nMissing Translators Comment5
Category
I18n
Occurrences
5
Severity
error

Sample message

A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.

WordPress.WP.I18n.MissingTranslatorsCommentReference
ERRORMaintainabilityShort PHP open tag found4
Category
Maintainability
Occurrences
4
Severity
error

Sample message

Short PHP opening tag used with echo; expected "<?php echo $methodContent ..." but found "<?= $methodContent ..."

Generic.PHP.DisallowShortOpenTag.EchoFound
WARNINGSecurityRequest data is not unslashed4
Category
Security
Occurrences
4
Severity
warning

Sample message

$_GET[&#039;_wpNonce&#039;] not unslashed before sanitization. Use wp_unslash() or similar

WordPress.Security.ValidatedSanitizedInput.MissingUnslash
ERRORMaintainabilityunlink unlink4
Category
Maintainability
Occurrences
4
Severity
error

Sample message

unlink() is discouraged. Use wp_delete_file() to delete a file.

WordPress.WP.AlternativeFunctions.unlink_unlink
WARNINGMaintainabilitySchema Change3
Category
Maintainability
Occurrences
3
Severity
warning

Sample message

Attempting a database schema change is discouraged.

WordPress.DB.DirectDatabaseQuery.SchemaChange
ERRORMaintainabilityfile system operations chmod3
Category
Maintainability
Occurrences
3
Severity
error

Sample message

File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: chmod().

WordPress.WP.AlternativeFunctions.file_system_operations_chmod
ERRORSupply ChainHidden files included3
Category
Supply Chain
Occurrences
3
Severity
error

Sample message

Hidden files are not permitted.

hidden_files

External Connections

Potential connections found in static code analysis.

23 domains

Outbound calls

75

External assets

0

Incoming endpoints

2

Notable Domains

json-schema.org17 · outbound
ivyforms.com8 · outbound
php-fig.org4 · outbound
modelcontextprotocol.io3 · outbound
php-di.org3 · outbound
challenges.cloudflare.com2 · outbound

Platform / Reference Domains

github.com10 · platform/reference
w3.org5 · platform/reference
developer.wordpress.org4 · platform/reference
gnu.org3 · platform/reference
wordpress.org1 · platform/reference

External Asset Domains

No external asset domains detected.

Incoming Endpoints

wp_ajax_nopriv_ivyforms_apipublic

wp_ajax

Admin AJAX endpoints1
wp_ajax_ivyforms_apiauthenticated

wp_ajax

Score History

First score snapshot

v1.2

22

Latest

Findings
963
Errors
713
Warnings
250
Check
2.0.0

Relationship Map

Author, categories, issues, domains, and nearby plugins.

37 nodes

Related

Akismet Anti-spam: Spam Protection35 scoreYoast SEO – Advanced SEO with real-time guidance and built-in AI24 scoreWooCommerce22 scoreWordfence Security – Firewall, Malware Scan, and Login Security21 scoreSite Kit by Google – Analytics, Search Console, AdSense, Speed25 scoreAll-in-One WP Migration and Backup34 scoreWP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin30 scoreRank Math SEO – AI SEO Tools to Dominate SEO Rankings31 scoreJetpack – WP Security, Backup, Speed, & Growth23 scoreContact Form 769 scoreWPForms – AI Form Builder for WordPress – Contact Forms, Payment Forms, Survey Form, Quiz & More32 scoreMC4WP: Mailchimp for WordPress57 scoreFluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder22 scoreForminator Forms – Contact Form, Payment Form & Custom Form Builder24 score

Related Plugins

Add Password Field for Contact Form 7

3k+ active installs

100
Contact Form Query

1k+ active installs

100
Style Contact Form 7

1k+ active installs

100
WS Form LITE – Drag & Drop Contact Form Builder

10k+ active installs

100
ACF Field For CF7

10k+ active installs

99
Connect Elementor Forms to Google Sheets Addon

800 active installs

99