Create JSON Web Token Authentication in WordPress.
Category Scores
Top Issues by Category
security18
maintainability11
supply_chain1
repo_compliance1
Issues Details
32 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$output'.
Detected usage of a non-sanitized input variable: $_COOKIE['refresh_token']
Detected usage of a possibly undefined superglobal array index: $_SERVER['REQUEST_URI']. Check that the array index exists before using it.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
$_COOKIE['refresh_token'] not unslashed before sanitization. Use wp_unslash() or similar
load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed.
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead.
Plugin name "JWT Auth - WordPress JSON Web Token Authentication" is different from the name declared in plugin header "JWT Auth".
The "/vendor" directory using composer exists, but "composer.json" file is missing.
Tested up to: 6.5 < 7.0. The "Tested up to" value in your plugin is not set to the current version of WordPress. This means your plugin will not show up in searches, as we require plugins to be compatible and documented as tested up to the most recent version of WordPress.
The plugin name includes a restricted term. Your chosen plugin name - "JWT Auth - WordPress JSON Web Token Authentication" - contains the restricted term "wordpress" which cannot be used at all in your plugin name.
Incorrect Stable Tag. It's recommended not to use "Stable Tag: trunk". Your Stable Tag is meant to be the stable version of your plugin and it needs to be exactly the same with the Version in your main plugin file's header. Any mismatch can prevent users from downloading the correct plugin files from WordPress.org.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$output'. | 8 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE['refresh_token'] | 5 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_SERVER['REQUEST_URI']. Check that the array index exists before using it. | 3 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 2 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 2 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE['refresh_token'] not unslashed before sanitization. Use wp_unslash() or similar | 2 |
| PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFound | WARNING | load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed. | 1 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 1 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 1 |
| application_detected | ERROR | Application files are not permitted. | 1 |
| hidden_files | ERROR | Hidden files are not permitted. | 1 |
| mismatched_plugin_name | WARNING | Plugin name "JWT Auth - WordPress JSON Web Token Authentication" is different from the name declared in plugin header "JWT Auth". | 1 |
| missing_composer_json_file | WARNING | The "/vendor" directory using composer exists, but "composer.json" file is missing. | 1 |
| outdated_tested_upto_header | ERROR | Tested up to: 6.5 < 7.0. The "Tested up to" value in your plugin is not set to the current version of WordPress. This means your plugin will not show up in searches, as we require plugins to be compatible and documented as tested up to the most recent version of WordPress. | 1 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "JWT Auth - WordPress JSON Web Token Authentication" - contains the restricted term "wordpress" which cannot be used at all in your plugin name. | 1 |
| trunk_stable_tag | ERROR | Incorrect Stable Tag. It's recommended not to use "Stable Tag: trunk". Your Stable Tag is meant to be the stable version of your plugin and it needs to be exactly the same with the Version in your main plugin file's header. Any mismatch can prevent users from downloading the correct plugin files from WordPress.org. | 1 |
Latest Snapshot
Findings
32
Errors
14
Warnings
18
Score History
First score snapshot
First scan completed
v3.0.2 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
v3.0.2
35
Latest
- Findings
- 32
- Errors
- 14
- Warnings
- 18
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 35 | 32 | 14 | 18 | v3.0.2 | 2.0.0 | 2026.06-mvp-static-v2 |
