Lead Form Builder & Contact Form

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$active_cls'.

Processing form data without nonce verification.

$_COOKIE['thc_time'] not unslashed before sanitization. Use wp_unslash() or similar

Use placeholders and $wpdb->prepare(); found interpolated variable $data_table_name at "INSERT INTO $data_table_name ( form_id, form_data, ip_address, server_request, date ) \r\n

Detected usage of a non-sanitized input variable: $_FILES['lfb_file_import']['tmp_name']

Use of a direct database call is discouraged.

Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().

Detected usage of a possibly undefined superglobal array index: $_COOKIE['thc_time']. Check that the array index exists before using it.

All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.

Processing form data without nonce verification.

date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.

Use placeholders and $wpdb->prepare(); found $default_insert

Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching.

Unescaped parameter $lead_form used in $wpdb->get_var()\n$lead_form assigned unsafely at line 9.

Unescaped parameter $default_insert used in $wpdb->query()\n$default_insert assigned unsafely at line 75.

PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;

Mismatched text domain. Expected 'lead-form-builder' but got 'lead-form-buulder'.

Attempting a database schema change is discouraged.

Translatable string should not be wrapped in HTML. Found: '<b class="lfb-required">*</b>'

The $text parameter must be a single text string literal. Found: $instance['title']

wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.

In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header.

load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed.

Offloading images, js, css, and other scripts to your servers or any remote service is disallowed.

The use of function set_time_limit() is discouraged