MailChimp Forms to get more email subscribers. Subscribe your WordPress visitors to your MailChimp lists easily.
Category Scores
Top Issues by Category
security125
maintainability56
Issues Details
210 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$args['after_title']'.
Detected usage of a non-sanitized input variable: $_GET['step']
$_GET['step'] not unslashed before sanitization. Use wp_unslash() or similar
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
Detected usage of a possibly undefined superglobal array index: $_POST['email']. Check that the array index exists before using it.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$autoEmbed".
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Processing form data without nonce verification.
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "activate_mailchimp_mailmunch".
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Processing form data without nonce verification.
The $domain parameter must be a single text string literal. Found: MAILCHIMP_MAILMUNCH_SLUG
Mismatched text domain. Expected 'mailchimp-forms-by-mailmunch' but got 'text_domain'.
The plugin name includes a restricted term. Your chosen plugin name - "MailChimp Forms by MailMunch" - contains the restricted term "mailchimp" and cannot be used to begin your plugin name. We disallow the use of certain terms in ways that are abused, or potentially infringe on and/or are misleading with regards to trademarks. You may use the term "mailchimp" elsewhere in your plugin name, such as "... for mailchimp".
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "DrewmMailChimp".
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Invalid MailChimp API key `{$api_key}` supplied."'.
wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$args['after_title']'. | 52 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['step'] | 23 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['step'] not unslashed before sanitization. Use wp_unslash() or similar | 23 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 16 |
| WordPress.WP.AlternativeFunctions.curl_curl_setopt | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 15 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_POST['email']. Check that the array index exists before using it. | 12 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$autoEmbed". | 11 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 11 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 6 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "activate_mailchimp_mailmunch". | 4 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 3 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 3 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 3 |
| WordPress.WP.I18n.NonSingularStringLiteralDomain | ERROR | The $domain parameter must be a single text string literal. Found: MAILCHIMP_MAILMUNCH_SLUG | 3 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'mailchimp-forms-by-mailmunch' but got 'text_domain'. | 3 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "MailChimp Forms by MailMunch" - contains the restricted term "mailchimp" and cannot be used to begin your plugin name. We disallow the use of certain terms in ways that are abused, or potentially infringe on and/or are misleading with regards to trademarks. You may use the term "mailchimp" elsewhere in your plugin name, such as "... for mailchimp". | 3 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $check_sql | 2 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 2 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 2 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "DrewmMailChimp". | 1 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Invalid MailChimp API key `{$api_key}` supplied."'. | 1 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 1 |
| WordPress.WP.AlternativeFunctions.curl_curl_close | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 1 |
| WordPress.WP.AlternativeFunctions.curl_curl_error | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 1 |
| WordPress.WP.AlternativeFunctions.curl_curl_exec | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 1 |
Latest Snapshot
Findings
210
Errors
116
Warnings
94
Score History
First score snapshot
First scan completed Jun 20, 2026
v3.2.7 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v3.2.7
34
Latest
- Findings
- 210
- Errors
- 116
- Warnings
- 94
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 34 | 210 | 116 | 94 | v3.2.7 | 2.0.0 | 2026.06-mvp-static-v2 |
