Send beautiful newsletters from WordPress. Collect subscribers with signup forms, automate your emails for WooCommerce, blog post notifications & more
Category Scores
Top Issues by Category
security: 821
maintainability: 683
Issues Details
1,569 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Could not create new segment with name [{$name}] because a segment with that name already exists."'. | 649 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "__TwigTemplate_02deb84769839d0a6212d921e633c1fa1d1daa6b34177426293099b2197e4112". | 174 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 106 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 102 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 97 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "DECLARED_FORM". | 89 |
| PluginCheck.CodeAnalysis.Heredoc.NotAllowed | ERROR | Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead | 64 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 45 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 25 |
| WordPress.WP.AlternativeFunctions.rand_mt_rand | ERROR | mt_rand() is discouraged. Use the far less predictable wp_rand() instead. | 25 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $andWhere used in $wpdb->get_results(); $andWhere assigned unsafely at line 344. | 18 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$bar". | 16 |
| WordPress.WP.AlternativeFunctions.rand_rand | ERROR | rand() is discouraged. Use the far less predictable wp_rand() instead. | 15 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 14 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['id'] not unslashed before sanitization. Use wp_unslash() or similar | 12 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 8 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 8 |
| WordPress.WP.EnqueuedResources.NonEnqueuedScript | ERROR | Scripts must be registered/enqueued via wp_enqueue_script() | 7 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 6 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'mailpoet' but got 'woocommerce'. | 6 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 5 |
| WordPress.PHP.DevelopmentFunctions.error_log_trigger_error | WARNING | trigger_error() found. Debug code should not normally be used in production. | 5 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fwrite | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite(). | 5 |
| WordPress.WP.EnqueuedResources.NonEnqueuedStylesheet | ERROR | Stylesheets must be registered/enqueued via wp_enqueue_style() | 5 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 4 |
Latest Snapshot
Findings: 1,569
Errors: 858
Warnings: 711
Score History
First score snapshot
First scan completed Jun 19, 2026
v5.30.0 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026 (Latest) | 23 | 1,569 | 858 | 711 | v5.30.0 | 2.0.0 | 2026.06-mvp-static-v2 |