Slider, gallery, carousel plugin for WordPress. Build your image slider, video slider, post slider, YouTube slider, or WooCommerce product slider.
Category Scores
Top Issues by Category
maintainability235
security208
i18n56
Issues Details
530 issues found in latest scan
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$__dir".
Processing form data without nonce verification.
trigger_error() found. Debug code should not normally be used in production.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '" in DEFAULT in directive hash '$id'"'.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"'$element' is not allowed/supported $support"'.
$_GET['order'] not unslashed before sanitization. Use wp_unslash() or similar
All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'.
Detected usage of a non-sanitized input variable: $_FILES['async-upload']
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "HTML5".
In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header.
Detected usage of tax_query, possible slow query.
The $text parameter must be a single text string literal. Found: $item['label']
unlink() is discouraged. Use wp_delete_file() to delete a file.
Function "apply_shortcodes()" requires WordPress 5.4.0, but your plugin minimum supported version is WordPress 5.0.0.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$s", but got "%s, %s" in '%sUses your settings timezone%s'.
set_error_handler() found. Debug code should not normally be used in production.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "rest_enabled".
wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.
parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$__dir". | 101 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 94 |
| WordPress.PHP.DevelopmentFunctions.error_log_trigger_error | WARNING | trigger_error() found. Debug code should not normally be used in production. | 37 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 35 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '" in DEFAULT in directive hash '$id'"'. | 34 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 34 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"'$element' is not allowed/supported $support"'. | 31 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['order'] not unslashed before sanitization. Use wp_unslash() or similar | 21 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like echo esc_html_x() or echo esc_attr_x()), found '_ex'. | 13 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_FILES['async-upload'] | 12 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "HTML5". | 9 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 9 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 9 |
| WordPress.DB.SlowDBQuery.slow_db_query_tax_query | WARNING | Detected usage of tax_query, possible slow query. | 8 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: $item['label'] | 7 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 6 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "apply_shortcodes()" requires WordPress 5.4.0, but your plugin minimum supported version is WordPress 5.0.0. | 6 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 5 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 5 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 5 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$s", but got "%s, %s" in '%sUses your settings timezone%s'. | 5 |
| WordPress.PHP.DevelopmentFunctions.error_log_set_error_handler | WARNING | set_error_handler() found. Debug code should not normally be used in production. | 4 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "rest_enabled". | 3 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 3 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 3 |
Latest Snapshot
Findings
530
Errors
207
Warnings
323
Score History
First score snapshot
First scan completed Jun 19, 2026
v3.110.0 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v3.110.0
22
Latest
- Findings
- 530
- Errors
- 207
- Warnings
- 323
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 22 | 530 | 207 | 323 | v3.110.0 | 2.0.0 | 2026.06-mvp-static-v2 |
