Manage classified listings with WordPress, and allow users to post classified listings directly to your website.
Category Scores
Top Issues by Category
maintainability5,468
i18n4,751
security945
Issues Details
11,298 issues found in latest scan
Mismatched text domain. Expected 'motors-car-dealership-classified-listings' but got 'butterbean'.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$__vars".
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'mvl_set_option_' . $opt_name".
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "_stm_listings_build_query_args".
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
$_COOKIE[$location_field_key] not unslashed before sanitization. Use wp_unslash() or similar
Processing form data without nonce verification.
Detected usage of a non-sanitized input variable: $_COOKIE[$location_field_key]
Processing form data without nonce verification.
Detected usage of a possibly undefined superglobal array index: $_FILES['files']. Check that the array index exists before using it.
Using exclusionary parameters, like exclude, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$datas'.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
Function "determine_locale()" requires WordPress 5.0.0, but your plugin minimum supported version is WordPress 4.6.0.
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "DOING_AJAX".
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
Detected usage of meta_key, possible slow query.
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "STMBulkNotices".
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
The parameter "$args" at position #2 of get_terms() has been deprecated since WordPress version 4.5.0. Instead do not pass the parameter.
unlink() is discouraged. Use wp_delete_file() to delete a file.
Detected usage of meta_query, possible slow query.
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'motors-car-dealership-classified-listings' but got 'butterbean'. | 4,675 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$__vars". | 2,737 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "'mvl_set_option_' . $opt_name". | 1,712 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "_stm_listings_build_query_args". | 407 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 377 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE[$location_field_key] not unslashed before sanitization. Use wp_unslash() or similar | 323 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 192 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE[$location_field_key] | 150 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 107 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES['files']. Check that the array index exists before using it. | 100 |
| WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_exclude | WARNING | Using exclusionary parameters, like exclude, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. | 68 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$datas'. | 62 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 47 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "determine_locale()" requires WordPress 5.0.0, but your plugin minimum supported version is WordPress 4.6.0. | 47 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "DOING_AJAX". | 33 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 29 |
| WordPress.WP.AlternativeFunctions.curl_curl_setopt | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 24 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 21 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 20 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "STMBulkNotices". | 20 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 19 |
| WordPress.WP.DeprecatedParameters.Get_termsParam2Found | ERROR | The parameter "$args" at position #2 of get_terms() has been deprecated since WordPress version 4.5.0. Instead do not pass the parameter. | 18 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 17 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_query | WARNING | Detected usage of meta_query, possible slow query. | 16 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 11 |
Latest Snapshot
Findings
11,298
Errors
5,340
Warnings
5,958
Score History
First score snapshot
First scan completed
v1.4.112 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
v1.4.112
22
Latest
- Findings
- 11,298
- Errors
- 5,340
- Warnings
- 5,958
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 22 | 11,298 | 5,340 | 5,958 | v1.4.112 | 2.0.0 | 2026.06-mvp-static-v2 |
