Build beautiful responsive forms for WordPress. Contact forms, surveys, quizzes, booking forms, payments, popups & more with NEX-Forms...
Category Scores
Top Issues by Category
security1,280
maintainability191
Issues Details
3,197 issues found in latest scan
Mismatched text domain. Expected 'nex-forms-express-wp-form-builder' but got 'nex-forms'.
$_GET['nf_entry_id'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a possibly undefined superglobal array index: $_FILES[$key]. Check that the array index exists before using it.
Processing form data without nonce verification.
Processing form data without nonce verification.
Detected usage of a non-sanitized input variable: $_FILES[$key]
Function "rest_sanitize_array()" requires WordPress 5.5.0, but your plugin minimum supported version is WordPress 4.0.0.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$api_params".
Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "add_nf_wf_notice_dismissible".
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "CSVExport".
Replacement variables found, but no valid placeholders found in the query.
rand() is discouraged. Use the far less predictable wp_rand() instead.
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "NF_PATH".
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
error_reporting() can lead to full path disclosure.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fread().
The plugin name includes a restricted term. Your chosen plugin name - "NEX-Forms - Ultimate Forms Plugin for WordPress" - contains the restricted term "plugin" which cannot be used at all in your plugin name.
Using date_default_timezone_set() and similar isn't allowed, instead use WP internal timezone support.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'nex-forms-express-wp-form-builder' but got 'nex-forms'. | 1,718 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['nf_entry_id'] not unslashed before sanitization. Use wp_unslash() or similar | 340 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES[$key]. Check that the array index exists before using it. | 299 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 206 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 169 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found ! | 142 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_FILES[$key] | 120 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "rest_sanitize_array()" requires WordPress 5.5.0, but your plugin minimum supported version is WordPress 4.0.0. | 44 |
| badly_named_files | ERROR | File and folder names must not contain spaces or special characters. | 43 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$api_params". | 25 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "add_nf_wf_notice_dismissible". | 18 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 17 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 15 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "CSVExport". | 6 |
| WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare | WARNING | Replacement variables found, but no valid placeholders found in the query. | 4 |
| WordPress.WP.AlternativeFunctions.rand_rand | ERROR | rand() is discouraged. Use the far less predictable wp_rand() instead. | 4 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "NF_PATH". | 3 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 3 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 2 |
| WordPress.PHP.DevelopmentFunctions.prevent_path_disclosure_error_reporting | WARNING | error_reporting() can lead to full path disclosure. | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fread | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fread(). | 2 |
| library_core_files | ERROR | Library files that are already in the WordPress core are not permitted. | 2 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "NEX-Forms - Ultimate Forms Plugin for WordPress" - contains the restricted term "plugin" which cannot be used at all in your plugin name. | 2 |
| WordPress.DateTime.RestrictedFunctions.timezone_change_date_default_timezone_set | ERROR | Using date_default_timezone_set() and similar isn't allowed, instead use WP internal timezone support. | 1 |
Latest Snapshot
Findings
3,197
Errors
1,997
Warnings
1,200
Score History
First score snapshot
First scan completed
v9.2.2 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
v9.2.2
24
Latest
- Findings
- 3,197
- Errors
- 1,997
- Warnings
- 1,200
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 24 | 3,197 | 1,997 | 1,200 | v9.2.2 | 2.0.0 | 2026.06-mvp-static-v2 |
