Automatically optimize images with bulk compression, lazy loading, WebP/AVIF conversion & CloudFront image CDN. Boost Core Web Vitals & conversions.
Category Scores
Top Issues by Category
maintainability119
security113
Issues Details
242 issues found in latest scan
Processing form data without nonce verification.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$badge_html'.
print_r() found. Debug code should not normally be used in production.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "breeze_clear_all_cache".
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Detected usage of a non-sanitized input variable: $_FILES['file']
$_GET['optml_nonce'] not unslashed before sanitization. Use wp_unslash() or similar
parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead.
The %i modifier is only supported in WP 6.2 or higher. Found: "%i".
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
Resource version not set in call to wp_enqueue_style(). This means new versions of the style may not always be loaded due to browser caching.
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
Detected usage of meta_query, possible slow query.
Detected usage of a possibly undefined superglobal array index: $_FILES['file']['name']. Check that the array index exists before using it.
Function "get_block_wrapper_attributes()" requires WordPress 5.6.0, but your plugin minimum supported version is WordPress 5.5.0.
Unescaped parameter $meta_values_str used in $wpdb->get_results()\n$meta_values_str assigned unsafely at line 320.
In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header.
unlink() is discouraged. Use wp_delete_file() to delete a file.
The use of function set_time_limit() is discouraged
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().
rand() is discouraged. Use the far less predictable wp_rand() instead.
srand() is discouraged. Rand seeding is not necessary when using the wp_rand() function (as you should).
load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 42 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$badge_html'. | 25 |
| WordPress.PHP.DevelopmentFunctions.error_log_print_r | WARNING | print_r() found. Debug code should not normally be used in production. | 24 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "breeze_clear_all_cache". | 16 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 13 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 13 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_FILES['file'] | 11 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['optml_nonce'] not unslashed before sanitization. Use wp_unslash() or similar | 11 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 11 |
| WordPress.DB.PreparedSQLPlaceholders.UnsupportedIdentifierPlaceholder | ERROR | The %i modifier is only supported in WP 6.2 or higher. Found: "%i". | 9 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 8 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_style(). This means new versions of the style may not always be loaded due to browser caching. | 7 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 6 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_query | WARNING | Detected usage of meta_query, possible slow query. | 5 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES['file']['name']. Check that the array index exists before using it. | 5 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "get_block_wrapper_attributes()" requires WordPress 5.6.0, but your plugin minimum supported version is WordPress 5.5.0. | 5 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $meta_values_str used in $wpdb->get_results()\n$meta_values_str assigned unsafely at line 320. | 4 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 4 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 3 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function set_time_limit() is discouraged | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 2 |
| WordPress.WP.AlternativeFunctions.rand_rand | ERROR | rand() is discouraged. Use the far less predictable wp_rand() instead. | 2 |
| WordPress.WP.AlternativeFunctions.rand_seeding_srand | ERROR | srand() is discouraged. Rand seeding is not necessary when using the wp_rand() function (as you should). | 2 |
| PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFound | WARNING | load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed. | 1 |
Latest Snapshot
Findings
242
Errors
80
Warnings
162
Score History
First score snapshot
First scan completed Jun 19, 2026
v4.2.7 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v4.2.7
29
Latest
- Findings
- 242
- Errors
- 80
- Warnings
- 162
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 29 | 242 | 80 | 162 | v4.2.7 | 2.0.0 | 2026.06-mvp-static-v2 |
