Pix por Piggly v2.1.2
Category Scores
Top Issues by Category
- security: 369
- maintainability: 163
Issues Details
742 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"End-of-file reached, probably we got disconnected (sent {$sent} of {$length})"'. | 203 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$file['basename']'. | 106 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'pix-por-piggly' but got 'wc-piggly-pix'. | 84 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 39 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$_wp_column_headers". | 31 |
| WordPress.WP.AlternativeFunctions.curl_curl_setopt | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 26 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "woocommerce_email_footer". | 23 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 18 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 17 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $table_name used in $wpdb->get_results()\n$table_name assigned unsafely at line 113. | 14 |
| Internal.LineEndings.Mixed | WARNING | File has mixed line endings; this may cause incorrect results | 12 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES['pgly_pix_receipt']['name']. Check that the array index exists before using it. | 10 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$s, %2$s", but got "%s, %s" in 'O pagamento do pedido #%s via Pix no valor de %s foi concluído com sucesso.'. | 10 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $table_name at "DELETE FROM $table_name WHERE `status` = 'cancelled' OR `oid` IS NULL" | 8 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $query | 8 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_POST[$key] not unslashed before sanitization. Use wp_unslash() or similar | 8 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_FILES['pgly_pix_receipt']['tmp_name'] | 7 |
| WordPress.WP.AlternativeFunctions.curl_curl_init | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 7 |
| WordPress.PHP.DevelopmentFunctions.error_log_trigger_error | WARNING | trigger_error() found. Debug code should not normally be used in production. | 6 |
| WordPress.PHP.DevelopmentFunctions.error_log_set_error_handler | WARNING | set_error_handler() found. Debug code should not normally be used in production. | 5 |
| WordPress.PHP.DevelopmentFunctions.error_log_var_export | WARNING | var_export() found. Debug code should not normally be used in production. | 5 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 5 |
| WordPress.WP.AlternativeFunctions.unlink_unlink | ERROR | unlink() is discouraged. Use wp_delete_file() to delete a file. | 5 |
| Generic.PHP.BacktickOperator.Found | ERROR | Use of the backtick operator is forbidden | 4 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 4 |
Latest Snapshot
- Findings: 742
- Errors: 547
- Warnings: 195
Score History
First score snapshot
First scan completed
v2.1.2 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 20 | 742 | 547 | 195 | v2.1.2 | 2.0.0 | 2026.06-mvp-static-v2 |