A modern video and audio player for courses, landing pages, marketing, and testimonials — with captions, branding, and page-builder support.
Category Scores
Top Issues by Category
maintainability: 110
security: 84
Issues Details
255 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"<div class='notice {$noticeLevel} is-dismissible'><p>{$message}</p></div>"'. | 32 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 32 |
| block_api_version_too_low | ERROR | Editor blocks must define "apiVersion" 3 or higher in block.json for WordPress 7.0+ iframe editor compatibility. | 22 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 14 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 14 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $audio_table used in $wpdb->get_var() | 13 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 13 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$load_presto_js". | 12 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 12 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "BSF_Analytics". | 8 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 8 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_POST['nonce'] not unslashed before sanitization. Use wp_unslash() or similar | 7 |
| WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$key . '_tracking_enabled'". | 5 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "bsf_core_stats". | 5 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_POST['nonce'] | 5 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "utf8_decode()" requires WordPress 6.9.0, but your plugin minimum supported version is WordPress 6.3.0. | 5 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $columns at "CREATE TABLE IF NOT EXISTS $full_table_name ( $columns ) $table_options;" | 4 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 3 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $name | 3 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_query | WARNING | Detected usage of meta_query, possible slow query. | 3 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "BSF_ANALYTICS_URI". | 3 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 3 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'presto-player' but got 'nps-survey'. | 3 |
| unexpected_markdown_file | WARNING | Unexpected markdown file "CLAUDE.md" detected in plugin root. Only specific markdown files are expected in production plugins. | 3 |
| WordPress.WP.I18n.TextDomainMismatch | WARNING | Mismatched text domain. Expected 'presto-player' but got 'default'. | 2 |
Latest Snapshot
Findings: 255
Errors: 131
Warnings: 124
Score History
First score snapshot
First scan completed Jun 19, 2026
v4.2.3 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026 (Latest) | 27 | 255 | 131 | 124 | v4.2.3 | 2.0.0 | 2026.06-mvp-static-v2 |