Build eCommerce sites & boost your earnings with the WooCommerce Builder, WooCommerce Blocks, and more effective features.
Category Scores
Top Issues by Category
maintainability: 257
security: 205
i18n: 31
Issues Details
495 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$_discount". | 206 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 85 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_COOKIE['wopb_cart_reserved_timer'] not unslashed before sanitization. Use wp_unslash() or similar | 55 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$_POST['wopb_video_type']'. | 24 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "cross_sell_product". | 22 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_COOKIE['wopb_compare'] | 20 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'product-blocks' but got 'product-blocks-pro'. | 19 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 11 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 10 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 8 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "prad_promo_promotion_hooks". | 6 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "Elementor_WOPB_Extension". | 5 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $product_id at WHERE order_product.product_id = {intval($product_id)} {$variation_statement} | 4 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_POST['_wopb_backorder_message']. Check that the array index exists before using it. | 3 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $product_id used in $wpdb->get_results(). $product_id used without escaping. | 2 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 2 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 2 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_query | WARNING | Detected usage of meta_query, possible slow query. | 2 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 2 |
| WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_exclude | WARNING | Using exclusionary parameters, like exclude, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. | 2 |
| Generic.PHP.ForbiddenFunctions.Found | ERROR | The use of function wp_get_sidebars_widgets() is forbidden | 1 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $date used in $wpdb->get_results(). $date used without escaping. | 1 |
| WordPress.PHP.DevelopmentFunctions.error_log_trigger_error | WARNING | trigger_error() found. Debug code should not normally be used in production. | 1 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 1 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 1 |
Latest Snapshot
Findings: 495
Errors: 66
Warnings: 429
Score History
First score snapshot
First scan completed
v4.4.22 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 36 | 495 | 66 | 429 | v4.4.22 | 2.0.0 | 2026.06-mvp-static-v2 |