Sell gift cards to your WooCommerce store, in just a few minutes!
Category Scores
Top Issues by Category
security276
maintainability122
Issues Details
423 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"$map[0] { $map[1]: $value; }\n"'.
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$active_count".
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Processing form data without nonce verification.
Detected usage of a non-sanitized input variable: $_GET['card_number']
$_GET['card_number'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a possibly undefined superglobal array index: $_POST['amount']. Check that the array index exists before using it.
The $text parameter must be a single text string literal. Found: $card_number
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "product_variation_linked".
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header.
Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "WC_Email_PW_Gift_Card".
Function "has_block()" requires WordPress 5.0.0, but your plugin minimum supported version is WordPress 4.5.0.
Unescaped parameter $price_decimals used in $wpdb->get_row()\n$price_decimals assigned unsafely at line 10.
Use placeholders and $wpdb->prepare(); found interpolated variable $active_sql at $active_sql\n
The plugin name includes a restricted term. Your chosen plugin name - "PW WooCommerce Gift Cards" - contains the restricted term "woocommerce" which cannot be used within in your plugin name, unless your plugin name contains one of the allowed patterns: "for woocommerce", "with woocommerce", "using woocommerce", or "and woocommerce". The term must still not appear anywhere else in your name.
Attempting a database schema change is discouraged.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '__'.
Use of the "translate()" function is reserved for low-level API usage.
Mismatched text domain. Expected 'pw-woocommerce-gift-cards' but got 'woocommerce'.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"$map[0] { $map[1]: $value; }\n"'. | 110 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 86 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$active_count". | 47 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 20 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 18 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 18 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET['card_number'] | 18 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['card_number'] not unslashed before sanitization. Use wp_unslash() or similar | 18 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_POST['amount']. Check that the array index exists before using it. | 13 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: $card_number | 9 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "product_variation_linked". | 8 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 6 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 6 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound | WARNING | Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "WC_Email_PW_Gift_Card". | 5 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 5 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "has_block()" requires WordPress 5.0.0, but your plugin minimum supported version is WordPress 4.5.0. | 5 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $price_decimals used in $wpdb->get_row()\n$price_decimals assigned unsafely at line 10. | 4 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $active_sql at $active_sql\n | 4 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $query | 3 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "PW WooCommerce Gift Cards" - contains the restricted term "woocommerce" which cannot be used within in your plugin name, unless your plugin name contains one of the allowed patterns: "for woocommerce", "with woocommerce", "using woocommerce", or "and woocommerce". The term must still not appear anywhere else in your name. | 3 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 2 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '__'. | 2 |
| WordPress.WP.I18n.LowLevelTranslationFunction | WARNING | Use of the "translate()" function is reserved for low-level API usage. | 2 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'pw-woocommerce-gift-cards' but got 'woocommerce'. | 2 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 2 |
Latest Snapshot
Findings
423
Errors
238
Warnings
185
Score History
First score snapshot
First scan completed
v2.43 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
v2.43
34
Latest
- Findings
- 423
- Errors
- 238
- Warnings
- 185
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 34 | 423 | 238 | 185 | v2.43 | 2.0.0 | 2026.06-mvp-static-v2 |
