The security-first MCP server for WordPress. Connect Claude, ChatGPT, and Gemini with API key auth, rate limiting, activity logging, and Elementor pag …
Category Scores
Top Issues by Category
security20
maintainability14
Issues Details
36 issues found in latest scan
Use placeholders and $wpdb->prepare(); found interpolated variable {$auth_codes_table} at "DELETE FROM `{$auth_codes_table}` WHERE used = 1 OR expires_at < %s"
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$class'.
Unescaped parameter $where used in $wpdb->get_results()\n$where assigned unsafely at line 2698.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Attempting a database schema change is discouraged.
Replacement variables found, but no valid placeholders found in the query.
Detected usage of tax_query, possible slow query.
The "Changelog" section is too long and was truncated. A maximum of 5000 characters is supported.
The "Short Description" section is too long and was truncated. A maximum of 150 characters is supported.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable {$auth_codes_table} at "DELETE FROM `{$auth_codes_table}` WHERE used = 1 OR expires_at < %s" | 13 |
| upgrade_notice_limit | WARNING | The upgrade notice for "1.4.14" exceeds the limit of 300 characters. | 8 |
| WordPress.Security.EscapeOutput.ExceptionNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$class'. | 5 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 3 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $where used in $wpdb->get_results()\n$where assigned unsafely at line 2698. | 1 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 1 |
| WordPress.DB.DirectDatabaseQuery.SchemaChange | WARNING | Attempting a database schema change is discouraged. | 1 |
| WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare | WARNING | Replacement variables found, but no valid placeholders found in the query. | 1 |
| WordPress.DB.SlowDBQuery.slow_db_query_tax_query | WARNING | Detected usage of tax_query, possible slow query. | 1 |
| readme_parser_warnings_trimmed_section_changelog | WARNING | The "Changelog" section is too long and was truncated. A maximum of 5000 characters is supported. | 1 |
| readme_parser_warnings_trimmed_short_description | WARNING | The "Short Description" section is too long and was truncated. A maximum of 150 characters is supported. | 1 |
Latest Snapshot
Findings
36
Errors
5
Warnings
31
Score History
First score snapshot
First scan completed
v1.4.29 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
v1.4.29
65
Latest
- Findings
- 36
- Errors
- 5
- Warnings
- 31
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 65 | 36 | 5 | 31 | v1.4.29 | 2.0.0 | 2026.06-mvp-static-v2 |
