Search & Replace data in your database with WordPress admin, replace domains/URLs of your WordPress installation.
Category Scores
Top Issues by Category
security63
maintainability26
Issues Details
103 issues found in latest scan
Processing form data without nonce verification.
A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$csv'.
Detected usage of a non-sanitized input variable: $_FILES['file_to_upload']['error']
Use placeholders and $wpdb->prepare(); found interpolated variable $end at "SELECT * FROM $table LIMIT $start, $end"
$_GET['page'] not unslashed before sanitization. Use wp_unslash() or similar
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Unescaped parameter $table used in $wpdb->get_results()
Detected usage of a possibly undefined superglobal array index: $_FILES['file_to_upload']['error']. Check that the array index exists before using it.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "inpsyde.search_and_replace.error".
Processing form data without nonce verification.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite().
Resource version not set in call to wp_register_script(). This means new versions of the script may not always be loaded due to browser caching.
Version parameter is not explicitly set or has been set to an equivalent of "false" for wp_enqueue_script; This means that the WordPress core version will be used which is not recommended for plugin or theme development.
In footer ($in_footer) is not set explicitly wp_register_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header.
Short PHP opening tag used with echo; expected "<?php echo esc_html ..." but found "<?= esc_html ..."
Unescaped parameter $sql used in $wpdb->query()\n$sql assigned unsafely at line 152.
Accessing the database directly should be avoided. Please use the $wpdb object and associated functions instead. Found: \mysqli.
Accessing the database directly should be avoided. Please use the $wpdb object and associated functions instead. Found: mysqli_close.
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable().
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 15 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $sql | 11 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 9 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$csv'. | 8 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_FILES['file_to_upload']['error'] | 7 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $end at "SELECT * FROM $table LIMIT $start, $end" | 6 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['page'] not unslashed before sanitization. Use wp_unslash() or similar | 5 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 5 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $table used in $wpdb->get_results() | 4 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_FILES['file_to_upload']['error']. Check that the array index exists before using it. | 4 |
| Squiz.PHP.DiscouragedFunctions.Discouraged | WARNING | The use of function ini_set() is discouraged | 2 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "inpsyde.search_and_replace.error". | 2 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fwrite | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fwrite(). | 2 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_register_script(). This means new versions of the script may not always be loaded due to browser caching. | 2 |
| WordPress.WP.EnqueuedResourceParameters.NoExplicitVersion | ERROR | Version parameter is not explicitly set or has been set to an equivalent of "false" for wp_enqueue_script; This means that the WordPress core version will be used which is not recommended for plugin or theme development. | 2 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_register_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 2 |
| Generic.PHP.DisallowShortOpenTag.EchoFound | ERROR | Short PHP opening tag used with echo; expected "<?php echo esc_html ..." but found "<?= esc_html ..." | 1 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $sql used in $wpdb->query()\n$sql assigned unsafely at line 152. | 1 |
| WordPress.DB.RestrictedClasses.mysql__mysqli | ERROR | Accessing the database directly should be avoided. Please use the $wpdb object and associated functions instead. Found: \mysqli. | 1 |
| WordPress.DB.RestrictedFunctions.mysql_mysqli_close | ERROR | Accessing the database directly should be avoided. Please use the $wpdb object and associated functions instead. Found: mysqli_close. | 1 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 1 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable(). | 1 |
Latest Snapshot
Findings
103
Errors
50
Warnings
53
Score History
First score snapshot
First scan completed Jun 19, 2026
v3.2.3 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v3.2.3
36
Latest
- Findings
- 103
- Errors
- 50
- Warnings
- 53
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 36 | 103 | 50 | 53 | v3.2.3 | 2.0.0 | 2026.06-mvp-static-v2 |
