Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin

Hotel, Car Rental & Tour Booking WordPress plugin. Build a website like Booking.com, Airbnb, Enterprise, Avis. WooCommerce and Elementor Supported.

v2.22.8ThemeficUpdated Added 2k+ installs82% rating
25
Score
119
Errors
2,700
Warnings
+0
Change

Category Scores

Security0
Repo100
Performance95
Maintainability0

Issues to Review

Prioritized issue groups from the latest Plugin Check scan

2,819 findings

Maintainability

1,795

16 issue groups

Security

978

8 issue groups

I18n

12

1 issue group

WARNINGMaintainabilityNon-prefixed global variableGlobal variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$address".1,001
Category
Maintainability
Occurrences
1,001
Severity
warning

Sample message

Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$address".

WARNINGSecurityNonce verification recommendedProcessing form data without nonce verification.531
Category
Security
Occurrences
531
Severity
warning

Sample message

Processing form data without nonce verification.

WARNINGMaintainabilityNon-prefixed hook nameHook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: ""tf-" . $parent_id . '-after-tab-content'".296
Category
Maintainability
Occurrences
296
Severity
warning

Sample message

Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: ""tf-" . $parent_id . '-after-tab-content'".

WARNINGSecurityRequest data is not unslashed$_GET['adults'] not unslashed before sanitization. Use wp_unslash() or similar289
Category
Security
Occurrences
289
Severity
warning

Sample message

$_GET['adults'] not unslashed before sanitization. Use wp_unslash() or similar

WARNINGMaintainabilityNon-prefixed functionFunctions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "car_display_cart_item_custom_meta_data".116
Category
Maintainability
Occurrences
116
Severity
warning

Sample message

Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "car_display_cart_item_custom_meta_data".

WARNINGMaintainabilityDirect QueryUse of a direct database call is discouraged.83
Category
Maintainability
Occurrences
83
Severity
warning

Sample message

Use of a direct database call is discouraged.

WARNINGMaintainabilityNo CachingDirect database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().82
Category
Maintainability
Occurrences
82
Severity
warning

Sample message

Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().

ERRORMaintainabilitywp function not compatible with requires wpFunction "block_footer_area()" requires WordPress 5.9.0, but your plugin minimum supported version is WordPress 5.4.0.52
Category
Maintainability
Occurrences
52
Severity
error

Sample message

Function "block_footer_area()" requires WordPress 5.9.0, but your plugin minimum supported version is WordPress 5.4.0.

WARNINGMaintainabilityNon-prefixed classClasses declared by a theme/plugin should start with the theme/plugin prefix. Found: "TF_API_Routes".50
Category
Maintainability
Occurrences
50
Severity
warning

Sample message

Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "TF_API_Routes".

WARNINGSecurityInput is not validatedDetected usage of a possibly undefined superglobal array index: $_FILES['file']['name']. Check that the array index exists before using it.50
Category
Security
Occurrences
50
Severity
warning

Sample message

Detected usage of a possibly undefined superglobal array index: $_FILES['file']['name']. Check that the array index exists before using it.

Show 15 more
WARNINGSecurityInput is not sanitized42
Category
Security
Occurrences
42
Severity
warning

Sample message

Detected usage of a non-sanitized input variable: $_GET['car_transmission']

ERRORSecurityOutput is not escaped22
Category
Security
Occurrences
22
Severity
error

Sample message

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$button_text'.

WARNINGMaintainabilityslow db query tax query21
Category
Maintainability
Occurrences
21
Severity
warning

Sample message

Detected usage of tax_query, possible slow query.

WARNINGMaintainabilityNon-prefixed constant20
Category
Maintainability
Occurrences
20
Severity
warning

Sample message

Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "TF_ADMIN_PATH".

WARNINGSecurityMissing nonce verification20
Category
Security
Occurrences
20
Severity
warning

Sample message

Processing form data without nonce verification.

WARNINGMaintainabilityerror log error log16
Category
Maintainability
Occurrences
16
Severity
warning

Sample message

error_log() found. Debug code should not normally be used in production.

WARNINGSecurityInterpolated SQL is not prepared15
Category
Security
Occurrences
15
Severity
warning

Sample message

Use placeholders and $wpdb->prepare(); found interpolated variable $enquiry_table at "ALTER TABLE $enquiry_table ADD COLUMN `enquiry_status` VARCHAR(255) NOT NULL DEFAULT 'read' AFTER `author_roles`"

WARNINGMaintainabilityDiscouraged PHP function15
Category
Maintainability
Occurrences
15
Severity
warning

Sample message

wp_reset_query() is discouraged. Use wp_reset_postdata() instead.

WARNINGMaintainabilityDynamic hook name14
Category
Maintainability
Occurrences
14
Severity
warning

Sample message

Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$key . '_icon'".

ERRORI18nMissing Translators Comment12
Category
I18n
Occurrences
12
Severity
error

Sample message

A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.

ERRORMaintainabilitydate date10
Category
Maintainability
Occurrences
10
Severity
error

Sample message

date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.

WARNINGSecurityDatabase parameter is not escaped9
Category
Security
Occurrences
9
Severity
warning

Sample message

Unescaped parameter $enquiry_table used in $wpdb->get_results()\n$enquiry_table assigned unsafely at line 1390.

ERRORMaintainabilityMissing direct file access protection9
Category
Maintainability
Occurrences
9
Severity
error

Sample message

PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;

WARNINGMaintainabilitySchema Change5
Category
Maintainability
Occurrences
5
Severity
warning

Sample message

Attempting a database schema change is discouraged.

WARNINGMaintainabilityslow db query meta query5
Category
Maintainability
Occurrences
5
Severity
warning

Sample message

Detected usage of meta_query, possible slow query.

External Connections

Potential connections found in static code analysis.

34 domains

Outbound calls

261

External assets

4

Incoming endpoints

33

Notable Domains

themefic.com26 · outbound
openstreetmap.org8 · outbound
fontawesome.com4 · outbound
portal.themefic.com4 · outbound

Platform / Reference Domains

w3.org131 · platform/reference
github.com5 · platform/reference

External Asset Domains

tourfic.com40 · asset + outbound

Incoming Endpoints

No public endpoints detected.

Admin AJAX endpoints33
wp_ajax_save_tour_package_pricingauthenticated

wp_ajax

wp_ajax_save_tour_pricing_typeauthenticated

wp_ajax

wp_ajax_tf_add_apartment_availabilityauthenticated

wp_ajax

wp_ajax_tf_add_hotel_room_availabilityauthenticated

wp_ajax

wp_ajax_tf_add_tour_availabilityauthenticated

wp_ajax

wp_ajax_tf_backend_apartment_bookingauthenticated

wp_ajax

wp_ajax_tf_backend_hotel_bookingauthenticated

wp_ajax

wp_ajax_tf_backend_tour_bookingauthenticated

wp_ajax

wp_ajax_tf_check_apartment_aditional_feesauthenticated

wp_ajax

wp_ajax_tf_check_available_apartmentauthenticated

wp_ajax

wp_ajax_tf_check_available_hotelauthenticated

wp_ajax

wp_ajax_tf_check_available_roomauthenticated

wp_ajax

21 more hidden

Score History

3 score snapshots

+0
1007550250Jun 21, 2026, 06:28 PM UTC Score 25/100 Plugin v2.22.6 Plugin Check 2.0.0 119 errors, 2,724 warningsJun 22, 2026, 07:27 AM UTC Score 25/100 Plugin v2.22.7 Plugin Check 2.0.0 119 errors, 2,706 warningsJun 24, 2026, 01:07 PM UTC Score 25/100 Plugin v2.22.8 Plugin Check 2.0.0 119 errors, 2,700 warningsJun 21, 2026Jun 24, 2026

v2.22.8

25

Latest

Findings
2,819
Errors
119
Warnings
2,700
Check
2.0.0

v2.22.7

25

Score

Findings
2,825
Errors
119
Warnings
2,706
Check
2.0.0

Relationship Map

Author, categories, issues, domains, and nearby plugins.

37 nodes

Related Plugins