WooCommerce Product Addons
Add custom fields to your WooCommerce product page. With an easy-to-use Custom Form Builder.
Category Scores
Top Issues by Category
security: 127
maintainability: 68
i18n: 31
Issues Details
238 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$class'. | 60 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "active_plugins". | 25 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 18 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "register_rest_route()" requires WordPress 4.4.0, but your plugin minimum supported version is WordPress 4.0.0. | 15 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: $response | 13 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_GET[$field->name] | 12 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET[$field->name] not unslashed before sanitization. Use wp_unslash() or similar | 12 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 10 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 9 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$class". | 8 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 4 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 4 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $query | 4 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_query | WARNING | Detected usage of meta_query, possible slow query. | 4 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['from_post']. Check that the array index exists before using it. | 4 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'woo-custom-product-addons' but got 'my_text_domain'. | 4 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $query used in $wpdb->get_col(); $query assigned unsafely at line 1181. | 3 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 3 |
| WordPress.DB.SlowDBQuery.slow_db_query_tax_query | WARNING | Detected usage of tax_query, possible slow query. | 2 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 2 |
| WordPress.NamingConventions.PrefixAllGlobals.DynamicHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "self::$CPT.'_labels'". | 2 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 2 |
| WordPress.Security.SafeRedirect.wp_redirect_wp_redirect | WARNING | wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed. | 2 |
| WordPress.WP.I18n.UnorderedPlaceholdersText | ERROR | Multiple placeholders in translatable strings should be ordered. Expected "%1$d, %2$s", but got "%d, %s" in 'Value must be greater than or equal to %d for field %s '. | 2 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 2 |
Latest Snapshot
Findings: 238
Errors: 124
Warnings: 114
Score History
First score snapshot
First scan completed Jun 20, 2026
v3.1.4 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026 (Latest) | 33 | 238 | 124 | 114 | v3.1.4 | 2.0.0 | 2026.06-mvp-static-v2 |