Add posts to your website from any post type using a simple shortcode.
Category Scores
Top Issues by Category
- security: 114
- maintainability: 64
- i18n: 25
Issues Details
209 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$args['after_title']'. | 52 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 26 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'wp-show-posts' but got 'butterbean'. | 23 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 22 |
| Internal.NoCodeFound | WARNING | No PHP code was found in this file and short open tags are not allowed by this install of PHP. This file may be using short open tags but PHP does not allow them. | 16 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_POST[$this->get_field_name()] not unslashed before sanitization. Use wp_unslash() or similar | 15 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_POST[$this->get_field_name()] | 12 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$day". | 10 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_POST['id']. Check that the array index exists before using it. | 5 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 4 |
| WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in | WARNING | Using exclusionary parameters, like post__not_in, in calls to get_posts() should be done with caution, see https://wpvip.com/documentation/performance-improvements-by-removing-usage-of-post__not_in/ for more information. | 3 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "WP Show Posts" - contains the restricted term "wp" which cannot be used at all in your plugin name. | 3 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_key | WARNING | Detected usage of meta_key, possible slow query. | 2 |
| WordPress.DB.SlowDBQuery.slow_db_query_meta_value | WARNING | Detected usage of meta_value, possible slow query. | 2 |
| WordPress.DB.SlowDBQuery.slow_db_query_tax_query | WARNING | Detected usage of tax_query, possible slow query. | 1 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound | WARNING | Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: "wp_show_posts_type". | 1 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "wp_show_posts_shortcode_args". | 1 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 1 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 1 |
| WordPress.WP.DeprecatedFunctions.get_page_by_titleFound | WARNING | get_page_by_title() has been deprecated since WordPress version 6.2.0. Use WP_Query instead. | 1 |
| WordPress.WP.DeprecatedParameters.Get_termsParam2Found | WARNING | The parameter "'orderby=count&hide_empty=1'" at position #2 of get_terms() has been deprecated since WordPress version 4.5.0. Instead do not pass the parameter. | 1 |
| WordPress.WP.EnqueuedResourceParameters.MissingVersion | WARNING | Resource version not set in call to wp_enqueue_style(). This means new versions of the style may not always be loaded due to browser caching. | 1 |
| WordPress.WP.EnqueuedResourceParameters.NoExplicitVersion | ERROR | Version parameter is not explicitly set or has been set to an equivalent of "false" for wp_enqueue_script; This means that the WordPress core version will be used which is not recommended for plugin or theme development. | 1 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to _e(). | 1 |
| WordPress.WP.I18n.MissingTranslatorsComment | ERROR | A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders. | 1 |
Latest Snapshot
- Findings: 209
- Errors: 107
- Warnings: 102
Score History
First score snapshot
First scan completed
v1.1.6 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 36 | 209 | 107 | 102 | v1.1.6 | 2.0.0 | 2026.06-mvp-static-v2 |