WPCOM Member

WPCOM Member - User profile & membership plugin for WordPress

v1.7.24LomuUpdated Added 1k+ installs0% rating
26
Score
432
Errors
638
Warnings
+0
Change

Category Scores

Security0
Repo83
Performance98
Maintainability19

Issues to Review

Prioritized issue groups from the latest Plugin Check scan

1,070 findings

Security

510

10 issue groups

I18n

350

4 issue groups

Maintainability

188

11 issue groups

ERRORI18nNon Singular String Literal DomainThe $domain parameter must be a single text string literal. Found: WPMX_TD327
Category
I18n
Occurrences
327
Severity
error

Sample message

The $domain parameter must be a single text string literal. Found: WPMX_TD

WARNINGSecurityMissing nonce verificationProcessing form data without nonce verification.117
Category
Security
Occurrences
117
Severity
warning

Sample message

Processing form data without nonce verification.

WARNINGSecurityNonce verification recommendedProcessing form data without nonce verification.104
Category
Security
Occurrences
104
Severity
warning

Sample message

Processing form data without nonce verification.

WARNINGSecurityRequest data is not unslashed$_COOKIE[$rp_cookie] not unslashed before sanitization. Use wp_unslash() or similar101
Category
Security
Occurrences
101
Severity
warning

Sample message

$_COOKIE[$rp_cookie] not unslashed before sanitization. Use wp_unslash() or similar

WARNINGMaintainabilityNon-prefixed global variableGlobal variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$$wpmx_info".76
Category
Maintainability
Occurrences
76
Severity
warning

Sample message

Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$$wpmx_info".

WARNINGSecurityInput is not sanitizedDetected usage of a non-sanitized input variable: $_COOKIE[$rp_cookie]61
Category
Security
Occurrences
61
Severity
warning

Sample message

Detected usage of a non-sanitized input variable: $_COOKIE[$rp_cookie]

ERRORSecurityOutput is not escapedAll output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$atts'.54
Category
Security
Occurrences
54
Severity
error

Sample message

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$atts'.

WARNINGMaintainabilityDirect QueryUse of a direct database call is discouraged.28
Category
Maintainability
Occurrences
28
Severity
warning

Sample message

Use of a direct database call is discouraged.

WARNINGSecurityInput is not validatedDetected usage of a possibly undefined superglobal array index: $_FILES['file']['tmp_name']. Check that the array index exists before using it.26
Category
Security
Occurrences
26
Severity
warning

Sample message

Detected usage of a possibly undefined superglobal array index: $_FILES['file']['tmp_name']. Check that the array index exists before using it.

WARNINGMaintainabilityNo CachingDirect database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().23
Category
Maintainability
Occurrences
23
Severity
warning

Sample message

Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().

Show 15 more
WARNINGSecuritywp redirect wp redirect20
Category
Security
Occurrences
20
Severity
warning

Sample message

wp_redirect() found. Using wp_safe_redirect(), along with the "allowed_redirect_hosts" filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.

WARNINGMaintainabilityNon-prefixed hook name19
Category
Maintainability
Occurrences
19
Severity
warning

Sample message

Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "option_{$option}".

WARNINGSecurityInterpolated SQL is not prepared16
Category
Security
Occurrences
16
Severity
warning

Sample message

Use placeholders and $wpdb->prepare(); found interpolated variable $column at "SELECT COUNT(*) FROM $table WHERE meta_key = %s AND $column = %d"

ERRORI18nMissing Arg Domain15
Category
I18n
Occurrences
15
Severity
error

Sample message

Missing $domain parameter in function call to __().

WARNINGMaintainabilityslow db query meta value11
Category
Maintainability
Occurrences
11
Severity
warning

Sample message

Detected usage of meta_value, possible slow query.

WARNINGMaintainabilityslow db query meta key10
Category
Maintainability
Occurrences
10
Severity
warning

Sample message

Detected usage of meta_key, possible slow query.

WARNINGSecurityDatabase parameter is not escaped9
Category
Security
Occurrences
9
Severity
warning

Sample message

Unescaped parameter $table used in $wpdb->get_results()\n$table assigned unsafely at line 94.

WARNINGMaintainabilityDynamic hook name6
Category
Maintainability
Occurrences
6
Severity
warning

Sample message

Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "$filter".

ERRORMaintainabilityparse url parse url5
Category
Maintainability
Occurrences
5
Severity
error

Sample message

parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead.

ERRORI18nMissing Translators Comment5
Category
I18n
Occurrences
5
Severity
error

Sample message

A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.

ERRORMaintainabilityrand rand4
Category
Maintainability
Occurrences
4
Severity
error

Sample message

rand() is discouraged. Use the far less predictable wp_rand() instead.

ERRORI18nText Domain Mismatch3
Category
I18n
Occurrences
3
Severity
error

Sample message

Mismatched text domain. Expected 'wpcom-member' but got 'WPMX_TD'.

ERRORMaintainabilityMissing direct file access protection3
Category
Maintainability
Occurrences
3
Severity
error

Sample message

PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;

WARNINGMaintainabilitytrademarked term3
Category
Maintainability
Occurrences
3
Severity
warning

Sample message

The plugin name includes a restricted term. Your chosen plugin name - "WPCOM Member 用户中心" - contains the restricted term "wp" which cannot be used at all in your plugin name.

ERRORSecurityDatabase parameter is not escaped2
Category
Security
Occurrences
2
Severity
error

Sample message

Unescaped parameter $query used in $wpdb->get_row()\n$query assigned unsafely at line 18.

External Connections

Potential connections found in static code analysis.

25 domains

Outbound calls

62

External assets

0

Incoming endpoints

39

Notable Domains

api.twitter.com7 · outbound
api.weixin.qq.com6 · outbound
graph.qq.com4 · outbound
wpcom.cn4 · outbound
api.weibo.com3 · outbound
googleapis.com3 · outbound

Platform / Reference Domains

github.com3 · platform/reference
w3.org3 · platform/reference

External Asset Domains

No external asset domains detected.

Incoming Endpoints

wp_ajax_nopriv_wpcom_accountbindpublic

wp_ajax

wp_ajax_nopriv_wpcom_aliyun_captcha_verifypublic

wp_ajax

wp_ajax_nopriv_wpcom_approve_resendpublic

wp_ajax

wp_ajax_nopriv_wpcom_captchapublic

wp_ajax

wp_ajax_nopriv_wpcom_is_loginpublic

wp_ajax

wp_ajax_nopriv_wpcom_loginpublic

wp_ajax

Admin AJAX endpoints19
wp_ajax_wpcom_accountbindauthenticated

wp_ajax

wp_ajax_wpcom_aliyun_captcha_verifyauthenticated

wp_ajax

wp_ajax_wpcom_approve_resendauthenticated

wp_ajax

wp_ajax_wpcom_captchaauthenticated

wp_ajax

wp_ajax_wpcom_cropped_uploadauthenticated

wp_ajax

wp_ajax_wpcom_is_loginauthenticated

wp_ajax

wp_ajax_wpcom_login_modalauthenticated

wp_ajax

wp_ajax_wpcom_lostpasswordauthenticated

wp_ajax

wp_ajax_wpcom_resetpasswordauthenticated

wp_ajax

wp_ajax_wpcom_send_sms_codeauthenticated

wp_ajax

wp_ajax_wpcom_sl_createauthenticated

wp_ajax

wp_ajax_wpcom_sl_loginauthenticated

wp_ajax

7 more hidden

Score History

2 score snapshots

+0
1007550250Jun 21, 2026, 08:44 PM UTC Score 26/100 Plugin v1.7.23 Plugin Check 2.0.0 432 errors, 638 warningsJul 3, 2026, 06:10 AM UTC Score 26/100 Plugin v1.7.24 Plugin Check 2.0.0 432 errors, 638 warningsJun 21, 2026Jul 3, 2026

v1.7.24

26

Latest

Findings
1,070
Errors
432
Warnings
638
Check
2.0.0

v1.7.23

26

Score

Findings
1,070
Errors
432
Warnings
638
Check
2.0.0

Relationship Map

Author, categories, issues, domains, and nearby plugins.

34 nodes

Related Plugins