Top Issues by Category
security: 112
maintainability: 33
repo_compliance: 3
Issues Details
149 issues found in latest scan
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$baidu'. | 97 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 9 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 7 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_POST[$this->key . '_nonce'] | 4 |
| WordPress.WP.AlternativeFunctions.file_system_operations_chmod | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: chmod(). | 4 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 3 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_POST[$this->key . '_nonce'] not unslashed before sanitization. Use wp_unslash() or similar | 3 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "Wppao Sitemap" - contains the restricted term "wp" which cannot be used at all in your plugin name. | 3 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 2 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 2 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $sql_html | 2 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_SERVER["PHP_SELF"]. Check that the array index exists before using it. | 2 |
| WordPress.WP.AlternativeFunctions.file_system_operations_is_writable | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: is_writable(). | 2 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $sql_mini used in $wpdb->get_results() $sql_mini assigned unsafely at line 20. | 1 |
| WordPress.WP.DeprecatedParameters.Get_termsParam2Found | WARNING | The parameter "'orderby=count&hide_empty=0'" at position #2 of get_terms() has been deprecated since WordPress version 4.5.0. Instead do not pass the parameter. | 1 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'wppao-sitemap' but got 'wppao_sitemap'. | 1 |
| outdated_tested_upto_header | ERROR | Tested up to: 5.4 < 7.0. The "Tested up to" value in your plugin is not set to the current version of WordPress. This means your plugin will not show up in searches, as we require plugins to be compatible and documented as tested up to the most recent version of WordPress. | 1 |
| plugin_updater_detected | ERROR | Plugin Updater detected. These are not permitted in WordPress.org hosted plugins. Detected: site_transient_update_plugins | 1 |
| readme_description_non_official_language | ERROR | The readme description contains unofficial language. It must be written in standard English. | 1 |
| readme_short_description_non_official_language | ERROR | The readme short description contains unofficial language. It must be written in standard English. | 1 |
| stable_tag_mismatch | ERROR | Mismatched Stable Tag: 1.2 != 1.2.0. Your Stable Tag is meant to be the stable version of your plugin and it needs to be exactly the same with the Version in your main plugin file's header. Any mismatch can prevent users from downloading the correct plugin files from WordPress.org. | 1 |
| update_modification_detected | WARNING | Plugin Updater detected. Detected code which may be altering WordPress update routines. Detected: _site_transient_update_plugins | 1 |
Latest Snapshot
Findings: 149
Errors: 128
Warnings: 21
Score History
First score snapshot
First scan completed
v1.2.0 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Latest | 36 | 149 | 128 | 21 | v1.2.0 | 2.0.0 | 2026.06-mvp-static-v2 |