Set up and control WPvivid Backup Free and Pro for all child sites directly from your MainWP Dashboard.
Category Scores
Top Issues by Category
security1,621
i18n525
maintainability446
Issues Details
2,612 issues found in latest scan
Processing form data without nonce verification.
Mismatched text domain. Expected 'wpvivid-backup-mainwp' but got 'mainwp'.
$_GET['action'] not unslashed before sanitization. Use wp_unslash() or similar
error_log() found. Debug code should not normally be used in production.
Processing form data without nonce verification.
Use placeholders and $wpdb->prepare(); found $option_name
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
Unescaped parameter $sql used in $wpdb->get_results()\n$sql assigned unsafely at line 1018.
Detected usage of a possibly undefined superglobal array index: $_GET['id']. Check that the array index exists before using it.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"<$tag $scope $id $class>$column_display_name</$tag>"'.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.
The $text parameter must be a single text string literal. Found: $auto_backup_db_before_update
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().
Detected usage of a non-sanitized input variable: $_ENV['MAGIC']
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().
Unescaped parameter $table_name used in $wpdb->get_row()\n$table_name assigned unsafely at line 103.
Use placeholders and $wpdb->prepare(); found interpolated variable $table_name at "SELECT option_value FROM $table_name WHERE option_name = %s LIMIT 1"
trigger_error() found. Debug code should not normally be used in production.
The plugin name includes a restricted term. Your chosen plugin name - "WPvivid Backup MainWP" - contains the restricted term "wp" which cannot be used at all in your plugin name.
Using cURL functions is highly discouraged. Use wp_remote_get() instead.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 1,048 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 273 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'wpvivid-backup-mainwp' but got 'mainwp'. | 242 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_GET['action'] not unslashed before sanitization. Use wp_unslash() or similar | 219 |
| WordPress.PHP.DevelopmentFunctions.error_log_error_log | WARNING | error_log() found. Debug code should not normally be used in production. | 135 |
| WordPress.Security.NonceVerification.Recommended | WARNING | Processing form data without nonce verification. | 128 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 120 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $option_name | 104 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 89 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $sql used in $wpdb->get_results()\n$sql assigned unsafely at line 1018. | 50 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_GET['id']. Check that the array index exists before using it. | 33 |
| WordPress.WP.AlternativeFunctions.curl_curl_setopt | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 27 |
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"<$tag $scope $id $class>$column_display_name</$tag>"'. | 26 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 25 |
| WordPress.DateTime.RestrictedFunctions.date_date | ERROR | date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead. | 18 |
| WordPress.WP.I18n.NonSingularStringLiteralText | ERROR | The $text parameter must be a single text string literal. Found: $auto_backup_db_before_update | 10 |
| badly_named_files | ERROR | File and folder names must not contain spaces or special characters. | 10 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fopen | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen(). | 8 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_ENV['MAGIC'] | 5 |
| WordPress.WP.AlternativeFunctions.file_system_operations_fclose | ERROR | File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose(). | 5 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $table_name used in $wpdb->get_row()\n$table_name assigned unsafely at line 103. | 4 |
| WordPress.DB.PreparedSQL.InterpolatedNotPrepared | WARNING | Use placeholders and $wpdb->prepare(); found interpolated variable $table_name at "SELECT option_value FROM $table_name WHERE option_name = %s LIMIT 1" | 4 |
| WordPress.PHP.DevelopmentFunctions.error_log_trigger_error | WARNING | trigger_error() found. Debug code should not normally be used in production. | 4 |
| trademarked_term | WARNING | The plugin name includes a restricted term. Your chosen plugin name - "WPvivid Backup MainWP" - contains the restricted term "wp" which cannot be used at all in your plugin name. | 3 |
| WordPress.WP.AlternativeFunctions.curl_curl_close | ERROR | Using cURL functions is highly discouraged. Use wp_remote_get() instead. | 2 |
Latest Snapshot
Findings
2,612
Errors
818
Warnings
1,794
Score History
First score snapshot
First scan completed Jun 20, 2026
v0.9.41 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 20, 2026
v0.9.41
25
Latest
- Findings
- 2,612
- Errors
- 818
- Warnings
- 1,794
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 20, 2026Latest | 25 | 2,612 | 818 | 1,794 | v0.9.41 | 2.0.0 | 2026.06-mvp-static-v2 |
