Yatra – Travel Booking & Tour Operator Software

WordPress travel booking plugin for tour operators. Trips, departures, payments, OTAs, AI. Free + Pro from $99/yr.

v3.0.8MantraBrainUpdated Added 600 installs92% rating100% support resolved
23
Score
2,211
Errors
3,994
Warnings
+0
Change

Category Scores

Security0
Repo90
Performance96
Maintainability0

Issues to Review

Prioritized issue groups from the latest Plugin Check scan

6,205 findings

Security

3,624

14 issue groups

Maintainability

2,491

10 issue groups

I18n

8

1 issue group

WARNINGMaintainabilityNon-prefixed global variableGlobal variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$$name".1,662
Category
Maintainability
Occurrences
1,662
Severity
warning

Sample message

Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$$name".

ERRORSecuritySQL query is not preparedUse placeholders and $wpdb->prepare(); found $activityId1,265
Category
Security
Occurrences
1,265
Severity
error

Sample message

Use placeholders and $wpdb->prepare(); found $activityId

WARNINGSecurityInterpolated SQL is not preparedUse placeholders and $wpdb->prepare(); found interpolated variable $placeholders at WHERE r.id IN ($placeholders)\n635
Category
Security
Occurrences
635
Severity
warning

Sample message

Use placeholders and $wpdb->prepare(); found interpolated variable $placeholders at WHERE r.id IN ($placeholders)\n

ERRORSecurityOutput is not escapedAll output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$activate_pro_text'.447
Category
Security
Occurrences
447
Severity
error

Sample message

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$activate_pro_text'.

WARNINGSecurityDatabase parameter is not escapedUnescaped parameter $availTable used in $wpdb->get_var()\n$availTable assigned unsafely at line 183.356
Category
Security
Occurrences
356
Severity
warning

Sample message

Unescaped parameter $availTable used in $wpdb->get_var()\n$availTable assigned unsafely at line 183.

WARNINGMaintainabilityDirect QueryUse of a direct database call is discouraged.328
Category
Maintainability
Occurrences
328
Severity
warning

Sample message

Use of a direct database call is discouraged.

WARNINGMaintainabilityNo CachingDirect database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().297
Category
Maintainability
Occurrences
297
Severity
warning

Sample message

Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().

WARNINGSecurityNonce verification recommendedProcessing form data without nonce verification.291
Category
Security
Occurrences
291
Severity
warning

Sample message

Processing form data without nonce verification.

WARNINGSecurityInput is not sanitizedDetected usage of a non-sanitized input variable: $_GET[$b]167
Category
Security
Occurrences
167
Severity
warning

Sample message

Detected usage of a non-sanitized input variable: $_GET[$b]

ERRORMaintainabilitydate datedate() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.144
Category
Maintainability
Occurrences
144
Severity
error

Sample message

date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.

Show 15 more
WARNINGSecurityRequest data is not unslashed144
Category
Security
Occurrences
144
Severity
warning

Sample message

$_GET[$b] not unslashed before sanitization. Use wp_unslash() or similar

ERRORSecurityDatabase parameter is not escaped126
Category
Security
Occurrences
126
Severity
error

Sample message

Unescaped parameter $approved used in $wpdb->get_results()\n$approved assigned unsafely at line 1163.

ERRORSecurityException output is not escaped78
Category
Security
Occurrences
78
Severity
error

Sample message

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"Cannot resolve dependency {$parameter->getName()}"'.

ERRORSecurityUnsafe printing function62
Category
Security
Occurrences
62
Severity
error

Sample message

All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.

WARNINGSecurityUnfinished Prepare26
Category
Security
Occurrences
26
Severity
warning

Sample message

Replacement variables found, but no valid placeholders found in the query.

ERRORMaintainabilityNot Allowed18
Category
Maintainability
Occurrences
18
Severity
error

Sample message

Use of heredoc syntax (<<<) is not allowed; use standard strings or inline HTML instead

WARNINGSecurityReplacements Wrong Number11
Category
Security
Occurrences
11
Severity
warning

Sample message

Incorrect number of replacements passed to $wpdb-&gt;prepare(). Found 1 replacement parameters, expected 2.

WARNINGMaintainabilityerror log error log9
Category
Maintainability
Occurrences
9
Severity
warning

Sample message

error_log() found. Debug code should not normally be used in production.

WARNINGSecurityInput is not validated9
Category
Security
Occurrences
9
Severity
warning

Sample message

Detected usage of a possibly undefined superglobal array index: $_POST[&#039;nonce&#039;]. Check that the array index exists before using it.

ERRORMaintainabilityparse url parse url9
Category
Maintainability
Occurrences
9
Severity
error

Sample message

parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead.

ERRORMaintainabilityunlink unlink9
Category
Maintainability
Occurrences
9
Severity
error

Sample message

unlink() is discouraged. Use wp_delete_file() to delete a file.

ERRORI18nMissing Translators Comment8
Category
I18n
Occurrences
8
Severity
error

Sample message

A function call to __() with texts containing placeholders was found, but was not accompanied by a "translators:" comment on the line above to clarify the meaning of the placeholders.

ERRORMaintainabilityMissing direct file access protection8
Category
Maintainability
Occurrences
8
Severity
error

Sample message

PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;

WARNINGMaintainabilityslow db query meta key7
Category
Maintainability
Occurrences
7
Severity
warning

Sample message

Detected usage of meta_key, possible slow query.

WARNINGSecuritywp redirect wp redirect7
Category
Security
Occurrences
7
Severity
warning

Sample message

wp_redirect() found. Using wp_safe_redirect(), along with the &quot;allowed_redirect_hosts&quot; filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.

External Connections

Potential connections found in static code analysis.

61 domains

Outbound calls

222

External assets

3

Incoming endpoints

75

Notable Domains

wpyatra.com67 · outbound
docs.wpyatra.com20 · outbound
youtube.com9 · outbound

Platform / Reference Domains

w3.org8 · platform/reference
wordpress.org8 · platform/reference
github.com7 · platform/reference
downloads.wordpress.org1 · platform/reference
schema.org1 · platform/reference

External Asset Domains

cdn.jsdelivr.net4 · asset + outbound
google.com3 · asset + outbound

Incoming Endpoints

/wp-json/yatra/v1/auth/loginREST

register_rest_route

/wp-json/yatra/v1/auth/registerREST

register_rest_route

/wp-json/yatra/v1/auth/resend-verificationREST

register_rest_route

/wp-json/yatra/v1/availability/recurring-rulesREST

register_rest_route

/wp-json/yatra/v1/availability/recurring-rules/(?P<id>\d+)REST

register_rest_route

/wp-json/yatra/v1/availability/recurring-rules/(?P<id>\d+)/exceptionsREST

register_rest_route

Admin AJAX endpoints18
wp_ajax_yatra_activate_proauthenticated

wp_ajax

wp_ajax_yatra_activate_themeauthenticated

wp_ajax

wp_ajax_yatra_activity_shortcode_loadauthenticated

wp_ajax

wp_ajax_yatra_ajax_loginauthenticated

wp_ajax

wp_ajax_yatra_destination_shortcode_loadauthenticated

wp_ajax

wp_ajax_yatra_discount_trip_shortcode_loadauthenticated

wp_ajax

wp_ajax_yatra_dismiss_noticeauthenticated

wp_ajax

wp_ajax_yatra_enable_feature_and_deactivateauthenticated

wp_ajax

wp_ajax_yatra_get_attribute_directauthenticated

wp_ajax

wp_ajax_yatra_go_to_featuresauthenticated

wp_ajax

wp_ajax_yatra_install_themeauthenticated

wp_ajax

wp_ajax_yatra_premium_redirectauthenticated

wp_ajax

6 more hidden

Score History

2 score snapshots

+0
1007550250Jun 25, 2026, 01:58 PM UTC Score 23/100 Plugin v3.0.7 Plugin Check 2.0.0 2,221 errors, 3,973 warningsJun 26, 2026, 07:44 AM UTC Score 23/100 Plugin v3.0.8 Plugin Check 2.0.0 2,211 errors, 3,994 warningsJun 25, 2026Jun 26, 2026

v3.0.8

23

Latest

Findings
6,205
Errors
2,211
Warnings
3,994
Check
2.0.0

v3.0.7

23

Score

Findings
6,194
Errors
2,221
Warnings
3,973
Check
2.0.0

Relationship Map

Author, categories, issues, domains, and nearby plugins.

37 nodes

Related Plugins