A multi-featured plugin to embed YouTube in WordPress. Embed a video, YouTube channel gallery, playlist, or YouTube livestream. Defer JavaScript too!
Category Scores
Top Issues by Category
security649
i18n58
maintainability49
Issues Details
766 issues found in latest scan
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$array['align']'.
All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.
Detected usage of a possibly undefined superglobal array index: $_POST['options']. Check that the array index exists before using it.
$_POST['options'] not unslashed before sanitization. Use wp_unslash() or similar
Detected usage of a non-sanitized input variable: $_POST['options']
Processing form data without nonce verification.
Mismatched text domain. Expected 'youtube-embed-plus' but got 'text_domain'.
rand() is discouraged. Use the far less predictable wp_rand() instead.
Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete().
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header.
Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$all_yt_options".
Found single-underscore "_()" function when double-underscore expected.
Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "ytprefs_filter_the_content_light".
Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "EPYTGB_INCLUDES_PATH".
print_r() found. Debug code should not normally be used in production.
parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead.
PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;
Function "register_block_type()" requires WordPress 5.0.0, but your plugin minimum supported version is WordPress 4.5.0.
Plugin folders are deleted when upgraded. Do not save data to the plugin folder using fwrite(). Detected usage of __FILE__ or __DIR__ magic constant. Use wp_upload_dir() to get the uploads directory path or save to the database instead.
Unescaped parameter $vi_table_name used in $wpdb->query()\n$vi_table_name assigned unsafely at line 26.
Unescaped parameter $sql used in $wpdb->query()\n$sql assigned unsafely at line 1830.
| Code | Type | Message | Count |
|---|---|---|---|
| WordPress.Security.EscapeOutput.OutputNotEscaped | ERROR | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$array['align']'. | 413 |
| WordPress.Security.EscapeOutput.UnsafePrintingFunction | ERROR | All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'. | 70 |
| WordPress.Security.ValidatedSanitizedInput.InputNotValidated | WARNING | Detected usage of a possibly undefined superglobal array index: $_POST['options']. Check that the array index exists before using it. | 44 |
| WordPress.WP.I18n.MissingArgDomain | ERROR | Missing $domain parameter in function call to __(). | 43 |
| WordPress.Security.ValidatedSanitizedInput.MissingUnslash | WARNING | $_POST['options'] not unslashed before sanitization. Use wp_unslash() or similar | 42 |
| WordPress.Security.ValidatedSanitizedInput.InputNotSanitized | WARNING | Detected usage of a non-sanitized input variable: $_POST['options'] | 40 |
| WordPress.Security.NonceVerification.Missing | WARNING | Processing form data without nonce verification. | 35 |
| WordPress.WP.I18n.TextDomainMismatch | ERROR | Mismatched text domain. Expected 'youtube-embed-plus' but got 'text_domain'. | 11 |
| WordPress.WP.AlternativeFunctions.rand_rand | ERROR | rand() is discouraged. Use the far less predictable wp_rand() instead. | 8 |
| WordPress.DB.DirectDatabaseQuery.DirectQuery | WARNING | Use of a direct database call is discouraged. | 6 |
| WordPress.DB.DirectDatabaseQuery.NoCaching | WARNING | Direct database call without caching detected. Consider using wp_cache_get() / wp_cache_set() or wp_cache_delete(). | 6 |
| WordPress.WP.AlternativeFunctions.strip_tags_strip_tags | ERROR | strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead. | 6 |
| WordPress.WP.EnqueuedResourceParameters.NotInFooter | WARNING | In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header. | 5 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound | WARNING | Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$all_yt_options". | 4 |
| WordPress.WP.I18n.SingleUnderscoreGetTextFunction | ERROR | Found single-underscore "_()" function when double-underscore expected. | 4 |
| WordPress.DB.PreparedSQL.NotPrepared | ERROR | Use placeholders and $wpdb->prepare(); found $query_sql | 3 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound | WARNING | Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: "ytprefs_filter_the_content_light". | 3 |
| WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedConstantFound | WARNING | Global constants defined by a theme/plugin should start with the theme/plugin prefix. Found: "EPYTGB_INCLUDES_PATH". | 2 |
| WordPress.PHP.DevelopmentFunctions.error_log_print_r | WARNING | print_r() found. Debug code should not normally be used in production. | 2 |
| WordPress.WP.AlternativeFunctions.parse_url_parse_url | ERROR | parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead. | 2 |
| missing_direct_file_access_protection | ERROR | PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit; | 2 |
| wp_function_not_compatible_with_requires_wp | ERROR | Function "register_block_type()" requires WordPress 5.0.0, but your plugin minimum supported version is WordPress 4.5.0. | 2 |
| PluginCheck.CodeAnalysis.WriteFile.PluginDirectoryWrite | ERROR | Plugin folders are deleted when upgraded. Do not save data to the plugin folder using fwrite(). Detected usage of __FILE__ or __DIR__ magic constant. Use wp_upload_dir() to get the uploads directory path or save to the database instead. | 1 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | WARNING | Unescaped parameter $vi_table_name used in $wpdb->query()\n$vi_table_name assigned unsafely at line 26. | 1 |
| PluginCheck.Security.DirectDB.UnescapedDBParameter | ERROR | Unescaped parameter $sql used in $wpdb->query()\n$sql assigned unsafely at line 1830. | 1 |
Latest Snapshot
Findings
766
Errors
571
Warnings
195
Score History
First score snapshot
First scan completed Jun 19, 2026
v14.2.6 · Plugin Check 2.0.0 · Model 2026.06-mvp-static-v2
Jun 19, 2026
v14.2.6
34
Latest
- Findings
- 766
- Errors
- 571
- Warnings
- 195
- Plugin Check
- 2.0.0
- Model
- 2026.06-mvp-static-v2
| Scan | Score | Findings | Errors | Warnings | Plugin | Plugin Check | Model |
|---|---|---|---|---|---|---|---|
| Jun 19, 2026Latest | 34 | 766 | 571 | 195 | v14.2.6 | 2.0.0 | 2026.06-mvp-static-v2 |
