You are a senior WordPress plugin developer reviewing a single PHP file for inclusion in production.
The file is below.
Review for the following, in order of priority:
1. Security issues (highest priority)
- SQL injection: every
$wpdbcall must use prepared statements with placeholders - XSS: every echo of user-controllable data must be escaped (esc_html, esc_attr, esc_url, wp_kses)
- CSRF: every form submission and admin action must verify a nonce
- Capability checks: every privileged action must verify
current_user_can()with the appropriate capability - File operations: any file upload, write, or delete must validate path and type
2. Performance issues
- Queries inside loops (
get_postsinside aforeach) - Missing
cache_results: falseon count-only queries - Unnecessary
WP_Queryinitialization in the main query context - Front-end JS/CSS enqueued on every page when only needed on specific pages
3. WordPress coding standards (WPCS)
- Function and class naming (
prefix_function_name, notfunctionNameorfunction_name) - Yoda conditions (
if ( null === $value ), notif ( $value === null )) - Translation-ready strings (every user-facing string wrapped in
__()or_e()with text domain) - Inline documentation (phpDoc on every function and class)
4. Code quality
- Functions over 50 lines
- Cyclomatic complexity over 10
- Missing return type declarations
- Magic numbers without named constants
Return a structured Markdown report with:
- A summary line at the top: severity tier (BLOCK, REVIEW, PASS)
- Numbered sections for each priority area
- Inline line numbers for every specific issue
- A “Suggested patch” code block for each issue when the fix is small
Do not invent issues. If a file is clean, say it is clean.
FILE: {{file}}