Security Issues

Test jQuery Updates

by Andrew Ozz · 1,000 active installations · v3.0.3

0 critical · 0 high · 118 medium · 9 low · 0 info
127 total findings · ai, phpcs · ⚠ Contains security findings — details embargoed until disclosure deadline

⏱ Disclosure Timeline

Audited & Notified: May 2, 2026
Security Summary (Day 30): Jun 1, 2026
Full Disclosure (Day 90): Jul 31, 2026

Findings

7 issues
ai class_wp_jquery_update_test.php:22
Overriding WordPress global $GLOBALS['concatenate_scripts']
The plugin directly assigns false to $GLOBALS['concatenate_scripts'] to prevent script concatenation so it can swap jQuery sources. While functional, overriding WordPress globals is prohibited by coding standards and may interfere with other plugins or caching systems. The plugin also defines CONCATENATE_SCRIPTS as false if not already defined — both approaches affect the entire WordPress request.
ai class_wp_jquery_update_test.php:11
Inconsistent indentation throughout the file
The plugin uses inconsistent tab indentation across many lines (PHPCS flagged 80+ indentation violations). While this has no functional or security impact, it makes the code harder to read and maintain and does not comply with WordPress coding standards.
ai class_wp_jquery_update_test.php:54
Inline comments do not end with punctuation
Several inline comments (lines 54, 66, 75, 134, 500) do not end with a full stop, exclamation mark, or question mark as required by WordPress coding standards. Code quality issue only.
ai class_wp_jquery_update_test.php:98
Missing translators comment for placeholder in __() call
Line 98 uses __() with a %s placeholder but has no // translators: comment on the preceding line to explain what the placeholder represents. This makes the string harder for translators to localize correctly.
ai class_wp_jquery_update_test.php:97
Embedded PHP tags not on their own lines
Lines 97 and 100 have PHP opening/closing tags (<?php and ?>) on the same line as content inside the settings_ui() method, violating the WordPress coding standard rule Squiz.PHP.EmbeddedPhp. Code quality issue only.
ai class_wp_jquery_update_test.php:1
Non-standard file naming conventions
The file class_wp_jquery_update_test.php uses underscores as separators. WordPress coding standards require hyphenated lowercase filenames (class-wp-jquery-update-test.php) and class files should be prefixed with 'class-'. This is a code quality issue with no security impact.
ai class_wp_jquery_update_test.php:11
Missing PHPDoc comments on most methods and class
The class WP_Jquery_Update_Test and most of its methods (__construct, init_actions, replace_scripts, set_script, settings_ui, add_menu_item, add_settings_link) lack /** ... */ docblock comments. Only activate(), uninstall(), and print_versions() have docblocks. This is a code quality issue.

🔒 Security Findings

3 issues

Security Findings — Restricted Access

Security details are shared with the plugin developer during the 90-day disclosure period.

Embargoed until Jul 31, 2026


PHP_CodeSniffer

117 coding standard violations
What is PHP_CodeSniffer?

PHP_CodeSniffer (PHPCS) is a static analysis tool that checks your PHP code against a set of coding standards. The violations below were caught using the WordPress Coding Standards ruleset — the official style guide for WordPress plugins. These aren't security issues, but they affect code consistency, readability, and long-term maintainability.

Run it yourself & auto-fix

Install PHPCS and the WordPress ruleset via Composer:

composer require --dev squizlabs/php_codesniffer wp-coding-standards/wpcs
./vendor/bin/phpcs --config-set installed_paths vendor/wp-coding-standards/wpcs

Then check your plugin:

./vendor/bin/phpcs --standard=WordPress wp-jquery-update-test/

Many violations can be fixed automatically with phpcbf (PHP Code Beautifier, bundled with PHPCS):

./vendor/bin/phpcbf --standard=WordPress wp-jquery-update-test/

phpcbf will auto-fix whitespace, indentation, and many formatting issues. Review the diff before committing.

117 violations found — run PHPCS locally (see above) to view the full list.