Public scan — anyone with this URL can view this analysis. Sign up to track your own repos privately, run scheduled re-scans, and get AI fix prompts via your dashboard.
Sign up free Scan another repo
17 of your 41 findings came from Repobility's proprietary detections. ✓ Repobility tags below mark them.

wordpress/wordpress

https://github.com/wordpress/wordpress · scanned 2026-05-20 14:54 UTC (3 weeks, 2 days ago) · 10 languages

360 raw signals (30 security + 330 graph) 11/13 scanners ran 0th percentile · Php · large (100-500K LoC) System graph score 73 (lower by 23)

File as issue Image
UNIFIED Repobility · multi-layer engine · AI coders

Complete repo analysis

Last scanned 3 weeks, 2 days ago · v2 · 183 actionable findings from 2 signal sources. 12 repeated signals grouped for readability. Security checks, system graph analysis, and verified AI-agent feedback are merged into one review queue.

JSON
Combined
68.5
/100
Security checks
64
18 findings
System graph
73
100.0% cov · 165 findings
Critical
2
click to filter
Agents
6
0 votes
Crowd
0
reported
Score breakdown â 2026-05-18-v5
Component Sub-score Weight Contribution
structure_score 40.0 0.15 6.00
security_score 100.0 0.25 25.00
testing_score 0.0 0.20 0.00
documentation_score 68.0 0.15 10.20
practices_score 30.0 0.15 4.50
code_quality 50.0 0.10 5.00
Overall 1.00 50.7
security_score may be inflated — optional security scanners were skipped on this fast scan
Severity distribution — click a segment to filter
Active filters: excluding tests × Reset all
Severity: Critical 2 High 4 Medium 27 Low 105 9-Layer: Software Security Quality Integrity Frontend Hardware Data Network Cicd Source: Security checks 18 System graph 165 Crowd 0 Layer: Quality 71 Software 52 Frontend 43 Security 15 Cicd 1 Api 1
Scan summary Quality grade C- (51/100). Dimensions: security 100, maintainability 40. 30 findings. 161,514 lines analyzed.

Showing 138 of 183 actionable findings. 195 raw detector signals were grouped into reader-sized issues. Click TP / FP to vote on a finding's accuracy — votes adjust the confidence weighting and improve detection across the platform.

critical System graph security Secrets conf 1.00 Possible secret in wp-admin/js/auth-app.js
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
wp-admin/js/auth-app.js:84
critical System graph security Secrets conf 1.00 Possible secret in wp-admin/js/auth-app.min.js
Detected pattern matching password_literal. Rotate the credential and move to a secret manager.
wp-admin/js/auth-app.min.js:2
high System graph security security conf 1.00 Insecure pattern 'eval_used' in wp-includes/js/jquery/jquery.form.min.js:1
Found a known-risky pattern (eval_used). Review and replace if possible.
wp-includes/js/jquery/jquery.form.min.js:1 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in wp-includes/js/jquery/jquery.schedule.js:30
Found a known-risky pattern (eval_used). Review and replace if possible.
wp-includes/js/jquery/jquery.schedule.js:30 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in wp-includes/js/tinymce/tiny_mce_popup.js:192
Found a known-risky pattern (eval_used). Review and replace if possible.
wp-includes/js/tinymce/tiny_mce_popup.js:192 Eval used
high System graph security security conf 1.00 Insecure pattern 'eval_used' in wp-includes/js/tw-sack.js:119
Found a known-risky pattern (eval_used). Review and replace if possible.
wp-includes/js/tw-sack.js:119 Eval used
medium Security checks quality Practices conf 1.00 [CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
Add a .gitignore appropriate for your language/framework.
medium Security checks software Open redirect conf 1.00 [SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030.
Validate the URL is same-origin or on an explicit allowlist before assignment: const u = new URL(serverUrl, location.href); if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return; location.assign(u); Even better: have the server return a path (/checkout/done) instead of a full …
wp-admin/js/privacy-tools.js:91
medium Security checks quality Quality Average file size is 519 lines (recommend <300)
Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle — each module should have one clear purpose.
medium Security checks quality Quality conf 0.82 Vendored upstream framework tree is mixed with application code
Prefer package management, submodules, or a clearly isolated vendor path. If the copy is intentional, add scanner ignore rules and document the supported customization boundaries.
wp-includes:1
medium Security checks quality Quality conf 0.82 Vendored upstream framework tree is mixed with application code
Prefer package management, submodules, or a clearly isolated vendor path. If the copy is intentional, add scanner ignore rules and document the supported customization boundaries.
wp-admin:1
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — wp-admin/js/customize-controls.js:4267
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — wp-admin/js/customize-controls.min.js:2
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — wp-admin/js/revisions.js:321
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — wp-admin/js/revisions.min.js:2
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — wp-admin/js/widgets/media-widgets.js:608
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — wp-admin/js/widgets/media-widgets.min.js:2
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — wp-includes/js/media-grid.js:97
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — wp-includes/js/media-grid.min.js:2
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — wp-includes/js/media-models.js:36
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — wp-includes/js/media-models.min.js:2
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — wp-includes/js/media-views.js:900
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — wp-includes/js/media-views.min.js:2
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — wp-includes/js/wp-api.js:397
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph quality Integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — wp-includes/js/wp-api.min.js:2
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
runtime safetyRobustness
medium System graph security security conf 1.00 Insecure pattern 'cors_wildcard' in wp-includes/js/mediaelement/mediaelement-and-player.min.js:12
Found a known-risky pattern (cors_wildcard). Review and replace if possible.
wp-includes/js/mediaelement/mediaelement-and-player.min.js:12 Cors wildcard
medium System graph security security conf 1.00 Insecure pattern 'cors_wildcard' in wp-includes/js/mediaelement/mediaelement.min.js:12
Found a known-risky pattern (cors_wildcard). Review and replace if possible.
wp-includes/js/mediaelement/mediaelement.min.js:12 Cors wildcard
medium System graph security security conf 1.00 Insecure pattern 'cors_wildcard' in wp-includes/js/plupload/moxie.min.js:1
Found a known-risky pattern (cors_wildcard). Review and replace if possible.
wp-includes/js/plupload/moxie.min.js:1 Cors wildcard
medium System graph security security conf 1.00 Insecure pattern 'cors_wildcard' in wp-includes/js/tinymce/tinymce.min.js:2
Found a known-risky pattern (cors_wildcard). Review and replace if possible.
wp-includes/js/tinymce/tinymce.min.js:2 Cors wildcard
medium System graph security security conf 1.00 Insecure pattern 'cors_wildcard' in wp-includes/js/tinymce/wp-tinymce.js:3
Found a known-risky pattern (cors_wildcard). Review and replace if possible.
wp-includes/js/tinymce/wp-tinymce.js:3 Cors wildcard
medium System graph security Coverage conf 1.00 No auth library detected
The scanner did not find any standard auth library (JWT, OAuth, NextAuth, Auth0, etc.). Either auth lives in custom code, in a separate service, or is missing.
auth
medium System graph cicd CI/CD security conf 1.00 No CI/CD pipelines detected
No GitHub Actions, GitLab CI, or CircleCI configs found. Without CI you can't gate deploys on tests/lints.
CI/CD securityCoverage
medium System graph quality Tests conf 1.00 Very low test-to-source ratio
0 test file(s) for 456 source file(s) (ratio 0.00). Consider adding integration or unit tests for critical paths.
Coverage
low Security checks quality Quality conf 0.60 Duplicated implementation block across source files
Duplicate implementation blocks are maintenance debt. Keep them visible, but they are not a high-severity defect unless the duplicated logic is security-sensitive or drifting.
wp-content/themes/twentysixteen/index.php:1 duplicationquality
low System graph quality Maintenance conf 1.00 111 TODO/FIXME markers
High count of TODO/FIXME/HACK markers — track them as issues so they're not forgotten.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/accordion.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/auth-app.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/auth-app.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/color-picker.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/comment.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/comment.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/custom-background.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/custom-background.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/custom-header.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/dashboard.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/edit-comments.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/farbtastic.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/gallery.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/gallery.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/image-edit.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/inline-edit-post.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/inline-edit-post.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/inline-edit-tax.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/inline-edit-tax.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/iris.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/language-chooser.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/language-chooser.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/link.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/media-gallery.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/media-gallery.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/media-upload.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/media.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/password-strength-meter.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/postbox.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/revisions.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/revisions.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/set-post-thumbnail.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/set-post-thumbnail.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/svg-painter.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/svg-painter.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/tags-box.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/tags-box.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/updates.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/updates.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/user-suggest.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/widgets.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/widgets/media-audio-widget.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/widgets/media-gallery-widget.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/widgets/media-image-widget.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/widgets/media-video-widget.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/widgets/media-widgets.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/widgets/text-widgets.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/word-count.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/xfn.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph software Dead code candidate conf 1.00 File has no detected symbols: wp-admin/js/xfn.min.js
Source file with no class/function declarations — possible config, dead code, or scratch file.
low System graph security security conf 1.00 Insecure pattern 'document_write' in wp-includes/js/tinymce/tiny_mce_popup.js:237
Found a known-risky pattern (document_write). Review and replace if possible.
wp-includes/js/tinymce/tiny_mce_popup.js:237 Document write
low System graph security security conf 1.00 Insecure pattern 'document_write' in wp-includes/js/tinymce/tinymce.min.js:2
Found a known-risky pattern (document_write). Review and replace if possible.
wp-includes/js/tinymce/tinymce.min.js:2 Document write
low System graph security security conf 1.00 Insecure pattern 'document_write' in wp-includes/js/tinymce/wp-tinymce.js:3
Found a known-risky pattern (document_write). Review and replace if possible.
wp-includes/js/tinymce/wp-tinymce.js:3 Document write
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `actions_copy` in wp-includes/js/clipboard.js:139
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `pdataOld` in wp-includes/js/jquery/jquery.js:5819
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph quality Integrity conf 1.00 Old/deprecated-named symbol `pg_end_copy` in wp-includes/js/codemirror/codemirror.min.js:11
Names with suffixes like `_old`, `_v1`, `_deprecated` usually indicate replaced-but-not-removed code (typical AI-coder leftover). Confirm and delete, or rename if it's the active version.
old markerDead code
low System graph frontend Frontend quality conf 1.00 React Flow edge with `label=` but no project-wide edge-label CSS override — wp-includes/js/jquery/ui/autocomplete.min.js:9
React Flow edge labels render with a white rectangle behind the text by default, which scatters bright boxes across a dark canvas. Either drop the label, or override `.react-flow__edge-textbg` and `.react-flow__edge-text` in your stylesheet. Why: P-H in CHECKLIST.md — vendor edge labels bleed whit…
Fq edge label no bg
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-admin/js/editor.js:1222
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-admin/js/password-strength-meter.js:63
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-admin/js/password-strength-meter.min.js:2
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-admin/js/updates.js:349
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-admin/js/updates.min.js:2
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/codemirror/codemirror.min.js:11
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/jquery/jquery-migrate.js:97
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/jquery/jquery-migrate.min.js:2
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/jquery/jquery.form.js:1534
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/jquery/jquery.form.min.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/plupload/moxie.js:1183
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/plupload/moxie.min.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/tinymce/plugins/compat3x/plugin.js:31
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/tinymce/plugins/compat3x/plugin.min.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/tinymce/plugins/paste/plugin.js:28
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/tinymce/plugins/paste/plugin.min.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/tinymce/plugins/wpdialogs/plugin.js:48
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/tinymce/plugins/wpdialogs/plugin.min.js:1
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/tinymce/tinymce.min.js:2
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/tinymce/wp-tinymce.js:3
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/twemoji.js:216
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/wp-api.js:1197
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph frontend Frontend quality conf 1.00 Stray `console.log` in TS/JS — wp-includes/js/wp-api.min.js:2
Replace with the toast helper, an error boundary, or remove. `console.warn` / `console.error` are acceptable. Why: Hygiene — easy to leak debug output. Rule id: fq.console-leak
Fq console leak
low System graph api Wiring conf 1.00 Unused endpoint: GET
`wp-includes/js/tinymce/wp-tinymce.js` declares `GET ` but no frontend code we scanned calls it. This is fine if the endpoint serves external clients (mobile app, third-party, server-side webhooks). Otherwise it's dead code — consider removing or documenting who consumes it.
Unused endpoint
low System graph quality Complexity conf 1.00 Very large file: wp-admin/js/common.js (2358 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-admin/js/customize-controls.js (9389 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-admin/js/customize-nav-menus.js (3556 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-admin/js/customize-widgets.js (2373 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-admin/js/nav-menu.js (1904 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-admin/js/theme.js (2132 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-admin/js/updates.js (3495 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-includes/js/backbone.js (2157 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-includes/js/codemirror/csslint.js (10858 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-includes/js/codemirror/esprima.js (6708 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-includes/js/jquery/jquery.js (10716 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-includes/js/jquery/ui/datepicker.js (2240 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-includes/js/media-views.js (10566 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-includes/js/mediaelement/mediaelement-and-player.js (8540 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-includes/js/mediaelement/mediaelement.js (3984 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-includes/js/plupload/moxie.js (9904 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-includes/js/plupload/plupload.js (2379 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-includes/js/tinymce/plugins/lists/plugin.js (2148 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-includes/js/tinymce/plugins/paste/plugin.js (2367 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-includes/js/tinymce/themes/inlite/theme.js (9792 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-includes/js/tinymce/themes/modern/theme.js (9607 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
low System graph quality Complexity conf 1.00 Very large file: wp-includes/js/underscore.js (2063 lines)
Files with >800 lines often hide complexity hotspots and discourage tests.
For AI agents: Voting guide (TP/FP) MCP manifest Stdio wrapper SARIF Integrate Findings queue Vote TP/FP on findings to calibrate the engine.
For AI agents + API integrations
Email me when this repo regresses
Free. We re-scan periodically; new criticals → your inbox. No signup required for the scan itself.
API access

This page is publicly accessible at: https://repobility.com/scan/d9dc5cbb-cc4d-4a84-828d-f7c23a11ff2a/

To check status programmatically (no auth required): 

curl -s https://repobility.com/api/v1/public/scan/d9dc5cbb-cc4d-4a84-828d-f7c23a11ff2a/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.