Does this scanner pick up on vulnerable code that can be abused for a POP chain?
i.e.:

```php
// Check if "cache" cookie is set
if (isset($_COOKIE['mgpf_geo_coockie'])) {
    // Cookie value (attacker-controlled) is base64-decoded and passed straight to unserialize()
    $mdata = unserialize(stripslashes(base64_decode($_COOKIE['mgpf_geo_coockie'])));
    if ($mdata->ipAddress == $ip && $mdata->service == $mgpf_geo_data['service']) {
        return $mdata;
    }
}
```
I made a Docker container to do this and grab the latest repo. Here:
```shell
docker run --rm wp-analysis --slug=my-geo-posts-free --report=full --tag=1.2
```

```text
Running: php bin/check-plugin-by-slug.php --slug=my-geo-posts-free --report=full --tag=1.2
================================================================================
Checking my-geo-posts-free in /tmp/plugin-my-geo-posts-free88cWfI...
================================================================================

FILE: inc/signup.php
--------------------------------------------------------------------------------
FOUND 0 ERRORS AND 4 WARNINGS AFFECTING 3 LINES
--------------------------------------------------------------------------------
 28 | WARNING | Unescaped parameter $error_message used in echo
    |         | $error_message assigned unsafely at line 27:
    |         | $error_message = $response->get_error_message()
    |         | $response assigned unsafely at line 7:
    |         | $response = wp_remote_post( $url, array(
    |         |     'method' => 'POST',
    |         |     'timeout' => 45,
    |         |     'redirection' => 5,
    |         |     'httpversion' => '1.0',
    |         |     'blocking' => true,
    |         |     'headers' => array(),
    |         |     'body' => array(
    |         |         'action'=>'plugin_signup_form',
    |         |         'plugin_name'=>$sunrise->name,
    |         |         'name' => $_POST['name'],
    |         |         'email' => $_POST['email'],
    |         |         'admin_email'=>get_bloginfo('admin_email'),
    |         |         'blog'=>get_bloginfo('url')
    |         |     ),
    |         |     'cookies' => array()
    |         |     )
    |         | )
    |         | $_POST['name'] used without escaping.
    |         | $_POST['email'] used without escaping.
    |         | (WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter)
 28 | WARNING | All output should be run through an escaping function (see the
    |         | Security sections in the WordPress Developer Handbooks), found
    |         | '"Something went wrong: $error_message"'.
    |         | (WordPress.Security.EscapeOutput.OutputNotEscaped)
 74 | WARNING | Unescaped parameter plugins_url('/images/newsletter.png',
    |         | __FILE__) used in echo
    |         | (WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter)
 82 | WARNING | Unescaped parameter plugins_url('/images/new_sub_button.png',
    |         | __FILE__) used in echo
    |         | (WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter)
--------------------------------------------------------------------------------

FILE: my-geo-posts-free.php
--------------------------------------------------------------------------------
FOUND 0 ERRORS AND 3 WARNINGS AFFECTING 2 LINES
--------------------------------------------------------------------------------
 58 | WARNING | Unescaped parameter plugins_url('/inc/images/geo_large.png',
    |         | __FILE__) used in echo
    |         | (WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter)
 79 | WARNING | Unescaped parameter $mgpf_geo_data['api'] used in echo
    |         | (WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter)
 79 | WARNING | All output should be run through an escaping function (see the
    |         | Security sections in the WordPress Developer Handbooks), found
    |         | '$mgpf_geo_data['api']'.
    |         | (WordPress.Security.EscapeOutput.OutputNotEscaped)
--------------------------------------------------------------------------------
```
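The kind of check the question above is asking for, as an added example that is not part of the scanner or the plugin discussed in this issue: a small flow-insensitive taint pass in Python that flags `unserialize()` calls whose argument comes from a PHP superglobal, directly or through `$var = expr;` assignments, and treats a call that restricts `allowed_classes` as mitigated. The PHP input is a constructed sample modelled on the quoted snippet, and the `SUPERGLOBALS` list and regexes are the example's own assumptions.

```python
import re

# Constructed PHP sample modelled on the snippet quoted in the issue (not the plugin's file).
SAMPLE_PHP = """<?php
if (isset($_COOKIE['mgpf_geo_coockie'])) {
    $raw = base64_decode($_COOKIE['mgpf_geo_coockie']);
    $mdata = unserialize(stripslashes($raw));                          // tainted: flagged
}
$safe = unserialize(stripslashes($raw), ['allowed_classes' => false]);  // no objects: skipped
$cfg = unserialize(file_get_contents(__DIR__ . '/cache.ser'));         // not request data
"""

SUPERGLOBALS = ("$_COOKIE", "$_GET", "$_POST", "$_REQUEST", "$_SERVER", "$_FILES")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=(?!=)\s*(.+?);")   # single-line `$var = expr;`
VAR_RE = re.compile(r"\$\w+")
CALL_RE = re.compile(r"\bunserialize\s*\(")

def _call_args(src, open_paren):
    """Return the text inside the parentheses that open at src[open_paren]."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]  # unbalanced source: take the rest

def _tainted(expr, tainted_vars):
    """True if expr reads a superglobal or a variable already marked tainted."""
    return any(g in expr for g in SUPERGLOBALS) or any(
        v in tainted_vars for v in VAR_RE.findall(expr))

def find_unsafe_unserialize(php_src):
    """Return (line, call) pairs for unserialize() fed by request-controlled data.
    Flow-insensitive: taint follows `$var = expr;` assignments in source order; a
    call that passes allowed_classes is treated as mitigated and skipped."""
    tainted, findings = set(), []
    for m in ASSIGN_RE.finditer(php_src):
        if _tainted(m.group(2), tainted):
            tainted.add(m.group(1))
    for m in CALL_RE.finditer(php_src):
        args = _call_args(php_src, m.end() - 1)
        if "allowed_classes" not in args and _tainted(args, tainted):
            line = php_src.count("\n", 0, m.start()) + 1
            findings.append((line, "unserialize(" + args.strip() + ")"))
    return findings
```

Run against `SAMPLE_PHP` it reports only line 4; the `allowed_classes` call and the local-file call are not flagged.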