PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a value reaching a `$wpdb` query (a table or column name, a `WHERE` value, an `ORDER BY` field or direction, a `LIMIT`) that appears to originate from dynamic input, such as a request parameter, a variable, or a function return, rather than a literal, and that is interpolated or concatenated into the SQL string instead of being bound through `$wpdb->prepare()` or restricted to a fixed set of allowed values.
Why It Matters
A value spliced into an SQL string becomes part of the statement. If an attacker controls it, they can change what the statement does: extend a `WHERE` clause to match every row, read or modify tables the query never meant to touch, or use `ORDER BY` and `LIMIT` positions to break the query and probe for errors. Even when the value is not attacker-controlled today, an unprepared query is fragile: a single quote in legitimate data is enough to break it, and the next refactor may route user input into the same code path.
How to Fix
- Use `$wpdb->prepare()` for every value, with `%s`, `%d` or `%f` placeholders. `prepare()` quotes `%s` itself, so write `LIKE %s`, not `LIKE '%s'`, and put a literal `%` in the bound value (escaped with `$wpdb->esc_like()`), never in the format string, where `%` marks a placeholder.
- Use explicit allowlists for table names, column names, order fields, and directions. These are identifiers and keywords, not values: binding them with `%s` yields `ORDER BY 'title'`, a string literal rather than a column. Compare the input against a fixed array (`in_array( $x, $allowed, true )`) and fall back to a default. From WordPress 6.2 `prepare()` also accepts `%i` for identifiers, which backtick-quotes them; an allowlist is still the right control, and `%i` does not cover `ASC`/`DESC`.
- Sanitize and validate request data before it reaches query construction, using `wp_unslash()` followed by `sanitize_text_field()`, `sanitize_key()`, `absint()` and similar. Sanitization is not an SQL escape: `sanitize_text_field()` leaves quotes in place, so it complements `prepare()` rather than replacing it.
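As an added example (not code from Plugin Check or from any plugin listed on this page), here is the pattern the check flags beside its fixed form. The table `{$wpdb->prefix}example_events`, its columns and the request parameters are hypothetical:

```php
<?php
/**
 * Added example, not code from Plugin Check or from any listed plugin.
 * Assumes a hypothetical custom table "{$wpdb->prefix}example_events" with
 * columns id, title and created_at, queried from GET parameters.
 */

// BEFORE: title, sort column and direction are spliced into the SQL string.
// This is what the check flags: all three are attacker-controlled.
function example_events_unprepared() {
    global $wpdb;
    $title   = isset( $_GET['title'] )   ? wp_unslash( $_GET['title'] )   : '';
    $orderby = isset( $_GET['orderby'] ) ? wp_unslash( $_GET['orderby'] ) : 'id';
    $dir     = isset( $_GET['dir'] )     ? wp_unslash( $_GET['dir'] )     : 'ASC';

    $sql = "SELECT * FROM {$wpdb->prefix}example_events"
         . " WHERE title LIKE '%" . $title . "%'"   // value injection
         . ' ORDER BY ' . $orderby . ' ' . $dir;    // identifier/keyword injection
    return $wpdb->get_results( $sql );
}

// AFTER: values are bound with prepare(); everything prepare() cannot bind
// (column names, ASC/DESC) is reduced to a fixed set before reaching the query.
function example_events_prepared() {
    global $wpdb;

    // Sanitize first. sanitize_text_field() is not an SQL escape: it strips tags
    // and control characters but leaves quotes, so it does not replace prepare().
    $title   = isset( $_GET['title'] )   ? sanitize_text_field( wp_unslash( $_GET['title'] ) ) : '';
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) )      : 'id';
    $dir     = isset( $_GET['dir'] )     ? strtoupper( sanitize_key( wp_unslash( $_GET['dir'] ) ) ) : 'ASC';

    // Allowlist identifiers and keywords. Binding these with %s would produce
    // ORDER BY 'title', a string literal, not a column reference.
    $columns = array( 'id', 'title', 'created_at' );
    if ( ! in_array( $orderby, $columns, true ) ) {
        $orderby = 'id';
    }
    $dir = ( 'DESC' === $dir ) ? 'DESC' : 'ASC';

    // LIKE wildcards inside the value are escaped with esc_like(); the surrounding
    // '%' go into the value, not the format string, where '%' marks a placeholder.
    $like = '%' . $wpdb->esc_like( $title ) . '%';

    // The table name is $wpdb->prefix plus a constant, not input, so interpolating
    // it is fine. %s is quoted by prepare() itself; never write '%s'.
    $table = $wpdb->prefix . 'example_events';
    $sql   = $wpdb->prepare(
        "SELECT id, title, created_at FROM {$table} WHERE title LIKE %s ORDER BY {$orderby} {$dir} LIMIT %d",
        $like,
        50
    );
    return $wpdb->get_results( $sql );
}

// Since WordPress 6.2, prepare() also accepts %i for identifiers and backtick-quotes
// them. $orderby and $dir are assumed to have passed the allowlist above: %i turns an
// unknown column into a failing query rather than an injection, but does not cover
// ASC/DESC, so the direction still needs the allowlist.
function example_events_prepared_wp62( $like, $orderby, $dir ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_events';
    $sql   = $wpdb->prepare(
        "SELECT id, title, created_at FROM {$table} WHERE title LIKE %s ORDER BY %i {$dir} LIMIT %d",
        $like,
        $orderby,
        50
    );
    return $wpdb->get_results( $sql );
}
```

The structure to keep in mind: `prepare()` protects the places where SQL expects a value; allowlists protect the places where SQL expects a name or keyword; sanitization cleans the input before either, without standing in for them.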
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #751 | Advanced WordPress Reset – Debug, Recover & Reset WP | 25 | 475 | 464 | 20k+ | Output is not escaped |
| #752 | AF Companion – Starter Sites, Speed Booster & Growth Suite for Professional Publishing | 25 | 665 | 1,486 | 10k+ | Non-prefixed global variable |
| #753 | Affiliates | 25 | 689 | 1,483 | 2k+ | Output is not escaped |
| #754 | FiboSearch – Ajax Search for WooCommerce | 25 | 603 | 302 | 100k+ | Output is not escaped |
| #755 | AliExpress Dropshipping Plugin for WooCommerce Stores | 25 | 550 | 728 | 5k+ | Text Domain Mismatch |
| #756 | All 404 Redirect to Homepage | 25 | 140 | 301 | 200k+ | date_date |
| #757 | AIO Forms – Craft Complex Forms Easily | 25 | 189 | 418 | 700 | Mixed line endings |
| #758 | Animated Number Counters | 25 | 408 | 1,949 | 2k+ | Non-prefixed global variable |
| #759 | Appointment Booking Calendar | 25 | 327 | 1,055 | 1k+ | Non-prefixed global variable |
| #760 | Appointment Hour Booking – Booking Calendar | 25 | 261 | 1,254 | 10k+ | Non-prefixed global variable |
| #761 | ATUM WooCommerce Inventory Management and Stock Tracking | 25 | 2,638 | 1,304 | 10k+ | Non Singular String Literal Domain |
| #762 | bbp style pack | 25 | 1,419 | 1,792 | 6k+ | Output is not escaped |
| #763 | BlockSpare – Gutenberg Post Grid Blocks for News, Magazine & Blog Websites | 25 | 1,327 | 1,714 | 10k+ | Non-prefixed global variable |
| #764 | Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid | 25 | 243 | 854 | 50k+ | Non-prefixed global variable |
| #765 | Booking Activities | 25 | 1,036 | 1,469 | 3k+ | Output is not escaped |
| #766 | Booking Calendar Contact Form | 25 | 371 | 884 | 500 | Input is not validated |
| #767 | Booking Package | 25 | 1,703 | 3,977 | 10k+ | Missing nonce verification |
| #768 | Online Scheduling and Appointment Booking System – Bookly | 25 | 3,528 | 870 | 60k+ | Text Domain Mismatch |
| #769 | Broken Link Checker | 25 | 727 | 600 | 500k+ | Output is not escaped |
| #770 | BuddyPress Docs | 25 | 284 | 421 | 7k+ | Nonce verification recommended |
| #771 | SilentShield – Captcha & Anti-Spam for WordPress (CF7, WPForms, Elementor, WooCommerce) | 25 | 235 | 214 | 10k+ | Database parameter is not escaped |
| #772 | GSheetConnector for CF7 – Connect Contact Form 7 to Google Sheets and Send Form Submissions in Real Time | 25 | 614 | 1,431 | 40k+ | Non-prefixed global variable |
| #773 | CheckoutWC Lite | 25 | 1,399 | 852 | 3k+ | Text Domain Mismatch |
| #774 | CheckView – Form & Checkout Testing | 25 | 66 | 337 | 1k+ | Direct Query |
| #775 | Admin Columns | 25 | 613 | 995 | 100k+ | Non-prefixed namespace |
| #776 | Colissimo shipping methods for WooCommerce | 25 | 1,755 | 557 | 10k+ | Text Domain Mismatch |
| #777 | Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode | 25 | 99 | 1,040 | 700k+ | Non-prefixed global variable |
| #778 | Disable Comments & Delete All Comments | 25 | 503 | 185 | 9k+ | Output is not escaped |
| #779 | Coinbase Business Gateway for WooCommerce | 25 | 569 | 1,317 | 800 | Non-prefixed global variable |
| #780 | Conditional Payment Methods for WooCommerce | 25 | 548 | 1,398 | 1k+ | Non-prefixed global variable |
| #781 | Contact Form DB Divi | 25 | 533 | 1,299 | 3k+ | Non-prefixed global variable |
| #782 | Contact Form Email | 25 | 409 | 898 | 9k+ | Non-prefixed global variable |
| #783 | Coupon Creator | 25 | 698 | 412 | 1k+ | Output is not escaped |
| #784 | CP Contact Form with PayPal | 25 | 466 | 936 | 800 | Unsafe printing function |
| #785 | Cryptocurrency Payment Gateway | 25 | 1,963 | 589 | 400 | Text Domain Mismatch |
| #786 | CSS & JavaScript Toolbox | 25 | 155 | 617 | 10k+ | Non-prefixed class |
| #787 | Smash Balloon Social Post Feed – Simple Social Feeds for WordPress | 25 | 554 | 982 | 200k+ | Output is not escaped |
| #788 | DecaLog | 25 | 943 | 236 | 1k+ | Exception output is not escaped |
| #789 | Demo Importer Plus | 25 | 58 | 239 | 10k+ | Non-prefixed hook name |
| #790 | Disable Admin Notices – Hide Dashboard Notifications | 25 | 465 | 195 | 100k+ | Output is not escaped |
| #791 | Docket Cache – Object Cache Accelerator | 25 | 333 | 481 | 20k+ | Output is not escaped |
| #792 | WEB-Translation – eTranslation Multilingual | 25 | 217 | 1,057 | 400 | Non-prefixed function |
| #793 | Show Eventbrite Events – Event Feed for Eventbrite | 25 | 595 | 1,525 | 900 | Non-prefixed global variable |
| #794 | Event Genius – Event Management, Events Calendar, Registration, and RSVP | 25 | 180 | 1,560 | 500 | Non-prefixed global variable |
| #795 | Events Made Easy | 25 | 507 | 6,299 | 1k+ | Non-prefixed function |
| #796 | F4 Post Tree | 25 | 536 | 1,332 | 500 | Non-prefixed global variable |
| #797 | 胖鼠采集 (Fat Rat Collect) | 25 | 630 | 190 | 900 | Missing Arg Domain |
| #798 | FlatPM – Ad Manager, AdSense and Custom Code | 25 | 3,017 | 557 | 10k+ | Text Domain Mismatch |
| #799 | FluentCart A New Era of eCommerce – Faster, Lighter, and Simpler | 25 | 323 | 499 | 7k+ | Non-prefixed global variable |
| #800 | Lightbox & Modal Popup WordPress Plugin – FooBox | 25 | 610 | 1,365 | 100k+ | Non-prefixed global variable |