PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

Weight: critical

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.
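The three fixes above, applied to one query. This is an added example, not code from the Plugin Check project or from any listed plugin; it assumes a WordPress runtime with the global `$wpdb` and a hypothetical `{$wpdb->prefix}myplugin_events` table.

```php
<?php
// Added example (not from Plugin Check): the pattern this check flags, then the fixed form.
// Assumes a WordPress runtime ($wpdb, sanitize_*()) and a hypothetical myplugin_events table.

// Flagged: request-derived values are interpolated straight into the SQL string.
// Both the filter value and the ORDER BY identifiers are attacker-controlled here.
function myplugin_events_unsafe( $status, $orderby, $order ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_events';
    return $wpdb->get_results(
        "SELECT id, title FROM {$table} WHERE status = '{$status}' ORDER BY {$orderby} {$order}"
    );
}

// Fixed: values are bound through $wpdb->prepare(); identifiers come from explicit allowlists.
function myplugin_events_safe( $status, $orderby, $order ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_events';

    // Column names and sort direction cannot be bound as %s/%d placeholders, so they are
    // checked against a fixed allowlist and replaced by a safe default when they do not match.
    $allowed_orderby = array( 'id', 'title', 'created_at' );
    $orderby = in_array( $orderby, $allowed_orderby, true ) ? $orderby : 'id';
    $order   = ( 'DESC' === strtoupper( (string) $order ) ) ? 'DESC' : 'ASC';

    // The status value is a real parameter: prepare() quotes and escapes it for %s.
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE status = %s ORDER BY {$orderby} {$order}",
        $status
    );
    return $wpdb->get_results( $sql );
}

// Call site: request data is unslashed and sanitized before it reaches query construction.
$events = myplugin_events_safe(
    isset( $_GET['status'] ) ? sanitize_text_field( wp_unslash( $_GET['status'] ) ) : 'published',
    isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'id',
    isset( $_GET['order'] ) ? sanitize_key( wp_unslash( $_GET['order'] ) ) : 'asc'
);
```

Sanitizing at the call site limits the character set, but it is `prepare()` and the allowlists inside the function that make the query itself safe; the two layers are not interchangeable.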

Affected Plugins

Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue
#751 | Advanced WordPress Reset – Debug, Recover & Reset WP | 25 | 475 | 464 | 20k+ | | | Output is not escaped
#752 | AF Companion – Starter Sites, Speed Booster & Growth Suite for Professional Publishing | 25 | 665 | 1,486 | 10k+ | | | Non-prefixed global variable
#753 | Affiliates | 25 | 689 | 1,483 | 2k+ | | | Output is not escaped
#754 | FiboSearch – Ajax Search for WooCommerce | 25 | 603 | 302 | 100k+ | | | Output is not escaped
#755 | AliExpress Dropshipping Plugin for WooCommerce Stores | 25 | 550 | 728 | 5k+ | | | Text Domain Mismatch
#756 | All 404 Redirect to Homepage | 25 | 140 | 301 | 200k+ | | | date date
#757 | AIO Forms – Craft Complex Forms Easily | 25 | 189 | 418 | 700 | | | Mixed line endings
#758 | Animated Number Counters | 25 | 408 | 1,949 | 2k+ | | | Non-prefixed global variable
#759 | Appointment Booking Calendar | 25 | 327 | 1,055 | 1k+ | | | Non-prefixed global variable
#760 | Appointment Hour Booking – Booking Calendar | 25 | 261 | 1,254 | 10k+ | | | Non-prefixed global variable
#761 | ATUM WooCommerce Inventory Management and Stock Tracking | 25 | 2,638 | 1,304 | 10k+ | | | Non Singular String Literal Domain
#762 | bbp style pack | 25 | 1,419 | 1,792 | 6k+ | | | Output is not escaped
#763 | BlockSpare – Gutenberg Post Grid Blocks for News, Magazine & Blog Websites | 25 | 1,327 | 1,714 | 10k+ | | | Non-prefixed global variable
#764 | Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid | 25 | 243 | 854 | 50k+ | | | Non-prefixed global variable
#765 | Booking Activities | 25 | 1,036 | 1,469 | 3k+ | | | Output is not escaped
#766 | Booking Calendar Contact Form | 25 | 371 | 884 | 500 | | | Input is not validated
#767 | Booking Package | 25 | 1,703 | 3,977 | 10k+ | | | Missing nonce verification
#768 | Online Scheduling and Appointment Booking System – Bookly | 25 | 3,528 | 870 | 60k+ | | | Text Domain Mismatch
#769 | Broken Link Checker | 25 | 727 | 600 | 500k+ | | | Output is not escaped
#770 | BuddyPress Docs | 25 | 284 | 421 | 7k+ | | | Nonce verification recommended
#771 | SilentShield – Captcha & Anti-Spam for WordPress (CF7, WPForms, Elementor, WooCommerce) | 25 | 235 | 214 | 10k+ | | | Database parameter is not escaped
#772 | GSheetConnector for CF7 – Connect Contact Form 7 to Google Sheets and Send Form Submissions in Real Time | 25 | 614 | 1,431 | 40k+ | | | Non-prefixed global variable
#773 | CheckoutWC Lite | 25 | 1,399 | 852 | 3k+ | | | Text Domain Mismatch
#774 | CheckView – Form & Checkout Testing | 25 | 66337 (errors and warnings run together in the source; split not recoverable) | | 1k+ | | | Direct Query
#775 | Admin Columns | 25 | 613 | 995 | 100k+ | | | Non-prefixed namespace
#776 | Colissimo shipping methods for WooCommerce | 25 | 1,755 | 557 | 10k+ | | | Text Domain Mismatch
#777 | Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode | 25 | 99 | 1,040 | 700k+ | | | Non-prefixed global variable
#778 | Disable Comments & Delete All Comments | 25 | 503 | 185 | 9k+ | | | Output is not escaped
#779 | Coinbase Business Gateway for WooCommerce | 25 | 569 | 1,317 | 800 | | | Non-prefixed global variable
#780 | Conditional Payment Methods for WooCommerce | 25 | 548 | 1,398 | 1k+ | | | Non-prefixed global variable
#781 | Contact Form DB Divi | 25 | 533 | 1,299 | 3k+ | | | Non-prefixed global variable
#782 | Contact Form Email | 25 | 409 | 898 | 9k+ | | | Non-prefixed global variable
#783 | Coupon Creator | 25 | 698 | 412 | 1k+ | | | Output is not escaped
#784 | CP Contact Form with PayPal | 25 | 466 | 936 | 800 | | | Unsafe printing function
#785 | Cryptocurrency Payment Gateway | 25 | 1,963 | 589 | 400 | | | Text Domain Mismatch
#786 | CSS & JavaScript Toolbox | 25 | 155 | 617 | 10k+ | | | Non-prefixed class
#787 | Smash Balloon Social Post Feed – Simple Social Feeds for WordPress | 25 | 554 | 982 | 200k+ | | | Output is not escaped
#788 | DecaLog | 25 | 943 | 236 | 1k+ | | | Exception output is not escaped
#789 | Demo Importer Plus | 25 | 58239 (errors and warnings run together in the source; split not recoverable) | | 10k+ | | | Non-prefixed hook name
#790 | Disable Admin Notices – Hide Dashboard Notifications | 25 | 465 | 195 | 100k+ | | | Output is not escaped
#791 | Docket Cache – Object Cache Accelerator | 25 | 333 | 481 | 20k+ | | | Output is not escaped
#792 | WEB-Translation – eTranslation Multilingual | 25 | 217 | 1,057 | 400 | | | Non-prefixed function
#793 | Show Eventbrite Events – Event Feed for Eventbrite | 25 | 595 | 1,525 | 900 | | | Non-prefixed global variable
#794 | Event Genius – Event Management, Events Calendar, Registration, and RSVP | 25 | 180 | 1,560 | 500 | | | Non-prefixed global variable
#795 | Events Made Easy | 25 | 507 | 6,299 | 1k+ | | | Non-prefixed function
#796 | F4 Post Tree | 25 | 536 | 1,332 | 500 | | | Non-prefixed global variable
#797 | 胖鼠采集(Fat Rat Collect) | 25 | 630 | 190 | 900 | | | Missing Arg Domain
#798 | FlatPM – Ad Manager, AdSense and Custom Code | 25 | 3,017 | 557 | 10k+ | | | Text Domain Mismatch
#799 | FluentCart A New Era of eCommerce – Faster, Lighter, and Simpler | 25 | 323 | 499 | 7k+ | | | Non-prefixed global variable
#800 | Lightbox & Modal Popup WordPress Plugin – FooBox | 25 | 610 | 1,365 | 100k+ | | | Non-prefixed global variable