PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

Weight: critical

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters usually end up in the query text itself, so an unvalidated value can change which rows a query reads or writes, or open the query to SQL injection.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.
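The following is an added example, not Plugin Check's own code and not taken from any plugin listed below. It shows the pattern this rule flags next to the fix the list above describes: identifiers (column and direction) are allowlisted because `$wpdb->prepare()` cannot protect them, and values go through `prepare()` with typed placeholders. It assumes a WordPress runtime (`$wpdb`, `absint()`, `sanitize_key()`, `wp_unslash()`) and a hypothetical custom table `{$wpdb->prefix}example_items` with `id`, `title`, `status` and `created_at` columns.

```php
<?php
/**
 * Added example for the UnescapedDBParameter rule.
 * Not part of Plugin Check or of any plugin; assumes WordPress is loaded
 * (global $wpdb, absint(), sanitize_key(), wp_unslash()). The table
 * {$wpdb->prefix}example_items and its columns are hypothetical.
 */

// What the check flags: request data reaches the SQL string with no
// preparation or allowlisting. Both the ORDER BY identifier and the
// LIMIT value are interpolated straight from $_GET.
function example_items_unsafe() {
	global $wpdb;
	$orderby = $_GET['orderby'];
	$limit   = $_GET['limit'];
	return $wpdb->get_results(
		"SELECT id, title FROM {$wpdb->prefix}example_items ORDER BY $orderby LIMIT $limit"
	);
}

// Hardened version of the same query.
function example_items_safe() {
	global $wpdb;

	// 1. Identifiers: prepare() has no placeholder for column names or
	//    sort direction, so they are mapped to a fixed allowlist and fall
	//    back to a safe default when the request sends anything else.
	$allowed_orderby = array( 'id', 'title', 'created_at' );
	$allowed_order   = array( 'ASC', 'DESC' );

	$orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'id';
	if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
		$orderby = 'id';
	}

	$order = isset( $_GET['order'] ) ? strtoupper( sanitize_key( wp_unslash( $_GET['order'] ) ) ) : 'ASC';
	if ( ! in_array( $order, $allowed_order, true ) ) {
		$order = 'ASC';
	}

	// 2. Values: validated to the expected type, then bound through
	//    prepare() with %s / %d placeholders instead of interpolation.
	$limit  = isset( $_GET['limit'] ) ? absint( $_GET['limit'] ) : 20;
	$limit  = min( max( $limit, 1 ), 100 );
	$status = isset( $_GET['status'] ) ? sanitize_key( wp_unslash( $_GET['status'] ) ) : 'publish';

	// $wpdb->prefix comes from site configuration, not from the request;
	// $orderby and $order were allowlisted above, so interpolating them
	// here leaves no caller-controlled text in the query.
	$sql = $wpdb->prepare(
		"SELECT id, title FROM {$wpdb->prefix}example_items WHERE status = %s ORDER BY {$orderby} {$order} LIMIT %d",
		$status,
		$limit
	);

	return $wpdb->get_results( $sql );
}
```

WordPress 6.2 added the `%i` identifier placeholder to `prepare()`, which can stand in for a hand-written column allowlist on sites that require that version or newer; on older targets the allowlist shown here is the only option, and it is still the right tool for sort direction and for any name that must be one of a known few.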

Affected Plugins

| Rank | Plugin | Score | Errors / Warnings / Installs (unseparated) | Top Issue |
|---|---|---|---|---|
| #801 | AnWP Football Leagues | 25 | 3,5981,955900 | Text Domain Mismatch |
| #802 | WP Fast Total Search – The Power of Indexed Search | 25 | 2092911k+ | Non-prefixed global variable |
| #803 | FunnelKit – Funnel Builder for WooCommerce Checkout | 25 | 3,1642,62430k+ | Text Domain Mismatch |
| #804 | Photo Gallery by Ays – Responsive Image Gallery | 25 | 4668201k+ | Output is not escaped |
| #805 | GD Rating System | 25 | 1,5111,0431k+ | Output is not escaped |
| #806 | GD Security Headers | 25 | 4075211k+ | Output is not escaped |
| #807 | GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content | 25 | 878636k+ | Non-prefixed global variable |
| #808 | Genesis Club Lite | 25 | 513317900 | Output is not escaped |
| #809 | Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) | 25 | 501,0431k+ | Non-prefixed global variable |
| #810 | Simple Giveaways – Grow your business, email lists and traffic with contests | 25 | 9562,384400 | Non-prefixed global variable |
| #811 | WPBruiser {no- Captcha anti-Spam} | 25 | 64625910k+ | Non Singular String Literal Domain |
| #812 | MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) | 25 | 1164412m+ | Nonce verification recommended |
| #813 | Site Kit by Google – Analytics, Search Console, AdSense, Speed | 25 | 1,3042425m+ | Missing direct file access protection |
| #814 | Sitemap by BestWebSoft – WordPress XML Site Map Page Generator Plugin | 25 | 60820720k+ | Text Domain Mismatch |
| #815 | Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation | 25 | 78931330k+ | Text Domain Mismatch |
| #816 | Team Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and More | 25 | 1,7862,2202k+ | Non-prefixed global variable |
| #817 | Solid Testimonials – Testimonial Slider, Video Testimonials & Customer Reviews | 25 | 6451,5851k+ | Non-prefixed global variable |
| #818 | HashBar – Announcement, Notification Bar & Popup Campaign | 25 | 2,7186108k+ | Text Domain Mismatch |
| #819 | Cool Author Box – For Widget and Post Content | 25 | 8531,379600 | Non-prefixed global variable |
| #820 | HT Contact Form – Drag & Drop Form Builder for WordPress | 25 | 16059410k+ | Non-prefixed global variable |
| #821 | Hydra Booking — Appointment Scheduling & Booking Calendar | 25 | 2387072k+ | Non-prefixed global variable |
| #822 | Independent Analytics – WordPress Analytics Plugin | 25 | 1,1482,293100k+ | Non-prefixed global variable |
| #823 | Index WP MySQL For Speed | 25 | 25025550k+ | Output is not escaped |
| #824 | Infinite Uploads – Offload Media and Video to Cloud Storage | 25 | 579720800 | Direct Query |
| #825 | Smash Balloon Social Photo Feed – Easy Social Feeds Plugin | 25 | 4491,3001m+ | Interpolated SQL is not prepared |
| #826 | IP Location Block | 25 | 52162410k+ | Output is not escaped |
| #827 | IP Locator | 25 | 482211600 | Text Domain Mismatch |
| #828 | JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin | 25 | 1,5411,5781k+ | Non-prefixed global variable |
| #829 | JoomSport – for Sports: Team & League, Football, Hockey & more | 25 | 5231,7471k+ | Direct Query |
| #830 | kk Star Ratings – Rate Post & Collect User Feedbacks | 25 | 7721,38870k+ | Non-prefixed global variable |
| #831 | Knit Pay – Cashfree, Instamojo, Razorpay, PayPal and more | 25 | 4,0191,2652k+ | Text Domain Mismatch |
| #832 | Live Composer – Free WordPress Website Builder | 25 | 1,21642710k+ | Output is not escaped |
| #833 | Liza Widget For Spotify and Elementor | 25 | 1,4782,5721k+ | Non-prefixed global variable |
| #834 | Login Widget With Shortcode | 25 | 3351986k+ | wp function not compatible with requires wp |
| #835 | Loginizer | 25 | 8145041m+ | Output is not escaped |
| #836 | Logo Showcase – Responsive Logo Carousel, Logo Slider & Logo Grid | 25 | 6561,5065k+ | Non-prefixed global variable |
| #837 | Bulk Page Generator – LPagery | 25 | 6701,9263k+ | Non-prefixed global variable |
| #838 | M Chart | 25 | 5611,4653k+ | Non-prefixed global variable |
| #839 | MaxButtons – Create buttons | 25 | 62640470k+ | Output is not escaped |
| #840 | Media Cleaner: Clean your WordPress! | 25 | 15139190k+ | Direct Query |
| #841 | Media Cloud Sync | 25 | 1,0952741k+ | Exception output is not escaped |
| #842 | Create | 25 | 1,5587696k+ | Text Domain Mismatch |
| #843 | Minimum and Maximum Quantity for WooCommerce | 25 | 5561,4363k+ | Non-prefixed global variable |
| #844 | Multibanco / MB Way / Payshop / Cofidis Pay (by LUSOPAY) for WooCommerce | 25 | 492216400 | Text Domain Mismatch |
| #845 | My Calendar – Accessible Event Manager | 25 | 102,19320k+ | Non-prefixed function |
| #846 | All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements | 25 | 35259740k+ | Non-prefixed global variable |
| #847 | Nexter Extension – Security, Performance, Code Snippets & Site Toolkit | 25 | 19871210k+ | Nonce verification recommended |
| #848 | NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar | 25 | 25740040k+ | Non-prefixed hook name |
| #849 | Notifications for Forms & WordPress Actions | 25 | 3092821k+ | Text Domain Mismatch |
| #850 | NOWPayments for WooCommerce – Crypto Payment Gateway | 25 | 5341,3064k+ | Non-prefixed global variable |