PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#951Bangladeshi Payments Mobile – QR Code & Transaction Reports265351,2801k+Non-prefixed global variable
#952Blog Floating Button267052409k+Output is not escaped
#953Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar265262635k+Output is not escaped
#954Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More269727010k+error log error log
#955Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty26113671400k+Non-prefixed global variable
#956Conditional Logic for Woo Product Add-ons265751,352500Non-prefixed global variable
#957Database for Contact Form 7, WPforms, Elementor forms2631748960k+Non-prefixed global variable
#958CP Multi View Events Calendar2686439900Non-prefixed global variable
#959Ditty – Responsive News Tickers, Sliders, and Lists2656148430k+Output is not escaped
#960Easy Post Views Count265341,1802k+Non-prefixed global variable
#961ELEX WooCommerce Google Shopping (Google Product Feed)262262421k+Text Domain Mismatch
#962Event Monster – Event Manager, Ticket Booking & Registration26781781600Non-prefixed global variable
#963ezCache2612728810k+Direct Query
#964RSS Redirect & Feedburner Alternative262772721k+Output is not escaped
#965FG PrestaShop to WooCommerce2625494900Unsafe printing function
#966Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager2611359790k+Non-prefixed global variable
#967FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.)265944172k+Exception output is not escaped
#968FV Antispam26332239900Output is not escaped
#969GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites26286216500badly named files
#970Hide Admin Bar Based on User Roles265491,34520k+Non-prefixed global variable
#971Image SEO – AI-Driven Image SEO Optimizer263503271k+Text Domain Mismatch
#972Integrate Razorpay for Contact Form 72615297500curl curl setopt
#973Kadence Central – Site Management, Backups, Security, and Reporting2646221330k+Text Domain Mismatch
#974Kirki – Freeform Page Builder, Website Builder & Customizer26192799500k+Nonce verification recommended
#975Login Widget With Shortcode263351986k+wp function not compatible with requires wp
#976Media File Renamer: Rename for better SEO (AI-Powered)2615417040k+Direct Query
#977Hotel Booking266909404k+Unsafe printing function
#978OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA)262725996k+Request data is not unslashed
#979Open User Map – Interactive Leaflet Maps2689398610k+Non-prefixed global variable
#980Paytium: Mollie payment forms & donations265065513k+Unsafe printing function
#981PDF for WPForms + Drag and Drop Template Builder266741131k+wp function not compatible with requires wp
#982LoginWP (Formerly Peter's Login Redirect)2640127890k+Output is not escaped
#983Polylang2636564800k+Non-prefixed hook name
#984Portfolio by BestWebSoft – Work and Projects Presentation Plugin for WordPress26525240600Text Domain Mismatch
#985Post List Designer – Category Post, Recent Post, Post List265421,3201k+Non-prefixed global variable
#986Premmerce User Roles265971,357600Non-prefixed global variable
#987Pressidium Cookie Consent262039510k+Exception output is not escaped
#988Product Table For WooCommerce26191858600Non-prefixed global variable
#989Profile Extra Fields by BestWebSoft265145322k+Text Domain Mismatch
#990Related Posts Thumbnails Plugin for WordPress2638219820k+Output is not escaped
#991RestaurantPress26265518600Output is not escaped
#992Role Based Pricing for Woo by Meow Crew265481,3542k+Non-prefixed global variable
#993Send Users Email – Email Subscribers, Email Marketing Newsletter261884155k+Non-prefixed global variable
#994SP Move Login268812156k+Text Domain Mismatch
#995Sliced Invoices – WordPress Invoice Plugin266844555k+Output is not escaped
#996Video Gallery – Vimeo and YouTube Gallery265617946k+Non-prefixed global variable
#997Carousel, Recent Post Slider and Banner Slider265281,4098k+Non-prefixed global variable
#998StoreGrowth: Smart Sales Booster for WooCommerce | BOGO, Upsells, Direct Checkout, Quick View, Side Cart261254202k+Non-prefixed global variable
#999Subscriber by BestWebSoft26550376900Text Domain Mismatch
#1000Tag Groups is the Advanced Way to Display Your Taxonomy Terms263512323k+Unsafe printing function