PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1051 | MLSImport – Download and synchronize real estate data from various MLS (Multiple Listing Services) | 27 | 154 | 551 | 5k+ | Non-prefixed global variable | ||
| #1052 | Nextend Social Login and Register | 27 | 1,668 | 243 | 200k+ | Output is not escaped | ||
| #1053 | Online Lesson Booking | 27 | 978 | 281 | 500 | Non Singular String Literal Domain | ||
| #1054 | Packlink PRO for WooCommerce | 27 | 132 | 160 | 20k+ | Non-prefixed global variable | ||
| #1055 | Pie Register – User Registration, Profiles & Content Restriction | 27 | 1,779 | 1k+ | Non-prefixed global variable | |||
| #1056 | PublishPress Permissions: Control User Access for Posts, Pages, Categories, Tags | 27 | 424 | 323 | 10k+ | Missing Translators Comment | ||
| #1057 | Rate My Post – Star Rating Plugin by FeedbackWP | 27 | 222 | 360 | 20k+ | Output is not escaped | ||
| #1058 | Restrict for Elementor | 27 | 530 | 1,223 | 900 | Non-prefixed global variable | ||
| #1059 | Shipit | 27 | 371 | 209 | 400 | Text Domain Mismatch | ||
| #1060 | Sign-up Sheets | 27 | 325 | 363 | 1k+ | Output is not escaped | ||
| #1061 | Simple Download Monitor | 27 | 218 | 273 | 20k+ | Output is not escaped | ||
| #1062 | Social Web Suite – Social Media Auto Post, Social Media Auto Publish | 27 | 74 | 164 | 500 | Non-prefixed global variable | ||
| #1063 | Terms & Conditions Per Product | 27 | 533 | 1,336 | 800 | Non-prefixed global variable | ||
| #1064 | Theme One Click Demo Importer | 27 | 210 | 157 | 500 | Text Domain Mismatch | ||
| #1065 | Transbank Webpay | 27 | 198 | 211 | 10k+ | Non-prefixed global variable | ||
| #1066 | Ultimate Watermark – Image Watermark, Image Protection & Bulk Watermarking | 27 | 164 | 303 | 1k+ | Nonce verification recommended | ||
| #1067 | VOD Infomaniak | 27 | 797 | 385 | 20k+ | Output is not escaped | ||
| #1068 | Watu Quiz | 27 | 1,089 | 1,014 | 3k+ | Output is not escaped | ||
| #1069 | Wiremo – Product Reviews for WooCommerce | 27 | 445 | 212 | 700 | Output is not escaped | ||
| #1070 | Mihdan: Ajax Edit Comments | 27 | 1,300 | 523 | 400 | Text Domain Mismatch | ||
| #1071 | Content Pilot – Autoblogging & Affiliate Marketing Suite | 27 | 299 | 269 | 900 | Output is not escaped | ||
| #1072 | WP-DBManager | 27 | 386 | 304 | 60k+ | Non-prefixed global variable | ||
| #1073 | Email Marketing Plugin – WP Email Capture | 27 | 383 | 262 | 1k+ | Output is not escaped | ||
| #1074 | WP Hide & Security Enhancer | 27 | 124 | 375 | 50k+ | Input is not sanitized | ||
| #1075 | WP Job Manager | 27 | 93 | 582 | 80k+ | Non-prefixed hook name | ||
| #1076 | wp-mpdf | 27 | 123 | 382 | 1k+ | Non-prefixed global variable | ||
| #1077 | WP Activity Log | 27 | 96 | 230 | 300k+ | Nonce verification recommended | ||
| #1078 | WPBase Cache | 27 | 189 | 113 | 2k+ | Text Domain Mismatch | ||
| #1079 | YARPP – Yet Another Related Posts Plugin | 27 | 191 | 331 | 100k+ | Non-prefixed global variable | ||
| #1080 | Zibal Payment Gateway for Gravity Forms | 27 | 828 | 248 | 400 | Text Domain Mismatch | ||
| #1081 | AForms — Form Builder for Price Calculator & Cost Estimation | 28 | 564 | 95 | 3k+ | Text Domain Mismatch | ||
| #1082 | Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms | 28 | 632 | 351 | 800 | Text Domain Mismatch | ||
| #1083 | Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms | 28 | 649 | 357 | 9k+ | Text Domain Mismatch | ||
| #1084 | WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | 28 | 659 | 359 | 400 | Text Domain Mismatch | ||
| #1085 | Code Engine – PHP Snippets, AI Functions & Automation for WordPress | 28 | 124 | 96 | 700 | Non Singular String Literal Domain | ||
| #1086 | Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress | 28 | 465 | 338 | 30k+ | Text Domain Mismatch | ||
| #1087 | Maspik – Ultimate Spam Protection | 28 | 212 | 862 | 30k+ | Missing nonce verification | ||
| #1088 | Database Cleaner | 28 | 137 | 297 | 10k+ | Direct Query | ||
| #1089 | Dynamic User Directory | 28 | 403 | 256 | 1k+ | Output is not escaped | ||
| #1090 | Discount Rules and Dynamic Pricing for WooCommerce | 28 | 181 | 334 | 10k+ | Output is not escaped | ||
| #1091 | Educare – Students & Result Management System | 28 | 1,114 | 1,043 | 800 | Missing nonce verification | ||
| #1092 | Event Tickets Manager for WooCommerce | 28 | 181 | 648 | 1k+ | Non-prefixed global variable | ||
| #1093 | FAPI Member | 28 | 279 | 153 | 500 | Exception output is not escaped | ||
| #1094 | Friends | 28 | 164 | 679 | 1k+ | Non-prefixed global variable | ||
| #1095 | گیتلند | درگاه پرداخت هوشمند گیتلند | 28 | 327 | 235 | 3k+ | Output is not escaped | ||
| #1096 | Geo Mashup | 28 | 775 | 232 | 1k+ | Text Domain Mismatch | ||
| #1097 | GS Books Showcase – Display Books in Grid, Slider & More | Library for WordPress | 28 | 55 | 437 | 500 | Non-prefixed global variable | ||
| #1098 | Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms | 28 | 641 | 348 | 1k+ | Text Domain Mismatch | ||
| #1099 | WP to LinkedIn Auto Publish | 28 | 734 | 250 | 900 | Unsafe printing function | ||
| #1100 | Maven Algolia | 28 | 148 | 89 | 6k+ | Non Singular String Literal Domain |