PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1101 | Media Hygiene: Remove or Delete Unused Images and More! | 28 | 654 | 309 | 5k+ | Non Singular String Literal Domain | ||
| #1102 | My auctions allegro | 28 | 483 | 235 | 500 | Non Singular String Literal Domain | ||
| #1103 | My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) | 28 | 164 | 441 | 100k+ | Non-prefixed global variable | ||
| #1104 | Order Tracking – WordPress Status Tracking Plugin | 28 | 619 | 773 | 3k+ | Unsafe printing function | ||
| #1105 | PDF for Contact Form 7 + Drag and Drop Template Builder | 28 | 674 | 101 | 500 | wp function not compatible with requires wp | ||
| #1106 | ووکامرس فارسی | 28 | 157 | 215 | 90k+ | Output is not escaped | ||
| #1107 | افزونه حمل و نقل ووکامرس | پست پیشتاز، تیپاکس و پیک موتوری | 28 | 131 | 190 | 20k+ | Missing nonce verification | ||
| #1108 | Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery | 28 | 146 | 259 | 5k+ | Post Not In exclude | ||
| #1109 | Pixelgrade Assistant | 28 | 1,348 | 160 | 2k+ | Text Domain Mismatch | ||
| #1110 | Podcast Importer SecondLine | 28 | 356 | 169 | 4k+ | Text Domain Mismatch | ||
| #1111 | Product Sync for WooCommerce | 28 | 158 | 375 | 400 | Direct Query | ||
| #1112 | Query Wrangler | 28 | 628 | 229 | 700 | Output is not escaped | ||
| #1113 | Rating by BestWebSoft | 28 | 509 | 218 | 400 | Text Domain Mismatch | ||
| #1114 | ReDi Restaurant Reservation – Instant Restaurant Booking & Table Reservation System | 28 | 1,013 | 239 | 800 | Unsafe printing function | ||
| #1115 | Responsive Lightbox & Gallery | 28 | 139 | 513 | 100k+ | Non-prefixed hook name | ||
| #1116 | Secure Downloads | 28 | 616 | 406 | 600 | Output is not escaped | ||
| #1117 | Praison AI SEO | 28 | 649 | 306 | 1k+ | Text Domain Mismatch | ||
| #1118 | Transliterator – Multilingual and Multi-script Text Conversion | 28 | 305 | 322 | 3k+ | Output is not escaped | ||
| #1119 | Slider Pro | 28 | 583 | 527 | 4k+ | Unsafe printing function | ||
| #1120 | Tab – Accordion, FAQ | 28 | 104 | 542 | 1k+ | Non-prefixed global variable | ||
| #1121 | Terms descriptions | 28 | 222 | 423 | 1k+ | Non-prefixed function | ||
| #1122 | Themesflat Addons For Elementor | 28 | 714 | 227 | 40k+ | Output is not escaped | ||
| #1123 | Jetpack VaultPress | 28 | 71 | 362 | 10k+ | Missing nonce verification | ||
| #1124 | VG WORT METIS | 28 | 150 | 317 | 900 | Nonce verification recommended | ||
| #1125 | WC Fields Factory | 28 | 194 | 369 | 7k+ | Nonce verification recommended | ||
| #1126 | 10WebSocial | 28 | 584 | 185 | 10k+ | Unsafe printing function | ||
| #1127 | WP ADA Compliance Check Basic | 28 | 785 | 177 | 3k+ | Text Domain Mismatch | ||
| #1128 | WP Booking System – Booking Calendar | 28 | 502 | 549 | 20k+ | Output is not escaped | ||
| #1129 | Connect Matomo – Analytics Dashboard for WordPress | 28 | 100 | 102 | 60k+ | Missing Translators Comment | ||
| #1130 | WhyDonate – FREE Donate button – Crowdfunding – Fundraising | 28 | 216 | 328 | 800 | Non-prefixed global variable | ||
| #1131 | WPS Bidouille | 28 | 472 | 215 | 10k+ | Output is not escaped | ||
| #1132 | WP Synchro – The Ultimate WordPress Migration Tool | 28 | 243 | 244 | 2k+ | Missing Translators Comment | ||
| #1133 | WxSync-标准云微信公众号文章免费采集-任意公众号自动采集付费购买 | 28 | 57 | 138 | 500 | Request data is not unslashed | ||
| #1134 | Accordion Slider | 29 | 391 | 447 | 2k+ | Unsafe printing function | ||
| #1135 | AL Pack | 29 | 13 | 816 | 2k+ | Non-prefixed global variable | ||
| #1136 | Alt Text AI – Automatically generate image alt text for SEO and accessibility | 29 | 72 | 280 | 20k+ | Non-prefixed global variable | ||
| #1137 | Attribute Stock for WooCommerce – Shared Stock & Variable Quantities (Lite Version) | 29 | 481 | 313 | 2k+ | Text Domain Mismatch | ||
| #1138 | Bitcoin Payments – Blockonomics | 29 | 208 | 227 | 2k+ | Output is not escaped | ||
| #1139 | Plugin BlueX for WooCommerce | 29 | 431 | 216 | 2k+ | Text Domain Mismatch | ||
| #1140 | Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms | 29 | 236 | 369 | 2k+ | Non-prefixed global variable | ||
| #1141 | Chained Quiz | 29 | 1,132 | 721 | 1k+ | Text Domain Mismatch | ||
| #1142 | CloudSecure WP Security | 29 | 74 | 350 | 100k+ | Request data is not unslashed | ||
| #1143 | Countdown, Coming Soon, Maintenance – Countdown & Clock | 29 | 1,735 | 143 | 10k+ | Non Singular String Literal Domain | ||
| #1144 | Custom Field Template | 29 | 568 | 530 | 30k+ | wp function not compatible with requires wp | ||
| #1145 | Document Gallery | 29 | 183 | 98 | 8k+ | Output is not escaped | ||
| #1146 | ECPay Ecommerce for WooCommerce | 29 | 248 | 370 | 2k+ | Missing nonce verification | ||
| #1147 | FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider | 29 | 74 | 78 | 600k+ | Missing Translators Comment | ||
| #1148 | Gianism | 29 | 391 | 154 | 700 | Text Domain Mismatch | ||
| #1149 | reCaptcha by BestWebSoft | 29 | 474 | 272 | 100k+ | Text Domain Mismatch | ||
| #1150 | Easy HTTPS Redirection (SSL) | 29 | 266 | 152 | 100k+ | Unsafe printing function |