PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1151Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier )292082620k+Non-prefixed namespace
#1152Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms296253511k+Text Domain Mismatch
#1153Jetpack Boost – Website Speed, Performance and Critical CSS29659247200k+Text Domain Mismatch
#1154Wishlist for WooCommerce29610296600Output is not escaped
#1155Login Me Now – Passwordless, Magic Link, OTP & Social Login for WordPress2986233500Nonce verification recommended
#1156MapSVG – Vector maps, Image maps, Google Maps2978491k+Missing direct file access protection
#1157Meow Gallery2911318210k+Direct Query
#1158Music Player for WooCommerce291071561k+Non-prefixed global variable
#1159MyWorks Sync for WooCommerce & Xero2911,080800Non-prefixed global variable
#1160Offload Media – Cloud Storage29126801k+unlink unlink
#1161Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization2980162200k+Nonce verification recommended
#1162Page Restrict for WooCommerce29579374700Text Domain Mismatch
#1163Page View Count2910624610k+Dynamic hook name
#1164Post Timeline2991200800Missing nonce verification
#1165Post Views Counter29179398200k+Non-prefixed hook name
#1166Recipe Card Blocks Lite2915140810k+Non-prefixed global variable
#1167Relevant – Related, Featured, Latest, and Popular Posts by BestWebSoft29487262800Text Domain Mismatch
#1168SamedayCourier Shipping293362694k+Non Singular String Literal Domain
#1169Security Ninja – WordPress Security & Firewall291493477k+Direct Query
#1170Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce291482465k+Unsafe printing function
#1171Shiptastic for WooCommerce2915466210k+Non-prefixed global variable
#1172Slider by BestWebSoft29478336400Text Domain Mismatch
#1173Social Engine2913390600Exception output is not escaped
#1174SureForms – Drag & Drop Contact Form & Form Builder, Payment Form, Survey, Quiz & Calculator29336198500k+Text Domain Mismatch
#1175SureMembers – Membership & Content Restriction Plugin293592481k+Text Domain Mismatch
#1176Themify – WooCommerce Product Filter2964314520k+Output is not escaped
#1177Ultimate Auction for WooCommerce – Excellent WP Auction Plugin29525232k+Non-prefixed global variable
#1178User Verification by PickPlugins29413145k+Request data is not unslashed
#1179weMail – Email Marketing, Newsletter Builder & Email Automations for WooCommerce292766810k+Missing direct file access protection
#1180Countdown Timer – Widget Countdown2929015210k+Output is not escaped
#1181WooCommerce Stripe Payment Gateway29184592700k+Exception output is not escaped
#1182Woostify Sites Library2922919820k+Text Domain Mismatch
#1183WP Popular Posts2977300100k+Non-prefixed global variable
#1184WP-PostRatings2942538430k+Output is not escaped
#1185WPComplete293833331k+Output is not escaped
#1186Xagio SEO – AI Powered SEO2921,27310k+Direct Query
#1187Xpro Addons — 140+ Widgets for Elementor292782630k+Non-prefixed global variable
#1188Advanced Database Cleaner – Optimize & Clean Database to Speed Up Site Performance30173479100k+Interpolated SQL is not prepared
#1189AI Product Tools – Bulk Product Content Generator & AI Toolkit for WooCommerce30508562400SQL query is not prepared
#1190AutoWP – AI Content Writer & Rewriter305483701k+Text Domain Mismatch
#1191Private groups305833161k+Unsafe printing function
#1192Sliding Cart for WooCommerce by FunnelKit – Skip Cart & Reach WooCommerce Checkout Faster3030643430k+Non-prefixed global variable
#1193Cryptocurrency Donation Box – Bitcoin & Crypto Donations30334284500Output is not escaped
#1194Custom Search by BestWebSoft – WordPress Custom Search Plugin30454228900Text Domain Mismatch
#1195Easy Affiliate Links301861987k+Missing direct file access protection
#1196EasyParcel Shipping– All-in-one Shipping Solution, Real-Time Shipping Rates3031610600Non-prefixed global variable
#1197Epeken All Kurir for Woocommerce305901,246400Missing nonce verification
#1198PiWeb Export Customers Users & Guest customer to CSV for WooCommerce30173751k+Text Domain Mismatch
#1199FormLift for Keap (Legacy) Web Forms30162315400Request data is not unslashed
#1200Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant302642214k+Non Singular String Literal Text