PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1301 | annasta Filters for WooCommerce | 32 | 1,073 | 441 | 2k+ | Text Domain Mismatch | ||
| #1302 | APCu Manager | 32 | 151 | 126 | 10k+ | Output is not escaped | ||
| #1303 | Author Avatars List/Block | 32 | 85 | 135 | 4k+ | Non-prefixed hook name | ||
| #1304 | Auto YouTube Importer | 32 | 338 | 173 | 1k+ | Text Domain Mismatch | ||
| #1305 | Better Chat Support for Messenger | 32 | 73 | 103 | 1k+ | Interpolated SQL is not prepared | ||
| #1306 | Blog2Social: Social Media Auto Post & Scheduler | 32 | 7 | 957 | 50k+ | Direct Query | ||
| #1307 | BuddyPress for LearnDash | 32 | 190 | 284 | 1k+ | Output is not escaped | ||
| #1308 | Quantity Discounts, Breaks & Product Bundles for Woocommerce By Bundler | 32 | 147 | 319 | 400 | Direct Query | ||
| #1309 | Code Manager | 32 | 217 | 261 | 500 | Nonce verification recommended | ||
| #1310 | Vimeotheque – Vimeo WordPress Plugin & Video Gallery | 32 | 642 | 264 | 2k+ | Unsafe printing function | ||
| #1311 | Ultimate WooCommerce Filters | 32 | 322 | 207 | 600 | Unsafe printing function | ||
| #1312 | CSV Import and Exporter | 32 | 83 | 138 | 1k+ | Non-prefixed global variable | ||
| #1313 | Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) | 32 | 560 | 198 | 5k+ | Text Domain Mismatch | ||
| #1314 | Fable Extra | 32 | 79 | 282 | 4k+ | Non-prefixed global variable | ||
| #1315 | FA Lite – WP responsive slider plugin | 32 | 726 | 140 | 500 | Unsafe printing function | ||
| #1316 | Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages | 32 | 53 | 776 | 8k+ | Nonce verification recommended | ||
| #1317 | WP Gravity Forms HubSpot | 32 | 771 | 160 | 600 | Text Domain Mismatch | ||
| #1318 | CRM Perks Integration for Gravity Forms and Salesforce | 32 | 807 | 178 | 1k+ | Text Domain Mismatch | ||
| #1319 | WP Gravity Forms Zoho CRM and Bigin | 32 | 750 | 174 | 400 | Text Domain Mismatch | ||
| #1320 | GlotPress | 32 | 403 | 103 | 500 | Unsafe printing function | ||
| #1321 | Insights from Google PageSpeed | 32 | 414 | 475 | 20k+ | Text Domain Mismatch | ||
| #1322 | Gwolle Guestbook | 32 | 269 | 527 | 20k+ | Output is not escaped | ||
| #1323 | Honeypot Toolkit | 32 | 155 | 770 | 400 | Missing nonce verification | ||
| #1324 | HTML5 jQuery Audio Player | 32 | 251 | 153 | 1k+ | Unsafe printing function | ||
| #1325 | Jetpack VaultPress Backup | 32 | 554 | 211 | 20k+ | Text Domain Mismatch | ||
| #1326 | Manager for IcoMoon | 32 | 270 | 68 | 400 | Short PHP open tag found | ||
| #1327 | MapPress Maps for WordPress | 32 | 695 | 133 | 30k+ | Missing Arg Domain | ||
| #1328 | WP Mobile Menu – The Mobile-Friendly Responsive Menu | 32 | 990 | 195 | 80k+ | Output is not escaped | ||
| #1329 | Organization chart | 32 | 187 | 334 | 5k+ | SQL query is not prepared | ||
| #1330 | DEPRECATED – Shipmondo – A complete shipping solution for WooCommerce | 32 | 166 | 119 | 5k+ | Output is not escaped | ||
| #1331 | PilotPress | 32 | 150 | 285 | 900 | Output is not escaped | ||
| #1332 | Plugin Organizer | 32 | 326 | 257 | 10k+ | Output is not escaped | ||
| #1333 | TS Poll – Survey, Versus Poll, Image Poll, Video Poll | 32 | 570 | 171 | 4k+ | Text Domain Mismatch | ||
| #1334 | Volunteer Sign Up Sheets | 32 | 967 | 401 | 1k+ | Output is not escaped | ||
| #1335 | Relevanssi – A Better Search | 32 | 86 | 266 | 100k+ | Missing direct file access protection | ||
| #1336 | Responsive Filterable Portfolio Gallery – Media Grid & Video Portfolio | 32 | 436 | 163 | 1k+ | Output is not escaped | ||
| #1337 | Restrict Usernames Emails Characters | 32 | 327 | 367 | 1k+ | Output is not escaped | ||
| #1338 | WowRevenue – Product Bundles & Bulk Discounts | 32 | 13 | 2,027 | 1k+ | Non-prefixed global variable | ||
| #1339 | Simple Ajax Chat – Add a Fast, Secure Chat Box | 32 | 108 | 266 | 2k+ | Output is not escaped | ||
| #1340 | Sky Addons for Elementor | 32 | 85 | 351 | 2k+ | Non-prefixed namespace | ||
| #1341 | Split Test For Elementor | 32 | 98 | 132 | 3k+ | Non-prefixed global variable | ||
| #1342 | Stock Locations for WooCommerce | 32 | 549 | 360 | 1k+ | Output is not escaped | ||
| #1343 | Stock Sync for WooCommerce | 32 | 362 | 232 | 1k+ | Text Domain Mismatch | ||
| #1344 | Subscribe2 – Form, Email Subscribers & Newsletters | 32 | 32 | 410 | 10k+ | Direct Query | ||
| #1345 | System Dashboard | 32 | 91 | 205 | 1k+ | Request data is not unslashed | ||
| #1346 | Thrive Automator | 32 | 84 | 84 | 10k+ | SQL query is not prepared | ||
| #1347 | TK Google Fonts GDPR Compliant | 32 | 582 | 34 | 1k+ | Output is not escaped | ||
| #1348 | Tumult Hype Animations | 32 | 56 | 117 | 1k+ | Output is not escaped | ||
| #1349 | Ultimate Store Kit – Addon For WooCommerce, EDD and Elementor | 32 | 57 | 293 | 4k+ | Post Not In exclude | ||
| #1350 | WebwinkelKeur: Webshop keurmerk & reviews for WordPress | 32 | 200 | 47 | 4k+ | Short PHP open tag found |