PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1301annasta Filters for WooCommerce321,0734412k+Text Domain Mismatch
#1302APCu Manager3215112610k+Output is not escaped
#1303Author Avatars List/Block32851354k+Non-prefixed hook name
#1304Auto YouTube Importer323381731k+Text Domain Mismatch
#1305Better Chat Support for Messenger32731031k+Interpolated SQL is not prepared
#1306Blog2Social: Social Media Auto Post & Scheduler32795750k+Direct Query
#1307BuddyPress for LearnDash321902841k+Output is not escaped
#1308Quantity Discounts, Breaks & Product Bundles for Woocommerce By Bundler32147319400Direct Query
#1309Code Manager32217261500Nonce verification recommended
#1310Vimeotheque – Vimeo WordPress Plugin & Video Gallery326422642k+Unsafe printing function
#1311Ultimate WooCommerce Filters32322207600Unsafe printing function
#1312CSV Import and Exporter32831381k+Non-prefixed global variable
#1313Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)325601985k+Text Domain Mismatch
#1314Fable Extra32792824k+Non-prefixed global variable
#1315FA Lite – WP responsive slider plugin32726140500Unsafe printing function
#1316Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages32537768k+Nonce verification recommended
#1317WP Gravity Forms HubSpot32771160600Text Domain Mismatch
#1318CRM Perks Integration for Gravity Forms and Salesforce328071781k+Text Domain Mismatch
#1319WP Gravity Forms Zoho CRM and Bigin32750174400Text Domain Mismatch
#1320GlotPress32403103500Unsafe printing function
#1321Insights from Google PageSpeed3241447520k+Text Domain Mismatch
#1322Gwolle Guestbook3226952720k+Output is not escaped
#1323Honeypot Toolkit32155770400Missing nonce verification
#1324HTML5 jQuery Audio Player322511531k+Unsafe printing function
#1325Jetpack VaultPress Backup3255421120k+Text Domain Mismatch
#1326Manager for IcoMoon3227068400Short PHP open tag found
#1327MapPress Maps for WordPress3269513330k+Missing Arg Domain
#1328WP Mobile Menu – The Mobile-Friendly Responsive Menu3299019580k+Output is not escaped
#1329Organization chart321873345k+SQL query is not prepared
#1330DEPRECATED – Shipmondo – A complete shipping solution for WooCommerce321661195k+Output is not escaped
#1331PilotPress32150285900Output is not escaped
#1332Plugin Organizer3232625710k+Output is not escaped
#1333TS Poll – Survey, Versus Poll, Image Poll, Video Poll325701714k+Text Domain Mismatch
#1334Volunteer Sign Up Sheets329674011k+Output is not escaped
#1335Relevanssi – A Better Search3286266100k+Missing direct file access protection
#1336Responsive Filterable Portfolio Gallery – Media Grid & Video Portfolio324361631k+Output is not escaped
#1337Restrict Usernames Emails Characters323273671k+Output is not escaped
#1338WowRevenue – Product Bundles & Bulk Discounts32132,0271k+Non-prefixed global variable
#1339Simple Ajax Chat – Add a Fast, Secure Chat Box321082662k+Output is not escaped
#1340Sky Addons for Elementor32853512k+Non-prefixed namespace
#1341Split Test For Elementor32981323k+Non-prefixed global variable
#1342Stock Locations for WooCommerce325493601k+Output is not escaped
#1343Stock Sync for WooCommerce323622321k+Text Domain Mismatch
#1344Subscribe2 – Form, Email Subscribers & Newsletters323241010k+Direct Query
#1345System Dashboard32912051k+Request data is not unslashed
#1346Thrive Automator32848410k+SQL query is not prepared
#1347TK Google Fonts GDPR Compliant32582341k+Output is not escaped
#1348Tumult Hype Animations32561171k+Output is not escaped
#1349Ultimate Store Kit – Addon For WooCommerce, EDD and Elementor32572934k+Post Not In exclude
#1350WebwinkelKeur: Webshop keurmerk & reviews for WordPress32200474k+Short PHP open tag found