PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1401 | Quick Restaurant Reservations | 33 | 654 | 179 | 500 | Text Domain Mismatch | ||
| #1402 | Frisbii Pay | 33 | 91 | 292 | 1k+ | Non-prefixed global variable | ||
| #1403 | Rename wp-login.php to anything you want | 33 | 251 | 117 | 500 | Output is not escaped | ||
| #1404 | Review Slider for WooCommerce | 33 | 160 | 422 | 400 | Non-prefixed global variable | ||
| #1405 | Reviews Plus | 33 | 223 | 378 | 1k+ | Non-prefixed function | ||
| #1406 | Live Sales Notification (Recent Sales Popups) | 33 | 114 | 120 | 400 | SQL query is not prepared | ||
| #1407 | Schema & Structured Data for WP & AMP | 33 | 63 | 246 | 100k+ | Non-prefixed global variable | ||
| #1408 | Sessions | 33 | 196 | 103 | 900 | Output is not escaped | ||
| #1409 | TaxCloud for WooCommerce | 33 | 23 | 261 | 500 | Non-prefixed function | ||
| #1410 | SMTP2GO for WordPress – Email Made Easy | 33 | 186 | 111 | 30k+ | Output is not escaped | ||
| #1411 | Social Rocket – Social Sharing Plugin | 33 | 1,016 | 255 | 1k+ | Unsafe printing function | ||
| #1412 | Spiffy Calendar | 33 | 473 | 243 | 3k+ | Output is not escaped | ||
| #1413 | Spin Wheel – Interactive spinning wheel that offers coupons | 33 | 680 | 313 | 500 | Unsafe printing function | ||
| #1414 | Sublanguage | 33 | 266 | 287 | 700 | Output is not escaped | ||
| #1415 | WP Twitter Auto Publish | 33 | 442 | 171 | 4k+ | Output is not escaped | ||
| #1416 | Uix Shortcodes | 33 | 246 | 444 | 400 | Non-prefixed global variable | ||
| #1417 | Display Posts As List, Grid, Thumbs | 33 | 442 | 241 | 900 | Output is not escaped | ||
| #1418 | Variation Swatches for WooCommerce | 33 | 469 | 116 | 50k+ | Text Domain Mismatch | ||
| #1419 | Website Monetization by MageNet | 33 | 60 | 87 | 20k+ | Output is not escaped | ||
| #1420 | Rich Showcase for Google Reviews | 33 | 213 | 278 | 100k+ | Output is not escaped | ||
| #1421 | Wonder Slider Lite | 33 | 273 | 187 | 8k+ | Output is not escaped | ||
| #1422 | Product Addons for Woocommerce – Product Options with Custom Fields | 33 | 124 | 114 | 30k+ | Output is not escaped | ||
| #1423 | Hyyan WooCommerce Polylang Integration | 33 | 141 | 220 | 8k+ | Nonce verification recommended | ||
| #1424 | CartBounty – Save and recover abandoned carts for WooCommerce | 33 | 370 | 399 | 10k+ | Output is not escaped | ||
| #1425 | Pay. Payment Methods for WooCommerce | 33 | 316 | 104 | 3k+ | Non Singular String Literal Domain | ||
| #1426 | WOW Slider | 33 | 176 | 101 | 3k+ | Output is not escaped | ||
| #1427 | Books Gallery – Book Showcase, Library & Affiliate Plugin | 33 | 1,753 | 178 | 2k+ | Output is not escaped | ||
| #1428 | WP Edit | 33 | 337 | 137 | 40k+ | Unsafe printing function | ||
| #1429 | WP Social AutoConnect | 33 | 290 | 144 | 400 | Output is not escaped | ||
| #1430 | Connector for Gravity Forms and Google Sheets | 33 | 692 | 155 | 3k+ | Text Domain Mismatch | ||
| #1431 | WebToffee WP Backup and Migration | 33 | 132 | 222 | 5k+ | Non-prefixed global variable | ||
| #1432 | WP Multilang – Translation and Multilingual Plugin | 33 | 53 | 118 | 10k+ | Database parameter is not escaped | ||
| #1433 | Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management | 33 | 538 | 3k+ | Direct Query | |||
| #1434 | WP-UserOnline | 33 | 111 | 161 | 10k+ | Output is not escaped | ||
| #1435 | WPReplace内容字符替换插件 | 33 | 209 | 195 | 800 | Non Singular String Literal Domain | ||
| #1436 | XML Sitemaps | 33 | 65 | 62 | 2k+ | Output is not escaped | ||
| #1437 | Advanced Coupons for WooCommerce Coupons & Store Credit | 34 | 74 | 214 | 20k+ | Non-prefixed global variable | ||
| #1438 | Assistant – Every Day Productivity Apps | 34 | 124 | 97 | 4k+ | Exception output is not escaped | ||
| #1439 | Audit Trail | 34 | 90 | 107 | 10k+ | Unsafe printing function | ||
| #1440 | Automatic YouTube Gallery – Embed Auto-Updating YouTube Video Galleries, Feeds, Playlists & Channels | 34 | 86 | 255 | 9k+ | Direct Query | ||
| #1441 | Beeketing for WooCommerce – Marketing Automation to Boost Sales | 34 | 113 | 123 | 600 | SQL query is not prepared | ||
| #1442 | Buckets | 34 | 68 | 76 | 500 | Output is not escaped | ||
| #1443 | Campi Moduli Italiani | 34 | 72 | 363 | 500 | Unquoted Complex Placeholder | ||
| #1444 | SMS Abandoned Cart Recovery ✦ CartBoss | 34 | 67 | 72 | 400 | SQL query is not prepared | ||
| #1445 | Cornerstone | 34 | 161 | 174 | 30k+ | Nonce verification recommended | ||
| #1446 | CSS JS Manager, Async JavaScript, Defer Render Blocking CSS | 34 | 76 | 106 | 1k+ | Input is not validated | ||
| #1447 | Custom Post Type Attachment | 34 | 153 | 49 | 800 | wp function not compatible with requires wp | ||
| #1448 | Debug Log Manager Tool | 34 | 44 | 143 | 3k+ | Nonce verification recommended | ||
| #1449 | Download After Email – Subscribe & Download Form Plugin | 34 | 22 | 356 | 7k+ | Input is not validated | ||
| #1450 | Dr. Flex | 34 | 83 | 51 | 1k+ | Output is not escaped |