PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1501Wp Default Sender Email by IT Pixelz3468225500Output is not escaped
#1502WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters3421945360k+wp function not compatible with requires wp
#1503WP Mail Logging3476258300k+Nonce verification recommended
#1504WP Popup Builder – Popup Forms and Marketing Lead Generation343571433k+Text Domain Mismatch
#1505Thumbnail Slider With Lightbox34244141700Output is not escaped
#1506Thumbnail carousel slider342771432k+Output is not escaped
#1507WP Ultimate Post Grid34114744k+Missing direct file access protection
#1508Vertical Image Slider342641381k+Output is not escaped
#1509Live Visitor Counter341081144k+Interpolated SQL is not prepared
#1510WPLMS MyCred AddOn3438373800Text Domain Mismatch
#1511Xml Sitemap Generator347247400SQL query is not prepared
#1512Embed Plus for YouTube Gallery, Livestream and Lazy Loading with Facades34571195100k+Output is not escaped
#1513Zero Spam for WordPress347939320k+Non-prefixed global variable
#1514zipMoney(Zip Co) Payments Plugin for WooCommerce34147702k+Text Domain Mismatch
#1515CAPTCHA 4WP – Antispam CAPTCHA solution for WordPress352010100k+Missing Arg Domain
#1516AfterSalesPro Plugin3524111400Nonce verification recommended
#1517Akismet Anti-spam: Spam Protection3533996m+Non-prefixed global variable
#1518AnsPress – Question and answer35227783k+Non-prefixed function
#1519Antideo Email Validator353898800Missing nonce verification
#1520Tuskcode Map Pro for Bing Maps3559359600Direct Query
#1521Aurora Heatmap35141820k+Non-prefixed global variable
#1522Author Box WP Lens35169491k+Unsafe printing function
#1523Automatic Internal Links for SEO by Pagup35301651k+error log error log
#1524Axeptio – Cookie Banner – GDPR Consent & Compliance with a friendly touch355138k+Database parameter is not escaped
#1525BackWPup – WordPress Backup & Restore Plugin3511779500k+Non-prefixed global variable
#1526Block User Account352801431k+Unsafe printing function
#1527BORICA Payments by BORICA AD35537196500Text Domain Mismatch
#1528BotWriter – AI Writer & SEO Content Generator35165043k+Direct Query
#1529Registration Options for BuddyPress35471321k+Non-prefixed function
#1530Brozzme DB Prefix & Tools Addons35244210k+Request data is not unslashed
#1531BSK Forms Blacklist358315501k+Output is not escaped
#1532CatFolders – WordPress Media Library Folders & Categories3535766k+Direct Query
#1533CF7 Views – Complete Entry Management for Contact Form 7351721811k+Output is not escaped
#1534CM E-Mail Blacklist – Simple email filtering for safer registration35269205800Output is not escaped
#1535CompressX — AVIF & WebP Converter, Media Replacement352642340k+Missing nonce verification
#1536Cookies and Content Security Policy3526141210k+Output is not escaped
#1537Core Framework35706210k+Text Domain Mismatch
#1538Custom 404 Pro3550277k+wp function not compatible with requires wp
#1539Custom Order Status for WooCommerce35415510k+Non-prefixed hook name
#1540Datafeedr Product Sets356022065k+Output is not escaped
#1541PiWeb Disable payment method / Partial payment for WooCommerce35552214k+Non-prefixed class
#1542DOOFINDER Search and Discovery for WP & WooCommerce351511202k+Text Domain Mismatch
#1543DynamicTags35116162k+Text Domain Mismatch
#1544Easy Dash for LearnDash3562388700Text Domain Mismatch
#1545Product Bundle Builder for WooCommerce351521386k+Text Domain Mismatch
#1546Easy Social Icons3518215820k+Output is not escaped
#1547Elementor Website Builder – more than just a page builder354642810m+Non-prefixed global variable
#1548Email Subscription Popup — Newsletter & GDPR Consent356831931k+Output is not escaped
#1549Email Validator for Contact Form 73511174500SQL query is not prepared
#1550Embed Privacy35104110k+slow db query meta key