PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1551EnvíaloSimple: Email Marketing y Newsletters351472502k+Nonce verification recommended
#1552EWWW Image Optimizer352257291m+Direct Query
#1553Export Featured Images35176671k+Output is not escaped
#1554Extendify358064500k+Text Domain Mismatch
#1555External Links Overview3557200800Non-prefixed global variable
#1556WP2Social Auto Publish356432159k+Unsafe printing function
#1557Reviews Widgets for Google, TripAdvisor, Yelp & Recommendations3525522510k+Output is not escaped
#1558Flexible PDF Invoices for WooCommerce & WordPress3515556k+Non-prefixed global variable
#1559Full Width Banner Slider Wp352391402k+Output is not escaped
#1560g-FFL Cockpit3518224500Direct Query
#1561Video Gallery – YouTube Gallery, Vimeo, Video Portfolio, Image Portfolio and Image Gallery355019910k+Non-prefixed global variable
#1562GD bbPress Attachments352106k+wp redirect wp redirect
#1563GeoTargeting Lite – WordPress Geolocation3566791k+Output is not escaped
#1564Glossary35169932k+Non Singular String Literal Domain
#1565HivePress – Business Directory, Listings & Classified Ads Plugin353818010k+Direct Query
#1566PDF Compressor & Watermark – iLovePDF352165600Text Domain Mismatch
#1567Import Users & Customers with Meta | WP Ultimate CSV Importer Add-on35271405k+Interpolated SQL is not prepared
#1568Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts35649160k+Output is not escaped
#1569Instapage Plugin35220454k+Output is not escaped
#1570IntenseDebate Comments35203114500Output is not escaped
#1571IP Based Login35179146600Output is not escaped
#1572iPages – FlipBook Image & PDF Viewer354671772k+Text Domain Mismatch
#1573Jarvis351019500Input is not validated
#1574Static Site Exporter355425500file system operations mkdir
#1575Jetpack VideoPress357102417k+Text Domain Mismatch
#1576KBoard 위젯 – 워드프레스 게시판3553323k+Output is not escaped
#1577Kiyoh customer review3517368500Output is not escaped
#1578Lead Form Builder & Contact Form354003459k+Output is not escaped
#1579LiteSpeed Cache352868937m+Non-prefixed global variable
#1580Log HTTP Requests357182k+Interpolated SQL is not prepared
#1581Login Page Styler – Custom WordPress Login Page Customizer & Security351251682k+Missing Arg Domain
#1582Mail Queue35251031k+Nonce verification recommended
#1583MapSVG – Vector maps, Image maps, Google Maps3574471k+Missing direct file access protection
#1584Marquee image crawler35168136700Non-prefixed global variable
#1585Mechanic Visitor Counter35240667k+Output is not escaped
#1586Media Credit3528351k+Non-prefixed global variable
#1587AI Product Search for WooCommerce – Motive Commerce Search357082400Missing direct file access protection
#1588Never Let Me Go353447400Non-prefixed global variable
#1589NGG Smart Image Search35298155400Output is not escaped
#1590Nginx Cache Controller3579961k+Text Domain Mismatch
#1591Ni WooCommerce Sales Report35236256500Text Domain Mismatch
#1592NS Cloner – Site Cloner and Multisite Duplicator3529167k+Missing direct file access protection
#1593Email Marketing for WooCommerce by Omnisend35122140k+Non-prefixed function
#1594ONet Regenerate Thumbnails35190641k+Text Domain Mismatch
#1595OPcache Manager35155751k+Output is not escaped
#1596Orderable – Restaurant & Food Ordering System35123245k+Non-prefixed global variable
#1597Paybox WooCommerce Payment Gateway3516588500Non Singular String Literal Domain
#1598Paytm Payment Gateway35921043k+Missing Arg Domain
#1599Perfecty Push Notifications352042134k+SQL query is not prepared
#1600Popular Posts3516671900Unsafe printing function