PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1551 | EnvíaloSimple: Email Marketing y Newsletters | 35 | 147 | 250 | 2k+ | Nonce verification recommended | ||
| #1552 | EWWW Image Optimizer | 35 | 225 | 729 | 1m+ | Direct Query | ||
| #1553 | Export Featured Images | 35 | 176 | 67 | 1k+ | Output is not escaped | ||
| #1554 | Extendify | 35 | 80 | 64 | 500k+ | Text Domain Mismatch | ||
| #1555 | External Links Overview | 35 | 57 | 200 | 800 | Non-prefixed global variable | ||
| #1556 | WP2Social Auto Publish | 35 | 643 | 215 | 9k+ | Unsafe printing function | ||
| #1557 | Reviews Widgets for Google, TripAdvisor, Yelp & Recommendations | 35 | 255 | 225 | 10k+ | Output is not escaped | ||
| #1558 | Flexible PDF Invoices for WooCommerce & WordPress | 35 | 15 | 55 | 6k+ | Non-prefixed global variable | ||
| #1559 | Full Width Banner Slider Wp | 35 | 239 | 140 | 2k+ | Output is not escaped | ||
| #1560 | g-FFL Cockpit | 35 | 18 | 224 | 500 | Direct Query | ||
| #1561 | Video Gallery – YouTube Gallery, Vimeo, Video Portfolio, Image Portfolio and Image Gallery | 35 | 50 | 199 | 10k+ | Non-prefixed global variable | ||
| #1562 | GD bbPress Attachments | 35 | 2 | 10 | 6k+ | wp redirect wp redirect | ||
| #1563 | GeoTargeting Lite – WordPress Geolocation | 35 | 66 | 79 | 1k+ | Output is not escaped | ||
| #1564 | Glossary | 35 | 169 | 93 | 2k+ | Non Singular String Literal Domain | ||
| #1565 | HivePress – Business Directory, Listings & Classified Ads Plugin | 35 | 38 | 180 | 10k+ | Direct Query | ||
| #1566 | PDF Compressor & Watermark – iLovePDF | 35 | 216 | 5 | 600 | Text Domain Mismatch | ||
| #1567 | Import Users & Customers with Meta | WP Ultimate CSV Importer Add-on | 35 | 27 | 140 | 5k+ | Interpolated SQL is not prepared | ||
| #1568 | Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts | 35 | 64 | 91 | 60k+ | Output is not escaped | ||
| #1569 | Instapage Plugin | 35 | 220 | 45 | 4k+ | Output is not escaped | ||
| #1570 | IntenseDebate Comments | 35 | 203 | 114 | 500 | Output is not escaped | ||
| #1571 | IP Based Login | 35 | 179 | 146 | 600 | Output is not escaped | ||
| #1572 | iPages – FlipBook Image & PDF Viewer | 35 | 467 | 177 | 2k+ | Text Domain Mismatch | ||
| #1573 | Jarvis | 35 | 10 | 19 | 500 | Input is not validated | ||
| #1574 | Static Site Exporter | 35 | 54 | 25 | 500 | file system operations mkdir | ||
| #1575 | Jetpack VideoPress | 35 | 710 | 241 | 7k+ | Text Domain Mismatch | ||
| #1576 | KBoard 위젯 – 워드프레스 게시판 | 35 | 53 | 32 | 3k+ | Output is not escaped | ||
| #1577 | Kiyoh customer review | 35 | 173 | 68 | 500 | Output is not escaped | ||
| #1578 | Lead Form Builder & Contact Form | 35 | 400 | 345 | 9k+ | Output is not escaped | ||
| #1579 | LiteSpeed Cache | 35 | 286 | 893 | 7m+ | Non-prefixed global variable | ||
| #1580 | Log HTTP Requests | 35 | 7 | 18 | 2k+ | Interpolated SQL is not prepared | ||
| #1581 | Login Page Styler – Custom WordPress Login Page Customizer & Security | 35 | 125 | 168 | 2k+ | Missing Arg Domain | ||
| #1582 | Mail Queue | 35 | 25 | 103 | 1k+ | Nonce verification recommended | ||
| #1583 | MapSVG – Vector maps, Image maps, Google Maps | 35 | 74 | 47 | 1k+ | Missing direct file access protection | ||
| #1584 | Marquee image crawler | 35 | 168 | 136 | 700 | Non-prefixed global variable | ||
| #1585 | Mechanic Visitor Counter | 35 | 240 | 66 | 7k+ | Output is not escaped | ||
| #1586 | Media Credit | 35 | 28 | 35 | 1k+ | Non-prefixed global variable | ||
| #1587 | AI Product Search for WooCommerce – Motive Commerce Search | 35 | 70 | 82 | 400 | Missing direct file access protection | ||
| #1588 | Never Let Me Go | 35 | 34 | 47 | 400 | Non-prefixed global variable | ||
| #1589 | NGG Smart Image Search | 35 | 298 | 155 | 400 | Output is not escaped | ||
| #1590 | Nginx Cache Controller | 35 | 79 | 96 | 1k+ | Text Domain Mismatch | ||
| #1591 | Ni WooCommerce Sales Report | 35 | 236 | 256 | 500 | Text Domain Mismatch | ||
| #1592 | NS Cloner – Site Cloner and Multisite Duplicator | 35 | 29 | 16 | 7k+ | Missing direct file access protection | ||
| #1593 | Email Marketing for WooCommerce by Omnisend | 35 | 12 | 21 | 40k+ | Non-prefixed function | ||
| #1594 | ONet Regenerate Thumbnails | 35 | 190 | 64 | 1k+ | Text Domain Mismatch | ||
| #1595 | OPcache Manager | 35 | 155 | 75 | 1k+ | Output is not escaped | ||
| #1596 | Orderable – Restaurant & Food Ordering System | 35 | 12 | 324 | 5k+ | Non-prefixed global variable | ||
| #1597 | Paybox WooCommerce Payment Gateway | 35 | 165 | 88 | 500 | Non Singular String Literal Domain | ||
| #1598 | Paytm Payment Gateway | 35 | 92 | 104 | 3k+ | Missing Arg Domain | ||
| #1599 | Perfecty Push Notifications | 35 | 204 | 213 | 4k+ | SQL query is not prepared | ||
| #1600 | Popular Posts | 35 | 166 | 71 | 900 | Unsafe printing function |