PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1601 | Popup with fancybox | 35 | 196 | 168 | 900 | Unsafe printing function | ||
| #1602 | Post Draft Preview | 35 | 49 | 69 | 700 | Text Domain Mismatch | ||
| #1603 | PrettyLinks – Affiliate Link Management, URL Shortener, Link Cloaking, Tracking & Branded Short Links | 35 | 1 | 4 | 200k+ | Database parameter is not escaped | ||
| #1604 | Product Delivery Date for WooCommerce – Lite | 35 | 171 | 27 | 1k+ | Text Domain Mismatch | ||
| #1605 | Quran multilanguage Text & Audio | 35 | 177 | 166 | 500 | Output is not escaped | ||
| #1606 | Related Posts by Taxonomy | 35 | 131 | 97 | 10k+ | Output is not escaped | ||
| #1607 | Related Posts for WordPress | 35 | 207 | 180 | 10k+ | Output is not escaped | ||
| #1608 | ReOrder Posts within Categories | 35 | 39 | 207 | 7k+ | Non-prefixed global variable | ||
| #1609 | WP Responsive Tabs horizontal vertical and accordion Tabs | 35 | 598 | 212 | 2k+ | Output is not escaped | ||
| #1610 | Internal Links Manager | 35 | 188 | 121 | 10k+ | Output is not escaped | ||
| #1611 | SEUR Oficial | 35 | 25 | 298 | 1k+ | Non-prefixed global variable | ||
| #1612 | ShopMagic Abandoned Cart Recovery for WooCommerce | 35 | 16 | 23 | 2k+ | Non-prefixed global variable | ||
| #1613 | Product Feed for Google Shopping, Microsoft Advertising and 40+ Channels for WooCommerce Merchant | 35 | 83 | 76 | 2k+ | Output is not escaped | ||
| #1614 | Simple History – Track, Log, and Audit WordPress Changes | 35 | 32 | 122 | 300k+ | Non-prefixed global variable | ||
| #1615 | Simple Image Sizes | 35 | 53 | 75 | 60k+ | Unsafe printing function | ||
| #1616 | Simple Yearly Archive | 35 | 102 | 36 | 6k+ | Unsafe printing function | ||
| #1617 | SiteGround Migrator | 35 | 113 | 74 | 70k+ | Missing Arg Domain | ||
| #1618 | Spacious Toolkit | 35 | 48 | 94 | 700 | Non-prefixed global variable | ||
| #1619 | Spots | 35 | 195 | 49 | 800 | Output is not escaped | ||
| #1620 | Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons | 35 | 33 | 293 | 10k+ | Non-prefixed global variable | ||
| #1621 | StoreEngine — Complete eCommerce Solution with Memberships, Licensing, Affiliates & More | 35 | 524 | 600 | Non-prefixed global variable | |||
| #1622 | String locator | 35 | 52 | 319 | 100k+ | Non-prefixed global variable | ||
| #1623 | Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress | 35 | 106 | 145 | 500 | Non-prefixed global variable | ||
| #1624 | Tapfiliate | 35 | 35 | 49 | 400 | Nonce verification recommended | ||
| #1625 | TBThemes Theme Import | 35 | 84 | 48 | 400 | Text Domain Mismatch | ||
| #1626 | Transcoder | 35 | 42 | 111 | 400 | Non-prefixed function | ||
| #1627 | Two Factor Authentication | 35 | 108 | 139 | 20k+ | Output is not escaped | ||
| #1628 | Uptime Robot Plugin for WordPress | 35 | 398 | 324 | 600 | Text Domain Mismatch | ||
| #1629 | Video Grid | 35 | 253 | 106 | 1k+ | Output is not escaped | ||
| #1630 | Video Gallery | 35 | 336 | 178 | 600 | Output is not escaped | ||
| #1631 | Void Elementor Post Grid Addon for Elementor Page builder | 35 | 189 | 93 | 3k+ | Text Domain Mismatch | ||
| #1632 | W4 Post List | 35 | 50 | 138 | 3k+ | Non-prefixed global variable | ||
| #1633 | WC Cancel Order | 35 | 52 | 122 | 5k+ | Non-prefixed hook name | ||
| #1634 | Spreadconnect | 35 | 128 | 126 | 700 | Output is not escaped | ||
| #1635 | WC Ukraine Shipping – Integration of Nova Poshta and Ukrposhta for WooCommerce | 35 | 504 | 164 | 7k+ | Text Domain Mismatch | ||
| #1636 | Wired Impact Volunteer Management | 35 | 253 | 175 | 1k+ | Output is not escaped | ||
| #1637 | ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce | 35 | 51 | 344 | 10k+ | Request data is not unslashed | ||
| #1638 | CardCom Payment Gateway | 35 | 201 | 84 | 3k+ | Text Domain Mismatch | ||
| #1639 | WP Courseware for WooCommerce | 35 | 55 | 49 | 1k+ | Text Domain Mismatch | ||
| #1640 | DPD Baltic Shipping | 35 | 91 | 202 | 2k+ | Text Domain Mismatch | ||
| #1641 | Abandoned Cart Lite for WooCommerce | 35 | 84 | 161 | 20k+ | Non-prefixed global variable | ||
| #1642 | Japanized for WooCommerce | 35 | 6 | 68 | 10k+ | Non-prefixed class | ||
| #1643 | Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing | 35 | 49 | 230 | 50k+ | Non-prefixed hook name | ||
| #1644 | PDF Invoices & Packing Slips for WooCommerce | 35 | 35 | 966 | 300k+ | Non-prefixed hook name | ||
| #1645 | Brevo for WooCommerce | 35 | 116 | 67 | 30k+ | Output is not escaped | ||
| #1646 | Wholesale Suite – B2B, Dynamic Pricing & WooCommerce Wholesale Prices | 35 | 22 | 52 | 20k+ | Direct Query | ||
| #1647 | Wooplatnica | 35 | 27 | 24 | 400 | Non-prefixed class | ||
| #1648 | Access Areas for WordPress | 35 | 17 | 95 | 400 | Direct Query | ||
| #1649 | WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets | 35 | 35 | 20 | 100k+ | Missing direct file access protection | ||
| #1650 | WP Cassify | 35 | 106 | 143 | 700 | Missing nonce verification |