PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1601Popup with fancybox35196168900Unsafe printing function
#1602Post Draft Preview354969700Text Domain Mismatch
#1603PrettyLinks – Affiliate Link Management, URL Shortener, Link Cloaking, Tracking & Branded Short Links3514200k+Database parameter is not escaped
#1604Product Delivery Date for WooCommerce – Lite35171271k+Text Domain Mismatch
#1605Quran multilanguage Text & Audio35177166500Output is not escaped
#1606Related Posts by Taxonomy351319710k+Output is not escaped
#1607Related Posts for WordPress3520718010k+Output is not escaped
#1608ReOrder Posts within Categories35392077k+Non-prefixed global variable
#1609WP Responsive Tabs horizontal vertical and accordion Tabs355982122k+Output is not escaped
#1610Internal Links Manager3518812110k+Output is not escaped
#1611SEUR Oficial35252981k+Non-prefixed global variable
#1612ShopMagic Abandoned Cart Recovery for WooCommerce3516232k+Non-prefixed global variable
#1613Product Feed for Google Shopping, Microsoft Advertising and 40+ Channels for WooCommerce Merchant3583762k+Output is not escaped
#1614Simple History – Track, Log, and Audit WordPress Changes3532122300k+Non-prefixed global variable
#1615Simple Image Sizes35537560k+Unsafe printing function
#1616Simple Yearly Archive35102366k+Unsafe printing function
#1617SiteGround Migrator351137470k+Missing Arg Domain
#1618Spacious Toolkit354894700Non-prefixed global variable
#1619Spots3519549800Output is not escaped
#1620Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons353329310k+Non-prefixed global variable
#1621StoreEngine — Complete eCommerce Solution with Memberships, Licensing, Affiliates & More35524600Non-prefixed global variable
#1622String locator3552319100k+Non-prefixed global variable
#1623Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress35106145500Non-prefixed global variable
#1624Tapfiliate353549400Nonce verification recommended
#1625TBThemes Theme Import358448400Text Domain Mismatch
#1626Transcoder3542111400Non-prefixed function
#1627Two Factor Authentication3510813920k+Output is not escaped
#1628Uptime Robot Plugin for WordPress35398324600Text Domain Mismatch
#1629Video Grid352531061k+Output is not escaped
#1630Video Gallery35336178600Output is not escaped
#1631Void Elementor Post Grid Addon for Elementor Page builder35189933k+Text Domain Mismatch
#1632W4 Post List35501383k+Non-prefixed global variable
#1633WC Cancel Order35521225k+Non-prefixed hook name
#1634Spreadconnect35128126700Output is not escaped
#1635WC Ukraine Shipping – Integration of Nova Poshta and Ukrposhta for WooCommerce355041647k+Text Domain Mismatch
#1636Wired Impact Volunteer Management352531751k+Output is not escaped
#1637ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce355134410k+Request data is not unslashed
#1638CardCom Payment Gateway35201843k+Text Domain Mismatch
#1639WP Courseware for WooCommerce3555491k+Text Domain Mismatch
#1640DPD Baltic Shipping35912022k+Text Domain Mismatch
#1641Abandoned Cart Lite for WooCommerce358416120k+Non-prefixed global variable
#1642Japanized for WooCommerce3566810k+Non-prefixed class
#1643Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing354923050k+Non-prefixed hook name
#1644PDF Invoices & Packing Slips for WooCommerce3535966300k+Non-prefixed hook name
#1645Brevo for WooCommerce351166730k+Output is not escaped
#1646Wholesale Suite – B2B, Dynamic Pricing & WooCommerce Wholesale Prices35225220k+Direct Query
#1647Wooplatnica352724400Non-prefixed class
#1648Access Areas for WordPress351795400Direct Query
#1649WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets353520100k+Missing direct file access protection
#1650WP Cassify35106143700Missing nonce verification