PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1651 | WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets | 35 | 35 | 22 | 100k+ | Missing direct file access protection | ||
| #1652 | WP Cassify | 35 | 106 | 143 | 700 | Missing nonce verification | ||
| #1653 | WP Datepicker | 35 | 225 | 181 | 7k+ | Output is not escaped | ||
| #1654 | Database Backup for WordPress | 35 | 128 | 88 | 70k+ | Output is not escaped | ||
| #1655 | WPGraphQL | 35 | 10 | 86 | 30k+ | Non-prefixed hook name | ||
| #1656 | Mail logging – WP Mail Catcher | 35 | 232 | 157 | 20k+ | Text Domain Mismatch | ||
| #1657 | WP Open Street Map | 35 | 59 | 111 | 3k+ | Input is not validated | ||
| #1658 | WP-PageNavi | 35 | 84 | 95 | 500k+ | Non Singular String Literal Domain | ||
| #1659 | WP-Persian | 35 | 144 | 37 | 7k+ | Unsafe printing function | ||
| #1660 | WP All Import – Property Import for WP Residence | 35 | 41 | 32 | 700 | Output is not escaped | ||
| #1661 | video carousel slider with lightbox | 35 | 350 | 136 | 1k+ | Output is not escaped | ||
| #1662 | Integration for WooCommerce and QuickBooks | 35 | 263 | 125 | 1k+ | Output is not escaped | ||
| #1663 | WP Views Counter | 35 | 81 | 42 | 2k+ | Output is not escaped | ||
| #1664 | WPFront User Role Editor | 35 | 333 | 578 | 30k+ | Output is not escaped | ||
| #1665 | WPPerformanceTester | 35 | 94 | 44 | 1k+ | Output is not escaped | ||
| #1666 | WPZOOM Addons for Elementor – Starter Templates & Widgets | 35 | 160 | 130 | 20k+ | Output is not escaped | ||
| #1667 | WPZOOM Portfolio Lite – Filterable Portfolio Plugin | 35 | 42 | 92 | 20k+ | Non-prefixed global variable | ||
| #1668 | xili-tidy-tags | 35 | 224 | 157 | 1k+ | Output is not escaped | ||
| #1669 | XServer Migrator | 35 | 39 | 53 | 10k+ | Interpolated SQL is not prepared | ||
| #1670 | Yabe Webfont – Use Custom Fonts, Google Fonts or Adobe Fonts | 35 | 48 | 114 | 5k+ | Non-prefixed hook name | ||
| #1671 | Yes/No Chart | 35 | 136 | 139 | 2k+ | Unsafe printing function | ||
| #1672 | Year Make Model Search for WooCommerce | 35 | 188 | 162 | 1k+ | Output is not escaped | ||
| #1673 | Product Labels For Woocommerce (Sale Badges) | 36 | 90 | 48 | 10k+ | Output is not escaped | ||
| #1674 | Advanced Export for WP & WPMU | 36 | 124 | 55 | 700 | Output is not escaped | ||
| #1675 | Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder | 36 | 3 | 322 | 10k+ | Nonce verification recommended | ||
| #1676 | Blaze Demo Importer | 36 | 101 | 94 | 8k+ | Output is not escaped | ||
| #1677 | BlockStrap Page Builder – Bootstrap Blocks | 36 | 81 | 89 | 2k+ | Missing direct file access protection | ||
| #1678 | BP Disable Activation Reloaded | 36 | 147 | 28 | 800 | Output is not escaped | ||
| #1679 | BP Group Documents | 36 | 27 | 195 | 600 | Non-prefixed global variable | ||
| #1680 | BP Profile Search | 36 | 321 | 85 | 5k+ | Output is not escaped | ||
| #1681 | WOLF – WordPress Posts Bulk Editor and Manager Professional | 36 | 1 | 574 | 4k+ | Request data is not unslashed | ||
| #1682 | Bulk Post Update Date | 36 | 96 | 66 | 10k+ | Unsafe printing function | ||
| #1683 | Better WordPress Recent Comments | 36 | 319 | 69 | 600 | Text Domain Mismatch | ||
| #1684 | Simple SEO | 36 | 164 | 113 | 10k+ | Non Singular String Literal Domain | ||
| #1685 | Multi Step for Contact Form 7 | 36 | 61 | 106 | 10k+ | Missing nonce verification | ||
| #1686 | CM Header and Footer – Add custom scripts and styles to your header and footer with ease | 36 | 230 | 198 | 1k+ | Output is not escaped | ||
| #1687 | Code Snippets | 36 | 34 | 203 | 1m+ | Nonce verification recommended | ||
| #1688 | Conditional Payments for WooCommerce | 36 | 292 | 184 | 10k+ | Text Domain Mismatch | ||
| #1689 | Continuous Image Carousel With Lightbox | 36 | 255 | 129 | 1k+ | Output is not escaped | ||
| #1690 | CP Blocks | 36 | 46 | 38 | 1k+ | wp function not compatible with requires wp | ||
| #1691 | Crelly Slider | 36 | 421 | 185 | 10k+ | Unsafe printing function | ||
| #1692 | Custom Category Post Order | 36 | 80 | 83 | 500 | Text Domain Mismatch | ||
| #1693 | Doneren met Mollie | 36 | 420 | 351 | 4k+ | SQL query is not prepared | ||
| #1694 | Duplicate Post – duplicate pages, copy content, clone posts | 36 | 76 | 81 | 5k+ | wp function not compatible with requires wp | ||
| #1695 | Dynamic Copyright Year | 36 | 972 | 43 | 800 | Output is not escaped | ||
| #1696 | Dynamic Front-End Heartbeat Control | 36 | 217 | 111 | 1k+ | Text Domain Mismatch | ||
| #1697 | Dynamic Visibility for Elementor | 36 | 56 | 89 | 50k+ | Non-prefixed hook name | ||
| #1698 | WP CTA – Call Now Button, Sticky Button & Call to Action Builder | 36 | 1 | 433 | 2k+ | Non-prefixed global variable | ||
| #1699 | Easy Support Videos – Embed videos in the admin | 36 | 160 | 95 | 500 | Output is not escaped | ||
| #1700 | Enhanced Media Library | 36 | 361 | 117 | 60k+ | Unsafe printing function |