PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1651WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets353522100k+Missing direct file access protection
#1652WP Cassify35106143700Missing nonce verification
#1653WP Datepicker352251817k+Output is not escaped
#1654Database Backup for WordPress351288870k+Output is not escaped
#1655WPGraphQL35108630k+Non-prefixed hook name
#1656Mail logging – WP Mail Catcher3523215720k+Text Domain Mismatch
#1657WP Open Street Map35591113k+Input is not validated
#1658WP-PageNavi358495500k+Non Singular String Literal Domain
#1659WP-Persian35144377k+Unsafe printing function
#1660WP All Import – Property Import for WP Residence354132700Output is not escaped
#1661video carousel slider with lightbox353501361k+Output is not escaped
#1662Integration for WooCommerce and QuickBooks352631251k+Output is not escaped
#1663WP Views Counter3581422k+Output is not escaped
#1664WPFront User Role Editor3533357830k+Output is not escaped
#1665WPPerformanceTester3594441k+Output is not escaped
#1666WPZOOM Addons for Elementor – Starter Templates & Widgets3516013020k+Output is not escaped
#1667WPZOOM Portfolio Lite – Filterable Portfolio Plugin35429220k+Non-prefixed global variable
#1668xili-tidy-tags352241571k+Output is not escaped
#1669XServer Migrator35395310k+Interpolated SQL is not prepared
#1670Yabe Webfont – Use Custom Fonts, Google Fonts or Adobe Fonts35481145k+Non-prefixed hook name
#1671Yes/No Chart351361392k+Unsafe printing function
#1672Year Make Model Search for WooCommerce351881621k+Output is not escaped
#1673Product Labels For Woocommerce (Sale Badges)36904810k+Output is not escaped
#1674Advanced Export for WP & WPMU3612455700Output is not escaped
#1675Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder36332210k+Nonce verification recommended
#1676Blaze Demo Importer36101948k+Output is not escaped
#1677BlockStrap Page Builder – Bootstrap Blocks3681892k+Missing direct file access protection
#1678BP Disable Activation Reloaded3614728800Output is not escaped
#1679BP Group Documents3627195600Non-prefixed global variable
#1680BP Profile Search36321855k+Output is not escaped
#1681WOLF – WordPress Posts Bulk Editor and Manager Professional3615744k+Request data is not unslashed
#1682Bulk Post Update Date36966610k+Unsafe printing function
#1683Better WordPress Recent Comments3631969600Text Domain Mismatch
#1684Simple SEO3616411310k+Non Singular String Literal Domain
#1685Multi Step for Contact Form 7366110610k+Missing nonce verification
#1686CM Header and Footer – Add custom scripts and styles to your header and footer with ease362301981k+Output is not escaped
#1687Code Snippets36342031m+Nonce verification recommended
#1688Conditional Payments for WooCommerce3629218410k+Text Domain Mismatch
#1689Continuous Image Carousel With Lightbox362551291k+Output is not escaped
#1690CP Blocks3646381k+wp function not compatible with requires wp
#1691Crelly Slider3642118510k+Unsafe printing function
#1692Custom Category Post Order368083500Text Domain Mismatch
#1693Doneren met Mollie364203514k+SQL query is not prepared
#1694Duplicate Post – duplicate pages, copy content, clone posts3676815k+wp function not compatible with requires wp
#1695Dynamic Copyright Year3697243800Output is not escaped
#1696Dynamic Front-End Heartbeat Control362171111k+Text Domain Mismatch
#1697Dynamic Visibility for Elementor36568950k+Non-prefixed hook name
#1698WP CTA – Call Now Button, Sticky Button & Call to Action Builder3614332k+Non-prefixed global variable
#1699Easy Support Videos – Embed videos in the admin3616095500Output is not escaped
#1700Enhanced Media Library3636111760k+Unsafe printing function