PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1701 | Enormail Sign Up Forms | 36 | 133 | 126 | 400 | Output is not escaped | ||
| #1702 | Events Manager and WPML Compatibility | 36 | 101 | 177 | 1k+ | Direct Query | ||
| #1703 | Friendly Functions for Welcart | 36 | 311 | 83 | 1k+ | Non Singular String Literal Domain | ||
| #1704 | Genesis Sandbox Featured Content Widget | 36 | 229 | 24 | 1k+ | Text Domain Mismatch | ||
| #1705 | GetPaid > Wallet | 36 | 174 | 227 | 700 | Text Domain Mismatch | ||
| #1706 | Google SEO Pressor for Rich snippets | 36 | 51 | 160 | 400 | Missing nonce verification | ||
| #1707 | Google Webfont Optimizer | 36 | 45 | 49 | 700 | Output is not escaped | ||
| #1708 | Header Footer Code Manager | 36 | 81 | 180 | 600k+ | Non-prefixed global variable | ||
| #1709 | HTML Forms – Simple WordPress Forms Plugin | 36 | 231 | 166 | 10k+ | Output is not escaped | ||
| #1710 | HTTP Requests Manager | 36 | 98 | 90 | 1k+ | Output is not escaped | ||
| #1711 | IntelliWidget Per Page Custom Menus and Dynamic Content | 36 | 586 | 162 | 600 | Output is not escaped | ||
| #1712 | Libro de Reclamaciones y Quejas | 36 | 266 | 124 | 4k+ | Text Domain Mismatch | ||
| #1713 | LONG URL MAKER | 36 | 39 | 71 | 1k+ | Direct Query | ||
| #1714 | LocalWeb All In One | 36 | 34 | 297 | 5k+ | Non-prefixed global variable | ||
| #1715 | Media Deduper | 36 | 60 | 99 | 9k+ | Missing Arg Domain | ||
| #1716 | Microsoft Clarity | 36 | 48 | 163 | 200k+ | Nonce verification recommended | ||
| #1717 | NextGEN Custom Fields | 36 | 215 | 131 | 1k+ | SQL query is not prepared | ||
| #1718 | Peter’s Post Notes | 36 | 224 | 102 | 3k+ | Output is not escaped | ||
| #1719 | Plugins Garbage Collector (Database Cleanup) | 36 | 32 | 51 | 10k+ | Missing nonce verification | ||
| #1720 | Post Views Stats Counter | 36 | 142 | 241 | 700 | Non-prefixed global variable | ||
| #1721 | ActiveCampaign Postmark for WordPress | 36 | 47 | 75 | 50k+ | Text Domain Mismatch | ||
| #1722 | WowStore – Store Builder & Product Blocks for WooCommerce | 36 | 56 | 437 | 4k+ | Non-prefixed global variable | ||
| #1723 | افزونه رسمی ترب | 36 | 42 | 86 | 30k+ | Exception output is not escaped | ||
| #1724 | Better Find and Replace – AI-Powered Suggestions | 36 | 67 | 129 | 40k+ | Missing direct file access protection | ||
| #1725 | Recent Posts | 36 | 106 | 30 | 500 | Text Domain Mismatch | ||
| #1726 | Optimize Database after Deleting Revisions | 36 | 644 | 127 | 60k+ | Output is not escaped | ||
| #1727 | Search & Replace | 36 | 50 | 53 | 100k+ | Missing nonce verification | ||
| #1728 | Speed Optimizer – The All-In-One Performance-Boosting Plugin | 36 | 45 | 96 | 1m+ | Non-prefixed hook name | ||
| #1729 | ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution | 36 | 63 | 669 | 100k+ | Non-prefixed global variable | ||
| #1730 | SMTP for SendGrid – YaySMTP | 36 | 27 | 96 | 1k+ | Non-prefixed global variable | ||
| #1731 | StaticPress | 36 | 88 | 79 | 500 | Output is not escaped | ||
| #1732 | Subscribe to Comments | 36 | 129 | 163 | 10k+ | Output is not escaped | ||
| #1733 | Supplier Order Email | 36 | 54 | 105 | 400 | Output is not escaped | ||
| #1734 | SureContact – Newsletters, Email Marketing, Automation, Revenue Tracking & CRM | 36 | 314 | 132 | 7k+ | Text Domain Mismatch | ||
| #1735 | SurveyJS: Drag & Drop Form Builder | 36 | 12 | 134 | 500 | Missing Version | ||
| #1736 | Sync QCloud COS | 36 | 63 | 109 | 600 | Non-prefixed function | ||
| #1737 | Bulk Product Editor plugin allows you to create and edit your WooCommerce products and categories with Google Sheets. | 36 | 50 | 105 | 400 | Direct Query | ||
| #1738 | Advance Side Cart, Ajax Cart & Floating Cart for WooCommerce | 36 | 37 | 121 | 6k+ | Non-prefixed global variable | ||
| #1739 | Plugin Name: Traffic Counter Widget Plugin | 36 | 71 | 107 | 600 | Output is not escaped | ||
| #1740 | Zoho ZeptoMail | 36 | 32 | 110 | 5k+ | Request data is not unslashed | ||
| #1741 | Ubigeo de Perú para Woocommerce y WordPress | 36 | 191 | 235 | 4k+ | Non-prefixed function | ||
| #1742 | Uji Countdown | 36 | 284 | 98 | 4k+ | Text Domain Mismatch | ||
| #1743 | PDF Flipbook, WPBakery Addon – Unreal FlipBook | 36 | 400 | 92 | 1k+ | Non Singular String Literal Domain | ||
| #1744 | When Last Login | 36 | 52 | 123 | 50k+ | Non-prefixed global variable | ||
| #1745 | Widget Indicadores Económicos (Chile) | 36 | 53 | 20 | 500 | Output is not escaped | ||
| #1746 | Viva Payments – Viva Wallet WooCommerce Payment Gateway | 36 | 97 | 32 | 1k+ | Non Singular String Literal Domain | ||
| #1747 | Extended Coupon Features for WooCommerce FREE | 36 | 219 | 63 | 10k+ | Text Domain Mismatch | ||
| #1748 | CatalogX – Catalog Mode, Enquiry & Quotes for WooCommerce | 36 | 165 | 69 | 5k+ | Text Domain Mismatch | ||
| #1749 | Hide admin notices – Admin Notification Center | 36 | 114 | 67 | 8k+ | Output is not escaped | ||
| #1750 | WP-Cleanup | 36 | 79 | 29 | 400 | Output is not escaped |