PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1751WP Custom Cursors | WordPress Cursor Plugin366913909k+Text Domain Mismatch
#1752WP-EMail36340951k+Unsafe printing function
#1753WP Header Images361741336k+Unsafe printing function
#1754WP Mail36202201500Output is not escaped
#1755WP Sort Order361342116k+Direct Query
#1756WP Super Edit36351852k+Nonce verification recommended
#1757WP fail2ban Blocklist3661633k+SQL query is not prepared
#1758WPLMS H5P361111061k+Text Domain Mismatch
#1759Wppao Sitemap36128219k+Output is not escaped
#1760wpShopGermany IT-RECHT KANZLEI363747500Input is not sanitized
#1761Database Snapshots – WPvivid36661081k+Direct Query
#1762YayExtra – WooCommerce Extra Product Options36114721k+Non-prefixed global variable
#1763Zeno – AI-Powered Chatbot36311131400Text Domain Mismatch
#1764Redirectioner372344101k+Output is not escaped
#1765Advanced Accordion Gutenberg Block – Create Beautiful FAQs, Content Accordions & Interactive Tabs37393610k+Missing direct file access protection
#1766AJAX Hits Counter + Popular Posts Widget37247441k+Output is not escaped
#1767Anything Popup371641852k+Non-prefixed global variable
#1768avalex – Automatisch sichere Rechtstexte3725851k+Direct Query
#1769Avatar Privacy3782361k+Missing direct file access protection
#1770Random Posts and Pages Widget37322151k+Output is not escaped
#1771Banhammer – Monitor Site Traffic, Block Bad Users and Bots371041741k+Output is not escaped
#1772Customize WordPress Emails and Alerts – Better Notifications for WP37644730k+Missing Arg Domain
#1773Contact Zalo Report SW374439900Missing Arg Domain
#1774ClickRank – Ai SEO Automation37102261k+Direct Query
#1775Lightweight Subscribe To Comments37105701k+Unsafe printing function
#1776CookieAdmin – Cookie Consent Banner374386400k+Nonce verification recommended
#1777CorvusPay WooCommerce Payment Gateway37291411k+Missing nonce verification
#1778Disclaimer Popup37313531k+Text Domain Mismatch
#1779Donation Block For PayPal3723106600Input is not validated
#1780Pricing Table WordPress Plugin – Easy Pricing Tables3733216110k+Output is not escaped
#1781Easy Testimonial Slider and Form3714144700Request data is not unslashed
#1782Encyclopedia / Glossary / Wiki37263481k+Output is not escaped
#1783Excerpt Editor37170142500Unsafe printing function
#1784Exploit Scanner37251308k+Non-prefixed global variable
#1785Get Custom Field Values3740441k+Output is not escaped
#1786果果推送3731561k+Nonce verification recommended
#1787GHL Gravity Bridge – Send Gravity Forms leads to GHL CRM3759269600Direct Query
#1788Google for WooCommerce37328121800k+Exception output is not escaped
#1789XML Sitemap Generator for Google3743791m+Input is not validated
#1790GoPay for WooCommerce37661031k+Non-prefixed global variable
#1791Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder378311320k+SQL query is not prepared
#1792Horizontal scrolling announcements372151408k+Output is not escaped
#1793Humans TXT3715986400Output is not escaped
#1794JS Help Desk – AI-Powered Support & Ticketing System37174067k+Missing nonce verification
#1795Language Switcher37811051k+Missing Translators Comment
#1796LearnPress – Course Review37674320k+Output is not escaped
#1797Media Sweep – WordPress Media Cleaner37561371k+Interpolated SQL is not prepared
#1798Metorik – Reports & Email Automation for WooCommerce37757010k+Output is not escaped
#1799CrawlWP SEO – Instant Search Engine Indexing & SEO Performance Monitor37479040k+Dynamic hook name
#1800My Post Order37100114400Output is not escaped