PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1801 | news ticker benaceur | 37 | 1,097 | 31 | 1k+ | Output is not escaped | ||
| #1802 | NextGEN Scroll Gallery | 37 | 33 | 28 | 1k+ | Output is not escaped | ||
| #1803 | Sendle Shipping Plugin | 37 | 91 | 64 | 800 | wp function not compatible with requires wp | ||
| #1804 | Oliver POS – WooCommerce POS for iPhone, iPad & Android | 37 | 15 | 242 | 800 | Interpolated SQL is not prepared | ||
| #1805 | WP All Export – Order Export for WooCommerce | 37 | 109 | 111 | 4k+ | Text Domain Mismatch | ||
| #1806 | Panda Pods Repeater Field | 37 | 9 | 260 | 600 | Non-prefixed global variable | ||
| #1807 | PayU CommercePro Plugin | 37 | 218 | 7k+ | error log error log | |||
| #1808 | Phoenix Media Rename | 37 | 180 | 104 | 50k+ | Output is not escaped | ||
| #1809 | PNG to JPG | 37 | 130 | 173 | 10k+ | Interpolated SQL is not prepared | ||
| #1810 | Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales | 37 | 59 | 64 | 2k+ | SQL query is not prepared | ||
| #1811 | Product Image Hover Effects WOOC – WPSHARE247 | 37 | 161 | 94 | 800 | Output is not escaped | ||
| #1812 | Publish to Schedule | 37 | 195 | 43 | 3k+ | Text Domain Mismatch | ||
| #1813 | Quentn WP | 37 | 4 | 251 | 500 | Nonce verification recommended | ||
| #1814 | rapidmail: Newsletter & E-Mail Marketing for WooCommerce | 37 | 79 | 47 | 400 | Text Domain Mismatch | ||
| #1815 | Ryviu – Review Importer & Product Reviews | 37 | 72 | 95 | 1k+ | Output is not escaped | ||
| #1816 | Simple Image XML Sitemap | 37 | 119 | 16 | 1k+ | Output is not escaped | ||
| #1817 | Lightbox slider – Responsive Lightbox Gallery | 37 | 36 | 173 | 3k+ | Non-prefixed global variable | ||
| #1818 | Tracking Code Manager | 37 | 55 | 42 | 90k+ | Output is not escaped | ||
| #1819 | Tracking Script Manager | 37 | 82 | 57 | 2k+ | Non Singular String Literal Domain | ||
| #1820 | UsersWP – Social Login | 37 | 299 | 91 | 2k+ | Text Domain Mismatch | ||
| #1821 | ValidateCertify Free | 37 | 123 | 97 | 1k+ | Text Domain Mismatch | ||
| #1822 | Virtual Classroom – Video Conferencing & Online Meeting with BigBlueButton | 37 | 45 | 140 | 400 | Nonce verification recommended | ||
| #1823 | Views for WPForms – Display & Edit WPForms Entries on your site frontend | 37 | 80 | 64 | 1k+ | Output is not escaped | ||
| #1824 | Conditional Discounts for WooCommerce – A simple yet complete woocommerce dynamic pricing plugin | 37 | 99 | 33 | 9k+ | Text Domain Mismatch | ||
| #1825 | Orders Tracking for WooCommerce | 37 | 7 | 312 | 10k+ | Request data is not unslashed | ||
| #1826 | Xendit Payment | 37 | 3 | 197 | 3k+ | Missing nonce verification | ||
| #1827 | WooCommerce PayPal Payments | 37 | 194 | 110 | 800k+ | Exception output is not escaped | ||
| #1828 | Wordable – Export Google Docs to WordPress | 37 | 47 | 63 | 2k+ | Output is not escaped | ||
| #1829 | Hustle – Email Marketing, Lead Generation, Optins, Popups | 37 | 4,894 | 5,942 | 90k+ | Non-prefixed global variable | ||
| #1830 | Fix Media Library | 37 | 53 | 71 | 1k+ | Output is not escaped | ||
| #1831 | WPForce Logout – WordPress User Login Logout Management Plugin | 37 | 567 | 32 | 8k+ | Output is not escaped | ||
| #1832 | WP Flow Plus | 37 | 175 | 146 | 800 | Output is not escaped | ||
| #1833 | Persistent Login | 37 | 338 | 108 | 6k+ | Unsafe printing function | ||
| #1834 | WP Show Stats | 37 | 197 | 103 | 400 | Output is not escaped | ||
| #1835 | Special Text Boxes | 37 | 38 | 42 | 2k+ | Direct Query | ||
| #1836 | TopNewsWp – Display Tikcer News, RSS Feed Widget and Many More | 37 | 878 | 59 | 800 | Output is not escaped | ||
| #1837 | XT Visitor Counter | 37 | 177 | 52 | 7k+ | Output is not escaped | ||
| #1838 | Yada Wiki | 37 | 207 | 45 | 2k+ | Text Domain Mismatch | ||
| #1839 | Zoho Marketing Automation | 37 | 24 | 194 | 1k+ | Non-prefixed global variable | ||
| #1840 | Accessibility | 38 | 66 | 61 | 1k+ | Non-prefixed global variable | ||
| #1841 | Action Scheduler | 38 | 92 | 134 | 20k+ | Exception output is not escaped | ||
| #1842 | Advanced 301 and 302 Redirect | 38 | 81 | 339 | 1k+ | Non-prefixed global variable | ||
| #1843 | Advanced Media Offloader | 38 | 57 | 93 | 5k+ | error log error log | ||
| #1844 | Alphabetic Pagination | 38 | 144 | 117 | 500 | Unsafe printing function | ||
| #1845 | Activity Log – Monitor & Record User Changes | 38 | 81 | 149 | 200k+ | Nonce verification recommended | ||
| #1846 | Automatic Post Tagger | 38 | 592 | 307 | 2k+ | Output is not escaped | ||
| #1847 | Bot Block – Stop Spam Referrals in Google Analytics | 38 | 28 | 42 | 600 | Output is not escaped | ||
| #1848 | Cache Warmer | 38 | 32 | 219 | 1k+ | Interpolated SQL is not prepared | ||
| #1849 | CC Child Pages | 38 | 63 | 152 | 9k+ | Non-prefixed global variable | ||
| #1850 | Certificate Verification | 38 | 33 | 40 | 1k+ | Output is not escaped |