PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1851Database for Contact Form 738341287k+Missing nonce verification
#1852CRUDLab Disable Comments382054700Missing nonce verification
#1853Custom Menu Wizard Widget38326302k+Output is not escaped
#1854Customize Posts3831771k+Non-prefixed hook name
#1855Darkify – Dark Mode & Night Mode for Website & Admin (Dark Theme Included)3838183600Non-prefixed global variable
#1856Datafeedr WooCommerce Importer38112565k+Text Domain Mismatch
#1857Decent Comments3893282k+Output is not escaped
#1858Product Badge, Label, Countdown Timer for WooCommerce – Sale Booster38371025k+Interpolated SQL is not prepared
#1859Easy WP Cleaner38581242k+Non-prefixed global variable
#1860Export User Data38187626k+Text Domain Mismatch
#1861Front-end Editor387862500Output is not escaped
#1862Goal Tracker – Custom Event Tracking for GA438541252k+Output is not escaped
#1863GoDaddy Payments for WooCommerce3858652k+Output is not escaped
#1864Great Caroussel3860131500SQL query is not prepared
#1865Greek Multi Tool – Greeklish Slugs, Permalinks & Transliteration38160821k+Unsafe printing function
#1866HashThemes Demo Importer3871446k+Output is not escaped
#1867Icegram Mailer – Reliable Email Deliverability, No-code SMTP Replacement & Email logs38361062k+Non-prefixed global variable
#1868ThumbPress – Compress Images, Manage Thumbnails, Detect Image Issues, WebP/AVIF, Lazy Loading, Hotlinking & More38208930k+Direct Query
#1869Import to Photo Gallery from NextGen gallery388083400Direct Query
#1870Coding Chicken – JetEngine Importer385529400Missing direct file access protection
#1871Insert PHP Code Snippet3816422790k+Output is not escaped
#18723D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery383537780k+Non Singular String Literal Domain
#1873Maintenance Redirect3824413210k+Missing Arg Domain
#1874Jock On Air Now (JOAN)38121224500Output is not escaped
#1875Lana Downloads Manager38146783k+Unsafe printing function
#1876LWS Cleaner388112920k+Direct Query
#1877Migrate Store: Export and Import WooCommerce Settings3837331k+Non-prefixed global variable
#1878Most And Least Read Posts Widget38130241k+Output is not escaped
#1879MX Time Zone Clocks38219411k+Output is not escaped
#1880Name Directory385203093k+Output is not escaped
#1881Contact Form Widget38541071k+Request data is not unslashed
#1882Podlove Subscribe button38148452k+Output is not escaped
#1883Popular Widget386130700Unsafe printing function
#1884Post views Stats3837511k+Non-prefixed global variable
#1885PostLinks3810710700Output is not escaped
#1886qTranslate X Cleanup and WPML Import38167102800Text Domain Mismatch
#1887Quick Download Button38341232k+Non-prefixed global variable
#1888RDP Wiki Embed386926400Output is not escaped
#1889Like This3860171k+Output is not escaped
#1890Invoice1233813988400Text Domain Mismatch
#1891LinkBoss – Semantic AI Internal Linking3828572k+Missing Arg Domain
#1892Simple Google Sitemap XML383882k+Output is not escaped
#1893Simple Visitor Counter384127700Output is not escaped
#1894Smart Maintenance Mode381371281k+Output is not escaped
#1895Social Snap — Social Share Buttons & Click to Tweet38616910k+Direct Query
#1896SRS Simple Hits Counter3843988k+Output is not escaped
#1897Tag Manager – Header, Body And Footer389731920k+Non-prefixed global variable
#1898Accessibility Tools & Alt Text Finder3836563k+Text Domain Mismatch
#1899Trackserver3817356400Input is not sanitized
#1900Plugin Name: Traffic Stats Widget Plugin3869107600Output is not escaped