PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1901Unconfirmed3820791k+Nonce verification recommended
#1902VidShop – Shoppable Videos for WooCommerce38541531k+Database parameter is not escaped
#1903WholesaleX – B2B & Wholesale Plugin for WooCommerce with Wholesale Prices38331812k+Non-prefixed global variable
#1904WishSuite – Wishlist for WooCommerce38761331k+Output is not escaped
#1905Products Coming Soon for WooCommerce3815162700Output is not escaped
#1906Wholesale for WooCommerce38541221k+Output is not escaped
#1907Connect WooCommerce Shop to ERP/CRM, Verifactu and EU/VAT Compliance38231041k+Direct Query
#1908WP 404 Auto Redirect to Similar Post381664830k+Text Domain Mismatch
#1909WP-DraftsForFriends38141711k+Output is not escaped
#1910Real-Time Post Statistics for WordPress3863681k+SQL query is not prepared
#1911Responsive Vertical Icon Menu3818885700Output is not escaped
#1912ZeroBounce Email Verification & Validation38299162900Text Domain Mismatch
#1913Zoho Campaigns3831293k+Non-prefixed global variable
#1914Ad Invalid Click Protector (AICP)39785710k+Text Domain Mismatch
#1915Add-on Gravity Forms – MailPoet 3393133600Output is not escaped
#1916Additional Order Filters for WooCommerce39792552k+Nonce verification recommended
#1917Advanced Woo Labels – Product Labels & Badges for WooCommerce3917112510k+Output is not escaped
#1918Affiliate Links – Link Cloaking and Management39231133k+Non-prefixed global variable
#1919Alt Magic: AI Image Alt Text Generator for WP & Image Rename39611121k+Direct Query
#1920Better Random Redirect398840700Text Domain Mismatch
#1921Better User Search392444700SQL query is not prepared
#1922Billplz for WooCommerce39289656k+Text Domain Mismatch
#1923Bogo393013910k+Request data is not unslashed
#1924Calculator Builder – Create an Online Calculator39162211k+Non-prefixed global variable
#1925CatFolders Document Gallery & PDF Library3966323k+Output is not escaped
#1926Constant Contact + WooCommerce3927911k+Nonce verification recommended
#1927Image CAPTCHA for Contact Form 7 and WPForms by HookAndHook (DSGVO/GDPR)39284580k+Missing nonce verification
#1928Content Visibility for Divi Builder39184592k+Non Singular String Literal Domain
#1929Custom Post Type Auto Menu395433500Text Domain Mismatch
#1930Da Reactions3915140400Request data is not unslashed
#1931Datalogics Ecommerce Delivery – Datalogics3913115500Nonce verification recommended
#1932DefendWP Firewall39162033k+Non-prefixed global variable
#1933Drip for Gravity Forms394121500Unsafe printing function
#1934Duplicate Killer – Prevent Duplicate Form Submissions39571031k+Non-prefixed global variable
#1935Caldera Forms styler for Elementor Page Builder3917312700Text Domain Mismatch
#1936Email Marketing by EmailOctopus3943623k+Non-prefixed global variable
#1937First Order Discount Woocommerce3955301k+Output is not escaped
#1938Fix Duplicates397673800Output is not escaped
#1939Flamix: Bitrix24 and WooCommerce Orders integration398131500Output is not escaped
#1940Gallery Widget3912211500Output is not escaped
#1941Maintenance Mode39861097k+Output is not escaped
#1942S2W – Import Shopify to WooCommerce3981323k+Request data is not unslashed
#1943Improved Save Button3944524k+Missing Translators Comment
#1944Insert Html Snippet3915920520k+Output is not escaped
#1945JJ NextGen JQuery Carousel391229400Output is not escaped
#1946JJ NextGen JQuery Slider392217800Output is not escaped
#1947Mail Subscribe List3917943k+Input is not validated
#1948Markup by Attribute for WooCommerce39461022k+Direct Query
#1949Menubar39171461k+Output is not escaped
#1950payever – WooCommerce Gateway39263131800Text Domain Mismatch