PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1951 | Paystack Add-On for Gravity Forms | 39 | 96 | 31 | 400 | Text Domain Mismatch | ||
| #1952 | Query Multiple Taxonomies | 39 | 55 | 41 | 500 | Output is not escaped | ||
| #1953 | Quform Mailchimp | 39 | 65 | 147 | 800 | Nonce verification recommended | ||
| #1954 | Quform Zapier | 39 | 60 | 123 | 1k+ | Nonce verification recommended | ||
| #1955 | Redirect 404 Error Page to Homepage or Custom Page with Logs | 39 | 27 | 53 | 10k+ | Nonce verification recommended | ||
| #1956 | Re Gallery – Responsive Image & Photo Gallery | 39 | 16 | 121 | 700 | Missing nonce verification | ||
| #1957 | REST API Helper | 39 | 108 | 85 | 500 | Unsafe printing function | ||
| #1958 | Serial Number for Contact Form 7 | 39 | 105 | 53 | 2k+ | Non Singular String Literal Domain | ||
| #1959 | Taxonomy Thumbnail | 39 | 27 | 58 | 3k+ | Non-prefixed function | ||
| #1960 | Shared Files – File Upload & Download Manager | 39 | 5 | 184 | 4k+ | Nonce verification recommended | ||
| #1961 | Show All Comments | 39 | 108 | 92 | 400 | Nonce verification recommended | ||
| #1962 | Simple Membership WP user Import | 39 | 22 | 46 | 4k+ | Request data is not unslashed | ||
| #1963 | Smart Archives Reloaded | 39 | 78 | 36 | 1k+ | Non Singular String Literal Domain | ||
| #1964 | Easy Category Icons | 39 | 50 | 43 | 600 | Text Domain Mismatch | ||
| #1965 | ThemeKit For WordPress | 39 | 149 | 49 | 700 | Output is not escaped | ||
| #1966 | Traffic Monitor | 39 | 6 | 143 | 1k+ | Direct Query | ||
| #1967 | Accessibility by UserWay | 39 | 22 | 35 | 80k+ | Direct Query | ||
| #1968 | Smart Variation Swatches and Attribute Filters for WooCommerce | 39 | 39 | 50 | 3k+ | Output is not escaped | ||
| #1969 | Virtuaria Correios – Frete, Etiqueta, Rastreio e Declaração | 39 | 18 | 81 | 500 | Nonce verification recommended | ||
| #1970 | Website LLMs.txt | 39 | 13 | 149 | 40k+ | Non-prefixed global variable | ||
| #1971 | Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types | 39 | 89 | 117 | 20k+ | Unsafe printing function | ||
| #1972 | CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x | 39 | 7 | 222 | 20k+ | Non-prefixed hook name | ||
| #1973 | WP Limit Login Attempts | 39 | 26 | 67 | 10k+ | Direct Query | ||
| #1974 | WP Most Popular | 39 | 50 | 35 | 2k+ | Output is not escaped | ||
| #1975 | AidWP – Donation & Payment Forms (Stripe Powered) | 39 | 193 | 800 | Non-prefixed global variable | |||
| #1976 | SEO Auto Linker | 39 | 97 | 62 | 3k+ | Unsafe printing function | ||
| #1977 | Categories to Tags Converter | 39 | 86 | 38 | 50k+ | Output is not escaped | ||
| #1978 | YITH Custom Login | 39 | 86 | 33 | 5k+ | Output is not escaped | ||
| #1979 | 404 Notifier | 40 | 39 | 41 | 700 | Output is not escaped | ||
| #1980 | ACF Theme Code for Advanced Custom Fields | 40 | 478 | 40 | 10k+ | Output is not escaped | ||
| #1981 | ACF to Custom Database Tables | 40 | 36 | 64 | 600 | Nonce verification recommended | ||
| #1982 | Add & Replace Affiliate Links for Amazon | 40 | 39 | 52 | 600 | Output is not escaped | ||
| #1983 | Admin Search | 40 | 31 | 47 | 1k+ | Output is not escaped | ||
| #1984 | Advanced Admin Search | 40 | 79 | 48 | 600 | Non Singular String Literal Text | ||
| #1985 | Advanced Country Blocker | 40 | 23 | 77 | 2k+ | Exception output is not escaped | ||
| #1986 | Advanced IP Blocker | 40 | 94 | 49 | 2k+ | Exception output is not escaped | ||
| #1987 | Allow Multiple Accounts | 40 | 115 | 19 | 9k+ | Non Singular String Literal Domain | ||
| #1988 | Atomic Edge Security – Firewall, Malware Scan and Login Security | 40 | 12 | 184 | 700 | Non-prefixed global variable | ||
| #1989 | AutoConvert Greeklish Permalinks | 40 | 116 | 13 | 30k+ | Text Domain Mismatch | ||
| #1990 | Broken Link Notifier | 40 | 11 | 193 | 1k+ | Non-prefixed global variable | ||
| #1991 | BuddyPress Profile Completion | 40 | 28 | 30 | 500 | Output is not escaped | ||
| #1992 | Coming soon Page | 40 | 24 | 18 | 500 | Text Domain Mismatch | ||
| #1993 | Country State City Dropdown CF7 | 40 | 35 | 54 | 5k+ | Direct Query | ||
| #1994 | Coupon Generator for WooCommerce | 40 | 39 | 28 | 10k+ | Unsafe printing function | ||
| #1995 | Cron Logger | 40 | 49 | 36 | 1k+ | Output is not escaped | ||
| #1996 | Cryptocurrency Widgets Pack | 40 | 222 | 52 | 700 | Unsafe printing function | ||
| #1997 | Delete Me | 40 | 116 | 17 | 7k+ | Output is not escaped | ||
| #1998 | Easy Image Collage | 40 | 96 | 18 | 4k+ | Unsafe printing function | ||
| #1999 | Enhanced Custom Permalinks | 40 | 51 | 82 | 1k+ | Nonce verification recommended | ||
| #2000 | Eventer | 40 | 61 | 55 | 1k+ | Output is not escaped |