PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1951Paystack Add-On for Gravity Forms399631400Text Domain Mismatch
#1952Query Multiple Taxonomies395541500Output is not escaped
#1953Quform Mailchimp3965147800Nonce verification recommended
#1954Quform Zapier39601231k+Nonce verification recommended
#1955Redirect 404 Error Page to Homepage or Custom Page with Logs39275310k+Nonce verification recommended
#1956Re Gallery – Responsive Image & Photo Gallery3916121700Missing nonce verification
#1957REST API Helper3910885500Unsafe printing function
#1958Serial Number for Contact Form 739105532k+Non Singular String Literal Domain
#1959Taxonomy Thumbnail3927583k+Non-prefixed function
#1960Shared Files – File Upload & Download Manager3951844k+Nonce verification recommended
#1961Show All Comments3910892400Nonce verification recommended
#1962Simple Membership WP user Import3922464k+Request data is not unslashed
#1963Smart Archives Reloaded3978361k+Non Singular String Literal Domain
#1964Easy Category Icons395043600Text Domain Mismatch
#1965ThemeKit For WordPress3914949700Output is not escaped
#1966Traffic Monitor3961431k+Direct Query
#1967Accessibility by UserWay39223580k+Direct Query
#1968Smart Variation Swatches and Attribute Filters for WooCommerce3939503k+Output is not escaped
#1969Virtuaria Correios – Frete, Etiqueta, Rastreio e Declaração391881500Nonce verification recommended
#1970Website LLMs.txt391314940k+Non-prefixed global variable
#1971Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types398911720k+Unsafe printing function
#1972CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x39722220k+Non-prefixed hook name
#1973WP Limit Login Attempts39266710k+Direct Query
#1974WP Most Popular3950352k+Output is not escaped
#1975AidWP – Donation & Payment Forms (Stripe Powered)39193800Non-prefixed global variable
#1976SEO Auto Linker3997623k+Unsafe printing function
#1977Categories to Tags Converter39863850k+Output is not escaped
#1978YITH Custom Login3986335k+Output is not escaped
#1979404 Notifier403941700Output is not escaped
#1980ACF Theme Code for Advanced Custom Fields404784010k+Output is not escaped
#1981ACF to Custom Database Tables403664600Nonce verification recommended
#1982Add & Replace Affiliate Links for Amazon403952600Output is not escaped
#1983Admin Search4031471k+Output is not escaped
#1984Advanced Admin Search407948600Non Singular String Literal Text
#1985Advanced Country Blocker4023772k+Exception output is not escaped
#1986Advanced IP Blocker4094492k+Exception output is not escaped
#1987Allow Multiple Accounts40115199k+Non Singular String Literal Domain
#1988Atomic Edge Security – Firewall, Malware Scan and Login Security4012184700Non-prefixed global variable
#1989AutoConvert Greeklish Permalinks401161330k+Text Domain Mismatch
#1990Broken Link Notifier40111931k+Non-prefixed global variable
#1991BuddyPress Profile Completion402830500Output is not escaped
#1992Coming soon Page402418500Text Domain Mismatch
#1993Country State City Dropdown CF74035545k+Direct Query
#1994Coupon Generator for WooCommerce40392810k+Unsafe printing function
#1995Cron Logger4049361k+Output is not escaped
#1996Cryptocurrency Widgets Pack4022252700Unsafe printing function
#1997Delete Me40116177k+Output is not escaped
#1998Easy Image Collage4096184k+Unsafe printing function
#1999Enhanced Custom Permalinks4051821k+Nonce verification recommended
#2000Eventer4061551k+Output is not escaped