PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2001FameTheme Demo Importer4087430k+Nonce verification recommended
#2002FAQ Concertina404316600Output is not escaped
#2003Invisible Anti-Spam & CAPTCHA — reCAPTCHA Alternative for All Forms402724k+Direct Query
#2004GetPaid > Item Inventory4011252400Text Domain Mismatch
#2005Product Enquiry for WooCommerce4057413k+Output is not escaped
#2006Hostinger Reach – AI-Powered Email Marketing for WordPress409451m+Direct Query
#2007iNext Woo Pincode Checker403682700Missing nonce verification
#2008Internal Linking of Related Contents40714471k+Output is not escaped
#2009Invite Anyone40321301k+Non-prefixed hook name
#2010Links shortcode407313900Unsafe printing function
#2011WP All Import – Listings Import for Listify403427400Output is not escaped
#2012LJ Multi Column Archive4017251k+Output is not escaped
#2013LLM Bot Tracker – AI Crawler Detection & Analytics401890800Database parameter is not escaped
#2014Mass Email To Users408481800Output is not escaped
#2015Multiple Featured Images4050225k+Output is not escaped
#2016NextGEN Gallery Sidebar Widget405910500Output is not escaped
#2017Page Comments Off Please4017291k+Nonce verification recommended
#2018Paystack MemberPress407176400Output is not escaped
#2019Quiz Cat – WordPress Quiz Plugin40151694k+Output is not escaped
#2020Random Banner40591251k+Output is not escaped
#2021REST API Custom Fields404416800Text Domain Mismatch
#2022Role Based Redirect4020962k+Non-prefixed global variable
#2023Search Live4013271600Output is not escaped
#2024Select Post Export405118500Output is not escaped
#2025Show Pages URL List40292341k+Non-prefixed global variable
#2026Simple Statistics for Feeds4064131800Nonce verification recommended
#2027Statify Widget4052134k+Output is not escaped
#2028Thin Out Revisions409335800Non Singular String Literal Domain
#2029Timeline History403117500Output is not escaped
#2030UTM Leads Tracker – XLPlugins402138400Output is not escaped
#2031WC Search Orders By Product404766800Nonce verification recommended
#2032Webo-facto40411021k+Nonce verification recommended
#2033NP Quote Request for WooCommerce40911459k+Non-prefixed global variable
#2034Total Sales Counts for WooCommerce4012162700SQL query is not prepared
#2035Wallet for WooCommerce403252420k+Non-prefixed hook name
#2036Word Balloon402012510k+Request data is not unslashed
#2037WP All Import – Job Listing Import for WP Job Manager4035272k+Output is not escaped
#2038WP Multisite Content Copier/Updater4019144800Interpolated SQL is not prepared
#2039WP Reroute Email401411061k+Output is not escaped
#2040WPS Menu Exporter40472210k+Output is not escaped
#2041Yektanet Ecommerce40451031k+Request data is not unslashed
#2042Antispam411141400Missing nonce verification
#2043AxiaChat AI – Free AI Chatbot (Answers Customers Automatically)4111352k+Interpolated SQL is not prepared
#2044Cache control by Cacholong418730500Non Singular String Literal Domain
#2045CMS Tree Page View – Reorder Pages with a Drag-and-Drop Tree411219650k+Unsafe printing function
#2046Collapsed Archives415441k+Output is not escaped
#2047Duplicate Post Page Menu & Custom Post Type41351110k+Text Domain Mismatch
#2048Duplicate Page and Post41262180k+Unsafe printing function
#2049SNORDIAN's H5PxAPIkatchu4111988500SQL query is not prepared
#2050Hash Form – Drag & Drop Form Builder4192753k+Non-prefixed global variable