PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2051 | Log cleaner for Solid Security | 41 | 65 | 47 | 8k+ | Text Domain Mismatch | ||
| #2052 | Mihdan: Yandex Turbo Feed | 41 | 65 | 39 | 1k+ | Output is not escaped | ||
| #2053 | Mollie Forms | 41 | 14 | 565 | 3k+ | Request data is not unslashed | ||
| #2054 | Most Popular Categories | 41 | 67 | 2 | 600 | Output is not escaped | ||
| #2055 | Native Emoji | 41 | 54 | 37 | 5k+ | Unsafe printing function | ||
| #2056 | Omnibus — show the lowest price | 41 | 35 | 37 | 10k+ | Output is not escaped | ||
| #2057 | Optimus – WordPress Image Optimizer | 41 | 52 | 20 | 30k+ | Unsafe printing function | ||
| #2058 | OSS Aliyun | 41 | 19 | 40 | 4k+ | Request data is not unslashed | ||
| #2059 | Plugin Activation Tracker | 41 | 36 | 24 | 1k+ | Text Domain Mismatch | ||
| #2060 | Smart Post – Post Grid, Post Carousel, Post Slider Gutenberg Blocks for Blog & News | 41 | 537 | 20k+ | Non-prefixed global variable | |||
| #2061 | Simple Google Photos Grid | 41 | 48 | 2 | 1k+ | Output is not escaped | ||
| #2062 | Simple Revision Control | 41 | 22 | 42 | 1k+ | Dynamic hook name | ||
| #2063 | Smoove connector for Elementor forms | 41 | 22 | 60 | 600 | Nonce verification recommended | ||
| #2064 | Solid Post Likes | 41 | 25 | 63 | 500 | Direct Query | ||
| #2065 | SQL Chart Builder | 41 | 38 | 52 | 600 | Text Domain Mismatch | ||
| #2066 | Feedback Company | 41 | 63 | 36 | 800 | Output is not escaped | ||
| #2067 | Threat Scan Plugin | 41 | 29 | 17 | 400 | Output is not escaped | ||
| #2068 | Visibility Logic for Elementor | 41 | 27 | 43 | 30k+ | Output is not escaped | ||
| #2069 | Abandoned Cart Recovery for WooCommerce | 41 | 20 | 202 | 4k+ | Request data is not unslashed | ||
| #2070 | M-Pesa(Kenya) Checkout for Woocommerce | 41 | 46 | 38 | 1k+ | Text Domain Mismatch | ||
| #2071 | WP Lorem ipsum | 41 | 37 | 29 | 500 | Unsafe printing function | ||
| #2072 | WP Media folders | 41 | 19 | 74 | 3k+ | Direct Query | ||
| #2073 | WP Test Email | 41 | 32 | 28 | 20k+ | Unsafe printing function | ||
| #2074 | WPC Smart Price Filter for WooCommerce | 41 | 19 | 53 | 600 | Nonce verification recommended | ||
| #2075 | Agoda Affiliate Partners Text Link Generator | 42 | 4 | 40 | 500 | Interpolated SQL is not prepared | ||
| #2076 | BP Auto Group Join | 42 | 55 | 55 | 700 | Output is not escaped | ||
| #2077 | Comment Reply Email | 42 | 21 | 23 | 500 | Unsafe printing function | ||
| #2078 | Companion Revision Manager – Revision Control | 42 | 18 | 28 | 4k+ | Unsafe printing function | ||
| #2079 | Contador de Visitas | 42 | 37 | 25 | 500 | SQL query is not prepared | ||
| #2080 | Custom Admin Page by BestWebSoft – Configurable WordPress Dashboard Pages Plugin | 42 | 472 | 181 | 400 | Text Domain Mismatch | ||
| #2081 | Delete Expired Transients | 42 | 49 | 65 | 5k+ | Direct Query | ||
| #2082 | Etsy Shop | 42 | 58 | 21 | 3k+ | Unsafe printing function | ||
| #2083 | Geo Blocker – Control Site Access by Region and IP | 42 | 10 | 64 | 1k+ | Direct Query | ||
| #2084 | hCaptcha for WP | 42 | 115 | 18 | 70k+ | Exception output is not escaped | ||
| #2085 | Image Uploader for Welcart | 42 | 27 | 24 | 3k+ | Output is not escaped | ||
| #2086 | WP All Import – Import SEO Settings for Rank Math SEO | 42 | 18 | 44 | 7k+ | Nonce verification recommended | ||
| #2087 | iyzico for WooCommerce | 42 | 34 | 54 | 10k+ | Unsafe printing function | ||
| #2088 | LeadSnap | 42 | 14 | 84 | 1k+ | Input is not validated | ||
| #2089 | Manage User Columns | 42 | 15 | 27 | 1k+ | Request data is not unslashed | ||
| #2090 | Mass Delete Unused Tags | 42 | 21 | 9 | 800 | Output is not escaped | ||
| #2091 | Post Types Order | 42 | 45 | 43 | 600k+ | wp function not compatible with requires wp | ||
| #2092 | WP Email Log – PostBox | 42 | 2 | 81 | 700 | Nonce verification recommended | ||
| #2093 | Product Price History for WooCommerce | 42 | 101 | 800 | Nonce verification recommended | |||
| #2094 | Republish Old Posts | 42 | 83 | 24 | 2k+ | Output is not escaped | ||
| #2095 | Reusable Blocks Extended | 42 | 38 | 15 | 20k+ | Output is not escaped | ||
| #2096 | Sendcloud Shipping | 42 | 78 | 56 | 5k+ | Output is not escaped | ||
| #2097 | Set All First Images As Featured | 42 | 44 | 13 | 700 | Text Domain Mismatch | ||
| #2098 | Simple Googlebot Visit | 42 | 32 | 67 | 1k+ | Non Singular String Literal Domain | ||
| #2099 | StifLi Flex MCP – MCP Server with undo for ChatGPT, Claude & Gemini | 42 | 2 | 110 | 1k+ | Interpolated SQL is not prepared | ||
| #2100 | WC Price History | 42 | 18 | 23 | 4k+ | Database parameter is not escaped |