PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2051Log cleaner for Solid Security4165478k+Text Domain Mismatch
#2052Mihdan: Yandex Turbo Feed4165391k+Output is not escaped
#2053Mollie Forms41145653k+Request data is not unslashed
#2054Most Popular Categories41672600Output is not escaped
#2055Native Emoji4154375k+Unsafe printing function
#2056Omnibus — show the lowest price41353710k+Output is not escaped
#2057Optimus – WordPress Image Optimizer41522030k+Unsafe printing function
#2058OSS Aliyun4119404k+Request data is not unslashed
#2059Plugin Activation Tracker4136241k+Text Domain Mismatch
#2060Smart Post – Post Grid, Post Carousel, Post Slider Gutenberg Blocks for Blog & News4153720k+Non-prefixed global variable
#2061Simple Google Photos Grid414821k+Output is not escaped
#2062Simple Revision Control4122421k+Dynamic hook name
#2063Smoove connector for Elementor forms412260600Nonce verification recommended
#2064Solid Post Likes412563500Direct Query
#2065SQL Chart Builder413852600Text Domain Mismatch
#2066Feedback Company416336800Output is not escaped
#2067Threat Scan Plugin412917400Output is not escaped
#2068Visibility Logic for Elementor41274330k+Output is not escaped
#2069Abandoned Cart Recovery for WooCommerce41202024k+Request data is not unslashed
#2070M-Pesa(Kenya) Checkout for Woocommerce4146381k+Text Domain Mismatch
#2071WP Lorem ipsum413729500Unsafe printing function
#2072WP Media folders4119743k+Direct Query
#2073WP Test Email41322820k+Unsafe printing function
#2074WPC Smart Price Filter for WooCommerce411953600Nonce verification recommended
#2075Agoda Affiliate Partners Text Link Generator42440500Interpolated SQL is not prepared
#2076BP Auto Group Join425555700Output is not escaped
#2077Comment Reply Email422123500Unsafe printing function
#2078Companion Revision Manager – Revision Control4218284k+Unsafe printing function
#2079Contador de Visitas423725500SQL query is not prepared
#2080Custom Admin Page by BestWebSoft – Configurable WordPress Dashboard Pages Plugin42472181400Text Domain Mismatch
#2081Delete Expired Transients4249655k+Direct Query
#2082Etsy Shop4258213k+Unsafe printing function
#2083Geo Blocker – Control Site Access by Region and IP4210641k+Direct Query
#2084hCaptcha for WP421151870k+Exception output is not escaped
#2085Image Uploader for Welcart4227243k+Output is not escaped
#2086WP All Import – Import SEO Settings for Rank Math SEO4218447k+Nonce verification recommended
#2087iyzico for WooCommerce42345410k+Unsafe printing function
#2088LeadSnap4214841k+Input is not validated
#2089Manage User Columns4215271k+Request data is not unslashed
#2090Mass Delete Unused Tags42219800Output is not escaped
#2091Post Types Order424543600k+wp function not compatible with requires wp
#2092WP Email Log – PostBox42281700Nonce verification recommended
#2093Product Price History for WooCommerce42101800Nonce verification recommended
#2094Republish Old Posts4283242k+Output is not escaped
#2095Reusable Blocks Extended42381520k+Output is not escaped
#2096Sendcloud Shipping4278565k+Output is not escaped
#2097Set All First Images As Featured424413700Text Domain Mismatch
#2098Simple Googlebot Visit4232671k+Non Singular String Literal Domain
#2099StifLi Flex MCP – MCP Server with undo for ChatGPT, Claude & Gemini4221101k+Interpolated SQL is not prepared
#2100WC Price History4218234k+Database parameter is not escaped