PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2101 | WP Author Security | 42 | 40 | 13 | 500 | Output is not escaped | ||
| #2102 | WP Bulk Delete | 42 | 7 | 130 | 100k+ | Direct Query | ||
| #2103 | WP Fingerprint | 42 | 34 | 47 | 9k+ | Direct Query | ||
| #2104 | WP Media Category Management | 42 | 10 | 176 | 6k+ | Nonce verification recommended | ||
| #2105 | Advanced All in One Admin Search by WP Spotlight | 42 | 25 | 25 | 900 | Missing Version | ||
| #2106 | Auto Alt Text | 43 | 52 | 13 | 4k+ | Exception output is not escaped | ||
| #2107 | F4 Total Stock Value for WooCommerce | 43 | 27 | 12 | 1k+ | Output is not escaped | ||
| #2108 | Pods Gravity Forms Add-On | 43 | 79 | 1k+ | Missing nonce verification | |||
| #2109 | Post title marquee scroll | 43 | 43 | 25 | 1k+ | Output is not escaped | ||
| #2110 | Qodax Checkout Manager – Checkout Field Editor for WooCommerce | 43 | 17 | 27 | 400 | Interpolated SQL is not prepared | ||
| #2111 | Secure Passkeys | 43 | 145 | 83 | 1k+ | Exception output is not escaped | ||
| #2112 | Term Management Tools | 43 | 9 | 26 | 10k+ | Non-prefixed hook name | ||
| #2113 | User Role Editor | 43 | 117 | 145 | 700k+ | Output is not escaped | ||
| #2114 | Analytify – Google Analytics Dashboard For WordPress (GA4 analytics tracking) | 43 | 208 | 483 | 20k+ | Non-prefixed function | ||
| #2115 | WP Mail Log | 43 | 40 | 29 | 10k+ | Text Domain Mismatch | ||
| #2116 | Advanced Dynamic Pricing and Discount Rules for WooCommerce | 44 | 2 | 813 | 20k+ | Non-prefixed namespace | ||
| #2117 | Checkout Upsell Funnel for WooCommerce | 44 | 6 | 244 | 600 | Non-prefixed global variable | ||
| #2118 | Debug Bar Console | 44 | 23 | 9 | 1k+ | Missing Arg Domain | ||
| #2119 | EasyFonts – Host Google Fonts Locally, Fast & Auto-Optimize, GDPR Compliant | 44 | 5 | 70 | 1k+ | Interpolated SQL is not prepared | ||
| #2120 | ELEX WooCommerce Role Based Pricing | 44 | 213 | 196 | 2k+ | Non-prefixed global variable | ||
| #2121 | Github Embed | 44 | 18 | 35 | 1k+ | Non-prefixed global variable | ||
| #2122 | Proxy & VPN Blocker | 44 | 74 | 1k+ | Nonce verification recommended | |||
| #2123 | Simple Full Screen Background Image | 44 | 23 | 13 | 10k+ | Output is not escaped | ||
| #2124 | SKT Addons for Elementor | 44 | 611 | 383 | 1k+ | Text Domain Mismatch | ||
| #2125 | Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro | 45 | 26 | 117 | 20k+ | Non-prefixed hook name | ||
| #2126 | Icons Font Loader – Load Web Fonts and Icon Libraries | 45 | 47 | 33 | 2k+ | Text Domain Mismatch | ||
| #2127 | JetHost Total Care – Security & Enhancements | 45 | 10 | 85 | 800 | Direct Query | ||
| #2128 | Jetpack Search | 45 | 925 | 426 | 5k+ | Text Domain Mismatch | ||
| #2129 | Related Posts By PickPlugins | 45 | 4 | 84 | 3k+ | Non-prefixed global variable | ||
| #2130 | ARI Stream Quiz – WordPress Quizzes Builder | 46 | 21 | 239 | 2k+ | Non-prefixed global variable | ||
| #2131 | Easy Subscribe | 46 | 132 | 800 | Direct Query | |||
| #2132 | GetAutoSEO AI Tool | 46 | 10 | 262 | 2k+ | Direct Query | ||
| #2133 | Gravity Forms Constant Contact | 46 | 36 | 27 | 3k+ | Non-prefixed class | ||
| #2134 | Import Social Events | 46 | 26 | 355 | 3k+ | Non-prefixed global variable | ||
| #2135 | Live Copy Paste for Elementor – Cross Domain Copy Paste & Page Duplicator | 46 | 13 | 25 | 7k+ | Request data is not unslashed | ||
| #2136 | Podcast Player – Your Podcasting Companion | 46 | 14 | 133 | 10k+ | Non-prefixed global variable | ||
| #2137 | Repeater Fields for Gravity Forms | 46 | 134 | 41 | 1k+ | wp function not compatible with requires wp | ||
| #2138 | WP All Import – Import SEO Settings for Yoast SEO | 46 | 19 | 26 | 20k+ | Nonce verification recommended | ||
| #2139 | Auto Focus Keyword for SEO | 47 | 13 | 44 | 2k+ | Interpolated SQL is not prepared | ||
| #2140 | 404 Image Redirection (Replace Broken Images) | 47 | 118 | 85 | 600 | Text Domain Mismatch | ||
| #2141 | Better Badge – Custom Product Badges for WooCommerce | 47 | 22 | 47 | 500 | Non Singular String Literal Domain | ||
| #2142 | Delete Duplicate Posts | 47 | 9 | 50 | 10k+ | Direct Query | ||
| #2143 | DPO Pay for WooCommerce | 47 | 28 | 41 | 1k+ | Non Singular String Literal Text | ||
| #2144 | Show IDs by Echo | 47 | 21 | 13 | 2k+ | Output is not escaped | ||
| #2145 | Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator | 47 | 44 | 83 | 10k+ | Missing direct file access protection | ||
| #2146 | Log Emails | 47 | 19 | 29 | 6k+ | Non-prefixed global variable | ||
| #2147 | Real Media Library: Media Library Folder & File Manager | 47 | 1 | 365 | 100k+ | Direct Query | ||
| #2148 | Security Ninja For MainWP | 47 | 246 | 71 | 500 | Text Domain Mismatch | ||
| #2149 | Simple Custom Post Order | 47 | 9 | 76 | 300k+ | Direct Query | ||
| #2150 | Userback | 47 | 13 | 20 | 2k+ | Output is not escaped |