PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2101WP Author Security424013500Output is not escaped
#2102WP Bulk Delete427130100k+Direct Query
#2103WP Fingerprint4234479k+Direct Query
#2104WP Media Category Management42101766k+Nonce verification recommended
#2105Advanced All in One Admin Search by WP Spotlight422525900Missing Version
#2106Auto Alt Text4352134k+Exception output is not escaped
#2107F4 Total Stock Value for WooCommerce4327121k+Output is not escaped
#2108Pods Gravity Forms Add-On43791k+Missing nonce verification
#2109Post title marquee scroll4343251k+Output is not escaped
#2110Qodax Checkout Manager – Checkout Field Editor for WooCommerce431727400Interpolated SQL is not prepared
#2111Secure Passkeys43145831k+Exception output is not escaped
#2112Term Management Tools4392610k+Non-prefixed hook name
#2113User Role Editor43117145700k+Output is not escaped
#2114Analytify – Google Analytics Dashboard For WordPress (GA4 analytics tracking)4320848320k+Non-prefixed function
#2115WP Mail Log43402910k+Text Domain Mismatch
#2116Advanced Dynamic Pricing and Discount Rules for WooCommerce44281320k+Non-prefixed namespace
#2117Checkout Upsell Funnel for WooCommerce446244600Non-prefixed global variable
#2118Debug Bar Console442391k+Missing Arg Domain
#2119EasyFonts – Host Google Fonts Locally, Fast & Auto-Optimize, GDPR Compliant445701k+Interpolated SQL is not prepared
#2120ELEX WooCommerce Role Based Pricing442131962k+Non-prefixed global variable
#2121Github Embed4418351k+Non-prefixed global variable
#2122Proxy & VPN Blocker44741k+Nonce verification recommended
#2123Simple Full Screen Background Image44231310k+Output is not escaped
#2124SKT Addons for Elementor446113831k+Text Domain Mismatch
#2125Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro452611720k+Non-prefixed hook name
#2126Icons Font Loader – Load Web Fonts and Icon Libraries4547332k+Text Domain Mismatch
#2127JetHost Total Care – Security & Enhancements451085800Direct Query
#2128Jetpack Search459254265k+Text Domain Mismatch
#2129Related Posts By PickPlugins454843k+Non-prefixed global variable
#2130ARI Stream Quiz – WordPress Quizzes Builder46212392k+Non-prefixed global variable
#2131Easy Subscribe46132800Direct Query
#2132GetAutoSEO AI Tool46102622k+Direct Query
#2133Gravity Forms Constant Contact4636273k+Non-prefixed class
#2134Import Social Events46263553k+Non-prefixed global variable
#2135Live Copy Paste for Elementor – Cross Domain Copy Paste & Page Duplicator4613257k+Request data is not unslashed
#2136Podcast Player – Your Podcasting Companion461413310k+Non-prefixed global variable
#2137Repeater Fields for Gravity Forms46134411k+wp function not compatible with requires wp
#2138WP All Import – Import SEO Settings for Yoast SEO46192620k+Nonce verification recommended
#2139Auto Focus Keyword for SEO4713442k+Interpolated SQL is not prepared
#2140404 Image Redirection (Replace Broken Images)4711885600Text Domain Mismatch
#2141Better Badge – Custom Product Badges for WooCommerce472247500Non Singular String Literal Domain
#2142Delete Duplicate Posts4795010k+Direct Query
#2143DPO Pay for WooCommerce4728411k+Non Singular String Literal Text
#2144Show IDs by Echo4721132k+Output is not escaped
#2145Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator47448310k+Missing direct file access protection
#2146Log Emails4719296k+Non-prefixed global variable
#2147Real Media Library: Media Library Folder & File Manager471365100k+Direct Query
#2148Security Ninja For MainWP4724671500Text Domain Mismatch
#2149Simple Custom Post Order47976300k+Direct Query
#2150Userback4713202k+Output is not escaped