PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2151Userback4713202k+Output is not escaped
#2152FedaPay Gateway for WooCommerce472411700Output is not escaped
#2153WP Prefix Changer472716900Missing Arg Domain
#2154XML Sitemap & Google News47270224100k+Non-prefixed global variable
#2155AffiliateWP – Store Credit484721400Output is not escaped
#2156Comment Notifier481055400Non-prefixed global variable
#2157Easy Share Solution For WordPress481533900Output is not escaped
#2158Jetpack Social4882925430k+Text Domain Mismatch
#2159Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories4863273100k+Non-prefixed global variable
#2160Seznam Webmaster48478700Output is not escaped
#2161Easy Updates Manager4813182300k+Non-prefixed global variable
#2162WP Remote Users Sync483551176k+Text Domain Mismatch
#2163WS Action Scheduler Cleaner4813802k+error log error log
#2164CIO Custom Fields Importer49238400Output is not escaped
#2165Easy Property Listings4960665k+wp function not compatible with requires wp
#2166Import into Easy Property Listings49335241k+Text Domain Mismatch
#2167Anti-Spam Protection – No API Key, GDPR Friendly4921061k+Direct Query
#2168GamiPress – Multimedia Content491125500Nonce verification recommended
#2169Plugins Last Updated Column492114700Output is not escaped
#2170ReCrawler4910404k+Direct Query
#2171Simple MyISAM to InnoDB4911221k+Output is not escaped
#2172WP Sitemap Page494314200k+Missing Translators Comment
#2173WP Smart Import : Import any XML File to WordPress49283021k+Non-prefixed global variable
#2174User Activity Tracking and Log50302632k+Non-prefixed global variable
#2175WPML Multilingual for BuddyPress and BuddyBoss5118216k+SQL query is not prepared
#2176GamiPress – Reset User511427400Interpolated SQL is not prepared
#2177Lite Video Embed513571k+Output is not escaped
#2178OnSale Page for WooCommerce5130442k+Text Domain Mismatch
#2179Popular Brand Icons – Simple Icons5120123k+Output is not escaped
#2180The Cache Purger5116161k+Non Singular String Literal Text
#2181Check Pincode For WooCommerce5255400Direct Query
#2182Firelight Lightbox527897200k+Non-prefixed global variable
#2183Fullscreen Galleria523710800Output is not escaped
#2184GSheetConnector for Gravity Forms – Send Gravity Forms Entries to Google Sheets in Real-Time5226271k+Exception output is not escaped
#2185SKU Generator for WooCommerce5229122k+Output is not escaped
#2186WPVibe – MCP Server for WordPress. Connect Claude, ChatGPT, Gemini & Cursor5219584k+Interpolated SQL is not prepared
#2187Wenprise Pinyin Slug5230344k+Text Domain Mismatch
#2188Automattic For Agencies Client5324918420k+Text Domain Mismatch
#2189File Manager53416810k+Missing direct file access protection
#2190워드프레스 결제 심플페이 – 우커머스 결제 플러그인5379921k+Missing direct file access protection
#2191Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely53349020k+Database parameter is not escaped
#2192Texty – SMS Notification for WordPress, WooCommerce, Dokan and more5331348k+Output is not escaped
#2193Ultimate Gift Cards for WooCommerce5344507k+Non-prefixed global variable
#2194aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder5483822k+Non-prefixed global variable
#2195Booking Calendar54288850k+Mixed line endings
#2196Customizable Post Listings544213700Deprecated parameter: the_author parameter 1
#2197Cyr-To-Lat541648300k+Dynamic hook name
#2198Discount Rules for WooCommerce – Disco | Dynamic Pricing, Conditions, Bulk, Bundle, BOGO541612k+Request data is not unslashed
#2199Expanding Archives543793k+Output is not escaped
#2200Extended User Search In WP-Admin5414171k+SQL query is not prepared