PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2201 | Extended User Search In WP-Admin | 54 | 14 | 17 | 1k+ | SQL query is not prepared | ||
| #2202 | MSN Partner Hub | 54 | 21 | 25 | 1k+ | Missing direct file access protection | ||
| #2203 | AI Agent by SiteGround | 54 | 28 | 6 | 1m+ | Exception output is not escaped | ||
| #2204 | SimplyBook.me – Booking and reservations calendar | 54 | 31 | 13 | 30k+ | Exception output is not escaped | ||
| #2205 | WP Call Button – Easy Click to Call Button for WordPress | 54 | 21 | 38 | 40k+ | Non-prefixed global variable | ||
| #2206 | WebinarPress – Webinar System for WordPress | 54 | 61 | 499 | 900 | Non-prefixed global variable | ||
| #2207 | Accordions | 55 | 1 | 101 | 20k+ | slow db query meta query | ||
| #2208 | Easy Quotes | 55 | 11 | 31 | 700 | Direct Query | ||
| #2209 | Enhanced Category Pages | 55 | 23 | 25 | 2k+ | Direct Query | ||
| #2210 | Go Live Update Urls | 55 | 11 | 49 | 80k+ | Non-prefixed hook name | ||
| #2211 | Fast Page & Post Duplicator | 55 | 12 | 25 | 60k+ | Direct Query | ||
| #2212 | Page Tagger | 55 | 30 | 10 | 2k+ | Output is not escaped | ||
| #2213 | Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder | 55 | 54 | 692 | 700k+ | Non-prefixed hook name | ||
| #2214 | ProductFrame – Curated products from affiliate feeds | 55 | 3 | 85 | 400 | Direct Query | ||
| #2215 | AI Copilot – ChatGPT Chatbot & AI Engine for Post Automation | 56 | 65 | 20 | 1k+ | Text Domain Mismatch | ||
| #2216 | Fluent Connect – Connect ThriveCart with your WordPress and FluentCRM | 56 | 37 | 54 | 600 | curl curl setopt | ||
| #2217 | Subscriptions for WooCommerce with Stripe Recurring Payments | 56 | 10 | 467 | 800 | Non-prefixed global variable | ||
| #2218 | WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance | 56 | 5 | 774 | 1m+ | Non-prefixed global variable | ||
| #2219 | Pantheon Migrations | 57 | 15 | 26 | 1k+ | Output is not escaped | ||
| #2220 | iConvert Promoter | 57 | 98 | 217 | 2k+ | Non-prefixed global variable | ||
| #2221 | Internal Link Juicer: SEO Auto Linker for WordPress | 57 | 12 | 61 | 90k+ | Database parameter is not escaped | ||
| #2222 | iZooto – Web Push Notifications | 57 | 26 | 25 | 1k+ | wp function not compatible with requires wp | ||
| #2223 | Longer Permalinks | 57 | 27 | 21 | 8k+ | Missing Arg Domain | ||
| #2224 | Ultimate Member – Terms & Conditions | 57 | 19 | 9 | 4k+ | Output is not escaped | ||
| #2225 | Filter Orders by Product for WooCommerce | 57 | 9 | 21 | 4k+ | Nonce verification recommended | ||
| #2226 | Sequential Order Numbers for WooCommerce | 57 | 9 | 24 | 10k+ | Interpolated SQL is not prepared | ||
| #2227 | BCM Duplicate Menu | 58 | 8 | 11 | 4k+ | Nonce verification recommended | ||
| #2228 | Contact Form DB for Enfold | 58 | 21 | 14 | 700 | Output is not escaped | ||
| #2229 | License For Envato | 58 | 12 | 31 | 9k+ | Non-prefixed global variable | ||
| #2230 | VRTs – Visual Regression Tests | 58 | 61 | 118 | 900 | Database parameter is not escaped | ||
| #2231 | WP Healthcheck | 58 | 37 | 73 | 1k+ | Non-prefixed global variable | ||
| #2232 | Social Media Auto Poster – Schedule & Publish to Buffer | 58 | 23 | 211 | 7k+ | Dynamic hook name | ||
| #2233 | Age Gator | 59 | 9 | 15 | 400 | Direct Query | ||
| #2234 | Custom API for WP | 59 | 173 | 16 | 1k+ | wp function not compatible with requires wp | ||
| #2235 | etracker analytics | 59 | 16 | 9 | 1k+ | Exception output is not escaped | ||
| #2236 | UltraPress – AI Assistant, Chatbot & SEO | 59 | 12 | 38 | 800 | Non-prefixed global variable | ||
| #2237 | GST Invoice for WooCommerce | 59 | 10 | 42 | 1k+ | Missing nonce verification | ||
| #2238 | Kubio AI Page Builder | 60 | 283 | 77 | 90k+ | Missing direct file access protection | ||
| #2239 | Material Design for WordPress | 60 | 51 | 207 | 800 | Non-prefixed global variable | ||
| #2240 | Product Labels, Quick View, Buy Now, Pre-Orders, Frequently Bought Together & More for WooCommerce – Merchant | 60 | 11 | 740 | 9k+ | Non-prefixed global variable | ||
| #2241 | Order Export & Order Import for WooCommerce | 60 | 247 | 698 | 60k+ | Non-prefixed global variable | ||
| #2242 | WPSSO Schema Product Metadata for WooCommerce | 60 | 33 | 23 | 500 | Missing Translators Comment | ||
| #2243 | Academy LMS | 61 | 18 | 521 | 2k+ | Non-prefixed global variable | ||
| #2244 | CommerceBird – AI Command Center, ERP Integrations & B2B for WooCommerce (Zoho, Exact Online). | 61 | 2 | 162 | 400 | Direct Query | ||
| #2245 | Newspack Newsletters | 61 | 53 | 47 | 1k+ | Request data is not unslashed | ||
| #2246 | WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce | 61 | 22 | 74 | 1k+ | Non-prefixed global variable | ||
| #2247 | AAM Protected Media Files | 62 | 13 | 10 | 600 | Direct Query | ||
| #2248 | Add Meta Tag Keywords | 62 | 6 | 15 | 1k+ | Missing nonce verification | ||
| #2249 | Carousel Slider | 62 | 71 | 30k+ | Non-prefixed global variable | |||
| #2250 | Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Membership, Subscribers and Landing Pages | 62 | 81 | 100 | 40k+ | Missing direct file access protection |