PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2251 | DreamHost Automated Migration | 62 | 15 | 23 | 20k+ | Output is not escaped | ||
| #2252 | Migrate To Liquid Web & Nexcess | 62 | 15 | 23 | 2k+ | Output is not escaped | ||
| #2253 | Notibar – Notification Bar for WordPress | 62 | 47 | 64 | 8k+ | wp function not compatible with requires wp | ||
| #2254 | Pressable Automated Migration | 62 | 15 | 23 | 3k+ | Output is not escaped | ||
| #2255 | Migrate to WordPress.com | 62 | 15 | 28 | 2k+ | Output is not escaped | ||
| #2256 | IndexNow Plugin | 63 | 14 | 91 | 100k+ | error log error log | ||
| #2257 | MooWoodle – WordPress Moodle LMS Integration, Sell Moodle Courses via WooCommerce | 63 | 10 | 45 | 800 | No Caching | ||
| #2258 | Contact Form to Chat Apps | Click to Chat to Order – FormyChat | 63 | 30 | 134 | 3k+ | Direct Query | ||
| #2259 | Beautiful taxonomy filters | 64 | 38 | 78 | 2k+ | Non-prefixed global variable | ||
| #2260 | Collapsing Archives | 64 | 36 | 9 | 3k+ | date date | ||
| #2261 | DataFeedWatch Connector for WooCommerce | 64 | 16 | 112 | 600 | Non-prefixed hook name | ||
| #2262 | DoFollow Case by Case | 64 | 4 | 60 | 1k+ | Direct Query | ||
| #2263 | Pageviews | 64 | 15 | 12 | 1k+ | Missing Translators Comment | ||
| #2264 | Product Import Export for WooCommerce – Import Export Product CSV Suite | 64 | 246 | 766 | 80k+ | Non-prefixed global variable | ||
| #2265 | Stancer for WooCommerce | 64 | 2 | 108 | 400 | Non-prefixed global variable | ||
| #2266 | JTL-Connector for WooCommerce | 64 | 7 | 166 | 1k+ | Direct Query | ||
| #2267 | WP REST Cache | 64 | 11 | 113 | 10k+ | Direct Query | ||
| #2268 | AdSimple Cookie Consent Banner | 65 | 55 | 109 | 600 | wp function not compatible with requires wp | ||
| #2269 | Royal MCP – Secure AI Connector for Claude, ChatGPT & Gemini | 65 | 6 | 33 | 8k+ | Interpolated SQL is not prepared | ||
| #2270 | SQL Buddy – Database Management Made Easy | 65 | 12 | 16 | 5k+ | SQL query is not prepared | ||
| #2271 | WebberZone Top 10 — Popular Posts | 65 | 37 | 179 | 10k+ | Database parameter is not escaped | ||
| #2272 | AC Advanced Flamingo Settings | 66 | 6 | 32 | 700 | Nonce verification recommended | ||
| #2273 | CP Media Player – Audio Player and Video Player | 66 | 224 | 48 | 3k+ | Text Domain Mismatch | ||
| #2274 | Burst Statistics – Simple WordPress Analytics (Google Analytics Alternative) | 66 | 33 | 410 | 200k+ | Direct Query | ||
| #2275 | FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration | 66 | 26 | 30 | 6k+ | Missing direct file access protection | ||
| #2276 | Leadpages | 66 | 6 | 62 | 10k+ | Direct Query | ||
| #2277 | WP Redis | 66 | 11 | 25 | 9k+ | Interpolated SQL is not prepared | ||
| #2278 | Editoria11y Accessibility Checker | 67 | 69 | 55 | 1k+ | Text Domain Mismatch | ||
| #2279 | Multilingual Forms for Fluent Forms with WPML | 67 | 52 | 16 | 1k+ | Text Domain Mismatch | ||
| #2280 | Recurio – Ultimate Subscription for WooCommerce | 67 | 311 | 1k+ | Direct Query | |||
| #2281 | WebToffee WooCommerce Product Feeds – Google Shopping, Pinterest, TikTok Ads, & More | 67 | 178 | 2,899 | 2k+ | Non-prefixed hook name | ||
| #2282 | Member Swipe for BuddyPress | 68 | 9 | 13 | 500 | Missing direct file access protection | ||
| #2283 | Collapsing Categories | 68 | 29 | 8 | 4k+ | Missing direct file access protection | ||
| #2284 | Export media with selected content (by DKZR) | 68 | 10 | 14 | 40k+ | Direct Query | ||
| #2285 | Faire for WooCommerce | 68 | 4 | 86 | 800 | Direct Query | ||
| #2286 | Hreflang Manager – Hreflang Implementation for International SEO | 68 | 21 | 15 | 8k+ | wp function not compatible with requires wp | ||
| #2287 | One Stop Shop for WooCommerce | 68 | 23 | 83 | 10k+ | Input is not sanitized | ||
| #2288 | Shiptastic Integration for DHL | 68 | 54 | 36 | 10k+ | Missing Translators Comment | ||
| #2289 | Export and Import Users and Customers | 68 | 223 | 662 | 60k+ | Non-prefixed global variable | ||
| #2290 | Thank You Page for WooCommerce | 68 | 6 | 27 | 10k+ | Non-prefixed global variable | ||
| #2291 | Ever Accounting – Accounting & Invoicing Solution for Small Businesses | 68 | 69 | 661 | 1k+ | Non-prefixed hook name | ||
| #2292 | Solid Mail – SMTP email and logging made by SolidWP | 68 | 16 | 17 | 60k+ | Database parameter is not escaped | ||
| #2293 | AdOpt | Easy Multi-Regulations Cookie Banner. | 69 | 22 | 27 | 7k+ | Missing direct file access protection | ||
| #2294 | Ambrosite Next/Previous Post Link Plus | 69 | 12 | 24 | 5k+ | Interpolated SQL is not prepared | ||
| #2295 | DOKU Payment | 69 | 53 | 46 | 400 | wp function not compatible with requires wp | ||
| #2296 | Scroll Down Arrow | 69 | 30 | 30 | 800 | Missing Arg Domain | ||
| #2297 | Search by SKU for Woocommerce | 69 | 13 | 10 | 10k+ | Direct Query | ||
| #2298 | Ambrosite Next/Previous Page Link Plus | 70 | 11 | 21 | 900 | Interpolated SQL is not prepared | ||
| #2299 | AppScenic – Smart AI Dropshipping | 70 | 16 | 41 | 3k+ | Dynamic hook name | ||
| #2300 | FAZ Cookie Manager | 70 | 315 | 900 | Non-prefixed hook name |