PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2301 | Search and Replace | 70 | 7 | 9 | 10k+ | Input is not sanitized | ||
| #2302 | Simple Login Captcha | 70 | 20 | 19 | 10k+ | date date | ||
| #2303 | Export Users With Meta | 70 | 13 | 13 | 2k+ | Direct Query | ||
| #2304 | BuddyPress Default Data | 71 | 8 | 21 | 400 | Interpolated SQL is not prepared | ||
| #2305 | Event SEO: Event Schema / Structured Data: Google Rich Snippet Schema for Event | 71 | 24 | 49 | 700 | Non-prefixed global variable | ||
| #2306 | Privyr CRM – Instant Lead Alerts for Contact Forms | 71 | 2 | 25 | 4k+ | Non-prefixed function | ||
| #2307 | Discount Rules for WooCommerce | 71 | 10 | 454 | 100k+ | Non-prefixed global variable | ||
| #2308 | WooCommerce Shipping | 71 | 48 | 70k+ | Direct Query | |||
| #2309 | Cloudinary – Deliver Images and Videos at Scale | 72 | 691 | 134 | 5k+ | Text Domain Mismatch | ||
| #2310 | EU Order Withdrawal Button for WooCommerce | 72 | 52 | 406 | 4k+ | Non-prefixed hook name | ||
| #2311 | Media Library Organizer – Folders, File Manager & Media Categories | 72 | 20 | 130 | 20k+ | Non-prefixed global variable | ||
| #2312 | Shipping Rate By Cities | 72 | 4 | 21 | 700 | Direct Query | ||
| #2313 | Templ Optimizer | 72 | 6 | 63 | 1k+ | Direct Query | ||
| #2314 | TinyPNG – JPEG, PNG & WebP image compression | 72 | 40 | 73 | 100k+ | Non-prefixed global variable | ||
| #2315 | EU Withdrawal Button for WooCommerce | 73 | 27 | 400 | Missing nonce verification | |||
| #2316 | EXMAGE – WordPress Image Links | 73 | 14 | 34 | 7k+ | Missing Arg Domain | ||
| #2317 | Permalinks Moved Permanently | 73 | 7 | 7 | 700 | Database parameter is not escaped | ||
| #2318 | TOCHAT.BE | 73 | 2 | 71 | 800 | Request data is not unslashed | ||
| #2319 | Bing URL Submissions Plugin | 74 | 10 | 38 | 40k+ | error log error log | ||
| #2320 | Edit Author Slug | 74 | 5 | 8 | 100k+ | Output is not escaped | ||
| #2321 | Fast Speed Index | 74 | 9 | 12 | 500 | Direct Query | ||
| #2322 | Product Layouts for WooCommerce | 74 | 5 | 75 | 1k+ | Direct Query | ||
| #2323 | QODE Optimizer | 74 | 1 | 249 | 30k+ | Non-prefixed global variable | ||
| #2324 | Sublium Subscriptions – Subscriptions for WooCommerce – Recurring Payments, Subscription Plans & Installments | 74 | 35 | 22 | 400 | wp function not compatible with requires wp | ||
| #2325 | FlowForms – Conversational Form Builder | 75 | 17 | 400 | Nonce verification recommended | |||
| #2326 | FluentPlayer – Video Player With Forms & Lead Capture | 75 | 10 | 40 | 1k+ | Database parameter is not escaped | ||
| #2327 | WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation | 75 | 2 | 60 | 1k+ | Database parameter is not escaped | ||
| #2328 | PopupAlly | 75 | 40 | 10 | 2k+ | Missing direct file access protection | ||
| #2329 | Addonify – WooCommerce Wishlist | 76 | 30 | 43 | 1k+ | Non-prefixed global variable | ||
| #2330 | Ajax Search Lite – Live Search & Filter | 76 | 126 | 264 | 80k+ | Non-prefixed hook name | ||
| #2331 | CiviCRM Member Sync | 76 | 8 | 70 | 800 | Non-prefixed global variable | ||
| #2332 | FileBird Document Library | 76 | 23 | 13 | 5k+ | Text Domain Mismatch | ||
| #2333 | Rearrange Products for WooCommerce | 76 | 1 | 22 | 20k+ | Input is not sanitized | ||
| #2334 | StoreAgent – WooCommerce AI Chatbot & AI Content Tools | 76 | 202 | 500 | Non-prefixed global variable | |||
| #2335 | UTM Event Tracker and Analytics, UTM Grabber | 76 | 2 | 19 | 900 | Interpolated SQL is not prepared | ||
| #2336 | Action Network | 76 | 19 | 17 | 400 | error log error log | ||
| #2337 | Loyalty Points Rewards and Referral for WooCommerce – WPLoyalty | 76 | 2,207 | 760 | 3k+ | Text Domain Mismatch | ||
| #2338 | Better Search – Relevant search results for WordPress | 77 | 18 | 117 | 5k+ | Dynamic hook name | ||
| #2339 | Dual Currency Display | 77 | 1 | 24 | 900 | Direct Query | ||
| #2340 | Index WP Users For Speed | 77 | 10 | 35 | 1k+ | Non-prefixed global variable | ||
| #2341 | Internet Archive Wayback Machine Link Fixer | 77 | 2 | 22 | 1k+ | Database parameter is not escaped | ||
| #2342 | Posts List | 77 | 11 | 15 | 7k+ | Non-prefixed hook name | ||
| #2343 | SureRank SEO – Smart Assistant with Meta Tags, Social Preview, XML Sitemap, and Schema | 77 | 58 | 95 | 300k+ | Non-prefixed hook name | ||
| #2344 | Claspo – Popups, Spin the Wheel & Email Capture | 78 | 107 | 16 | 1k+ | wp function not compatible with requires wp | ||
| #2345 | Recent Posts | 78 | 7 | 2 | 400 | Database parameter is not escaped | ||
| #2346 | SearchWP Live Ajax Search | 78 | 8 | 23 | 50k+ | Non-prefixed global variable | ||
| #2347 | WooCommerce Square | 78 | 6 | 266 | 80k+ | Non-prefixed hook name | ||
| #2348 | Real Category Management: Content Management in Category Folders | 79 | 4 | 73 | 2k+ | Non-prefixed constant | ||
| #2349 | Retainful – WooCommerce Abandoned Cart, Newsletters, Email Marketing, Signup Forms and Automation | 79 | 15 | 26 | 1k+ | Non-prefixed hook name | ||
| #2350 | Rox Appointment Booking – Appointment Booking Scheduling Solution | 79 | 4 | 15 | 1k+ | Database parameter is not escaped |