PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2351Retainful – WooCommerce Abandoned Cart, Newsletters, Email Marketing, Signup Forms and Automation7915261k+Non-prefixed hook name
#2352SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers794566200k+Non-prefixed hook name
#2353Notifima – WooCommerce Stock Manager, Inventory Management, Waitlist79121423k+Text Domain Mismatch
#2354Antispam Bee80438700k+Nonce verification recommended
#2355wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions | for WooCommerce80465900Non-prefixed global variable
#2356Interlinks Manager – Internal Links Optimizer8017137k+Database parameter is not escaped
#2357Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later802125800Non-prefixed global variable
#2358Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder809473210k+Non-prefixed global variable
#2359Melapress File Monitor8016906k+Non-prefixed global variable
#2360Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce80945080k+Non-prefixed hook name
#2361GoCardless for WooCommerce80601k+Non-prefixed class
#2362ActivityPub81673056k+Non-prefixed global variable
#2363AI81117930k+Non-prefixed global variable
#2364Great Restaurant Menu WP81891001k+Text Domain Mismatch
#2365Bulky – Bulk Edit Products for WooCommerce8132110k+Non-prefixed hook name
#2366ElasticPress81136558k+Non-prefixed hook name
#2367Migrate Guru – Site Migration & Cloning8178200k+Database parameter is not escaped
#2368Stream8158080k+Direct Query
#2369SurveyX Builder – Easy Feedback, Poll, Quiz & Survey81222k+Interpolated SQL is not prepared
#2370ShipStation for WooCommerce813440k+Non-prefixed class
#2371BlogVault Backup & Staging82532280k+Missing direct file access protection
#2372Cloudways WordPress Migrator826920k+Database parameter is not escaped
#2373ForumWP – Forum & Discussion Board8222444800Non-prefixed global variable
#2374MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall825522200k+Missing direct file access protection
#2375Posts and Users Stats82183600Non-prefixed global variable
#2376Tasty Recipes Lite827662k+Non-prefixed global variable
#2377Easy Booking – WooCommerce Booking & Reservation Plugin8260664k+Non-prefixed global variable
#2378Search Insights – Privacy-Friendly Search Analytics827503k+Non-prefixed global variable
#2379The WP Remote WordPress Plugin82512430k+Missing direct file access protection
#2380Advanced Appointment Booking & Scheduling8311133k+Text Domain Mismatch
#2381PDF Generator for WordPress83101981k+Non-prefixed global variable
#2382Wbcom Designs – Birthday Widget for BuddyPress8416313400Text Domain Mismatch
#2383WP All Import – Import Add-On for ACF8434650k+Non-prefixed global variable
#2384Floating Button – Easily Create Sticky, Fixed & Floating Buttons8461844k+Non-prefixed global variable
#2385Lightweight Cookie Notice – Cookie Banner for Cookie Consent848185k+Database parameter is not escaped
#2386Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers8417370k+Direct Query
#2387SearchIQ – The Search Solution847181k+Database parameter is not escaped
#2388Username Changer84371340k+wp function not compatible with requires wp
#2389404 to 301 – Redirect Manager, 404 Error Logs & Notifications8524100k+Database parameter is not escaped
#2390Auto Subpage Menu8556800Database parameter is not escaped
#2391GazChap's WooCommerce Auto Category Product Thumbnails85481k+trademarked term
#2392No External Links857265k+Database parameter is not escaped
#2393Power Captcha reCAPTCHA85471k+Database parameter is not escaped
#2394Real Thumbnail Generator: Efficient regeneration of thumbnails in all sizes855581k+Non-prefixed constant
#2395Save and Continue Link Recovery for Gravity Forms85165400Text Domain Mismatch
#2396Boxtal – Shipping solution863929k+Non-prefixed global variable
#2397CBX User Online & Last Login86387800Non-prefixed global variable
#2398Counters Block – Animated Number Counters, Stats & Dynamic KPIs865143k+Missing direct file access protection
#2399Helpful – Article Feedback Plugin86817600Database parameter is not escaped
#2400EP Exporter for Contact Form 7 (CF7)8619400Database parameter is not escaped