PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters usually end up inside the query text itself. A value that is not escaped or bound can break the query or change what it does, which is how SQL injection arises.
How to Fix
- Use `$wpdb->prepare()` for values (`%s`, `%d`, `%f` placeholders).
- Use explicit allowlists for table names, column names, order fields, and directions: the value placeholders quote and escape data, so an identifier or keyword passed through them produces a wrong query rather than a safe one.
- Sanitize and validate request data before it reaches query construction.
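The pattern this check flags, next to a corrected version that applies all three fixes above, as an added example that is not Plugin Check's code nor that of any plugin in the table below. The table `pc_demo_items`, its columns, and the `$request` keys are hypothetical.

```php
<?php
// Added example, not code from Plugin Check or from any listed plugin.
// Assumes a hypothetical custom table {$wpdb->prefix}pc_demo_items with
// columns id, title, status and created_at, and a request array carrying
// status, orderby, order and page (e.g. $_GET after nonce/capability checks).

// ---- Before: what UnescapedDBParameter flags --------------------------------
function pc_demo_list_items_unsafe( array $request ) {
	global $wpdb;

	// Request values and identifiers are concatenated straight into the SQL.
	$sql = "SELECT id, title FROM {$wpdb->prefix}pc_demo_items"
	     . " WHERE status = '" . $request['status'] . "'"
	     . ' ORDER BY ' . $request['orderby'] . ' ' . $request['order'];

	return $wpdb->get_results( $sql );
}

// ---- After: input validated, values prepared, identifiers allowlisted --------
function pc_demo_list_items_safe( array $request ) {
	global $wpdb;

	// Only strings are acceptable here; arrays or missing keys become ''
	// before they can reach string functions or the query.
	$str = static function ( $key ) use ( $request ) {
		return isset( $request[ $key ] ) && is_string( $request[ $key ] ) ? $request[ $key ] : '';
	};

	// 1. Sanitize and validate request data before query construction.
	$status = sanitize_key( $str( 'status' ) );
	if ( ! in_array( $status, array( 'draft', 'publish', 'archived' ), true ) ) {
		$status = 'publish';
	}
	$per_page = 20;
	$page     = max( 1, absint( $str( 'page' ) ) );
	$offset   = ( $page - 1 ) * $per_page;

	// 2. Identifiers cannot be bound like values, so the sort column and the
	//    direction are looked up in fixed allowlists. The request value is
	//    only ever used as a lookup key; what reaches SQL is the allowlisted
	//    string, with a safe default for anything unknown.
	$allowed_orderby = array(
		'id'      => 'id',
		'title'   => 'title',
		'created' => 'created_at',
	);
	$orderby_key = $str( 'orderby' );
	$orderby     = isset( $allowed_orderby[ $orderby_key ] ) ? $allowed_orderby[ $orderby_key ] : 'created_at';
	$order       = 'ASC' === strtoupper( $str( 'order' ) ) ? 'ASC' : 'DESC';

	// 3. Values go through $wpdb->prepare(): %s is escaped and quoted, %d is
	//    cast to an integer. $orderby and $order may be interpolated only
	//    because they were produced by the allowlists above.
	$sql = $wpdb->prepare(
		"SELECT id, title FROM {$wpdb->prefix}pc_demo_items WHERE status = %s ORDER BY {$orderby} {$order} LIMIT %d OFFSET %d",
		$status,
		$per_page,
		$offset
	);

	return $wpdb->get_results( $sql );
}
```

The unsafe function lets a request parameter choose both the sort column and the raw text of the `WHERE` clause. In the safe version, a request such as `orderby=foo&order=sideways&status=x` simply collapses to `status = 'publish' ORDER BY created_at DESC`. On WordPress 6.2 or later the column name could alternatively be bound with the `%i` identifier placeholder of `$wpdb->prepare()`; the `ASC`/`DESC` keyword still needs the allowlist.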
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #201 | PAYCOMET for WooCommerce | 22 | 1,206 | 423 | 2k+ | | | Text Domain Mismatch |
| #202 | PDF Builder for WPForms | 22 | 321 | 266 | 900 | | | SQL query is not prepared |
| #203 | Smart Popup by Supsystic | 22 | 3,172 | 503 | 10k+ | | | Non Singular String Literal Domain |
| #204 | Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | 22 | 1,581 | 2,326 | 300k+ | | | Non-prefixed global variable |
| #205 | Prime Mover – Migrate WordPress Website & Backups | 22 | 1,326 | 1,600 | 10k+ | | | Non-prefixed global variable |
| #206 | Product Catalog Feed by PixelYourSite | 22 | 581 | 357 | 8k+ | | | Output is not escaped |
| #207 | Pronamic Pay | 22 | 258 | 1,077 | 2k+ | | | Non-prefixed global variable |
| #208 | PageSpeed Ninja – Cache, Minify, Defer CSS JavaScript, Critical CSS, Optimize Images, Convert WebP | 22 | 984 | 407 | 5k+ | | | Unsafe printing function |
| #209 | Request a Quote Form Plugin – Price Quote Request Management Made Easy | 22 | 241 | 1,109 | 1k+ | | | Non-prefixed hook name |
| #210 | Restrict User Access – Ultimate Membership & Content Protection | 22 | 977 | 1,840 | 10k+ | | | Non-prefixed global variable |
| #211 | Salon Booking System – Free Version | 22 | 655 | 620 | 2k+ | | | Missing direct file access protection |
| #212 | Sellsy | 22 | 586 | 490 | 400 | | | Non Singular String Literal Domain |
| #213 | Seraphinite Accelerator | 22 | 594 | 255 | 50k+ | | | Output is not escaped |
| #214 | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF | 22 | 1,044 | 799 | 300k+ | | | Non-prefixed global variable |
| #215 | Simple Job Board | 22 | 634 | 1,355 | 10k+ | | | Non-prefixed global variable |
| #216 | Slick Popup: Contact Form 7 Popup Plugin | 22 | 2,322 | 316 | 2k+ | | | Text Domain Mismatch |
| #217 | Slim Jetpack | 22 | 2,586 | 1,947 | 2k+ | | | Text Domain Mismatch |
| #218 | NextScripts: Social Networks Auto-Poster | 22 | 2,408 | 1,133 | 30k+ | | | Output is not escaped |
| #219 | SportsPress – Sports Club & League Manager | 22 | 460 | 2,242 | 10k+ | | | Non-prefixed global variable |
| #220 | SSL Zen — SSL Certificate Installer & HTTPS Redirects | 22 | 779 | 1,575 | 10k+ | | | Non-prefixed global variable |
| #221 | SVG Flags – Beautiful Scalable Flags For All Countries! | 22 | 755 | 1,251 | 2k+ | | | Non-prefixed global variable |
| #222 | Swift Performance Lite | 22 | 2,346 | 1,325 | 7k+ | | | Text Domain Mismatch |
| #223 | Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent | 22 | 225 | 519 | 8k+ | | | error log error log |
| #224 | ThemeHunk Customizer | 22 | 3,969 | 582 | 6k+ | | | Text Domain Mismatch |
| #225 | Ultimate Carousel For Divi | 22 | 590 | 1,566 | 800 | | | Non-prefixed global variable |
| #226 | Ultimeter | 22 | 751 | 1,344 | 1k+ | | | Non-prefixed global variable |
| #227 | Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin | 22 | 530 | 2,334 | 40k+ | | | Direct Query |
| #228 | Unlimited Elements Blocks Library | 22 | 708 | 1,822 | 400 | | | Non-prefixed global variable |
| #229 | Search & Replace Everything – Quick and Easy Way to Find and Replace Text, Links | 22 | 1,044 | 1,797 | 20k+ | | | Non-prefixed global variable |
| #230 | URL Shortify – Simple and Easy URL Shortener | 22 | 1,520 | 2,689 | 10k+ | | | Non-prefixed global variable |
| #231 | Welcart e-Commerce | 22 | 10,377 | 10,896 | 10k+ | | | Text Domain Mismatch |
| #232 | UserFeedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds | 22 | 444 | 243 | 200k+ | | | Text Domain Mismatch |
| #233 | Walker Core | 22 | 1,351 | 1,436 | 800 | | | Non-prefixed global variable |
| #234 | WCFM – Frontend Manager for WooCommerce | 22 | 4,754 | 5,054 | 20k+ | | | Non-prefixed global variable |
| #235 | WCFM Marketplace – Multivendor Marketplace for WooCommerce | 22 | 1,934 | 1,966 | 10k+ | | | Non-prefixed global variable |
| #236 | WCFM Membership – WooCommerce Memberships for Multivendor Marketplace | 22 | 559 | 675 | 10k+ | | | Non-prefixed global variable |
| #237 | Wenprise WeChatPay Payment Gateway For WooCommerce | 22 | 443 | 178 | 400 | | | Exception output is not escaped |
| #238 | Fraud Prevention For WooCommerce and EDD | 22 | 572 | 1,394 | 5k+ | | | Non-prefixed global variable |
| #239 | WooCommerce | 22 | 1,359 | 6,171 | 7m+ | | | Non-prefixed global variable |
| #240 | Advanced AJAX Product Filters | 22 | 2,683 | 1,205 | 50k+ | | | Text Domain Mismatch |
| #241 | CoDesigner – All in One Elementor WooCommerce Builder | 22 | 4,131 | 774 | 5k+ | | | Text Domain Mismatch |
| #242 | ManageWP Worker | 22 | 507 | 565 | 1m+ | | | Non-prefixed class |
| #243 | WP Affiliate Disclosure | 22 | 1,358 | 1,504 | 1k+ | | | Non-prefixed global variable |
| #244 | Asset CleanUp: Page Speed Booster | 22 | 2,030 | 2,485 | 100k+ | | | Non-prefixed global variable |
| #245 | Master Accordion ( Former WP Awesome FAQ Plugin ) | 22 | 1,774 | 1,286 | 700 | | | Non-prefixed global variable |
| #246 | WP Easy Pay – Payment and Donation form Builder for Square | 22 | 893 | 1,828 | 1k+ | | | Non-prefixed global variable |
| #247 | File Manager | 22 | 740 | 520 | 1m+ | | | Unsafe printing function |
| #248 | WP Fusion Lite – Marketing Automation and CRM Integration for WordPress | 22 | 275 | 683 | 5k+ | | | Nonce verification recommended |
| #249 | WP Umbrella: Update Backup Restore & Monitoring | 22 | 918 | 916 | 70k+ | | | Exception output is not escaped |
| #250 | AidWP – Donation & Payment Forms (Stripe Powered) | 22 | 1,317 | 1,675 | 800 | | | Non-prefixed global variable |