PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often shape the query directly. A value that reaches the query unescaped can break the query or return the wrong rows, and if it comes from a request it creates SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` with `%s`, `%d` and `%f` placeholders for values.
- Use explicit allowlists for table names, column names, order fields, and directions; `prepare()` binds values, not identifiers, so these cannot be passed as placeholders.
- Sanitize and validate request data (`wp_unslash()`, `sanitize_text_field()`, `absint()`, and similar) before it reaches query construction.
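The three fixes above, shown side by side in an added example that is not code from Plugin Check or from any plugin listed below. It assumes a hypothetical plugin table `{$wpdb->prefix}myplugin_events` with `id`, `status` and `created_at` columns, and request parameters `status`, `orderby`, `order` and `limit`; the function names are made up for illustration. The first function is the shape of code the check flags; the second is the hardened form.

```php
<?php
// Added example, not from Plugin Check or any listed plugin. The table name,
// column names, request parameters and function names are hypothetical.

// BEFORE: the pattern this check flags. Request data is concatenated into SQL,
// so both the value (status) and the identifiers (orderby, order) are untrusted.
function myplugin_get_events_unsafe() {
    global $wpdb;
    $status  = $_GET['status'];
    $orderby = $_GET['orderby'];
    $order   = $_GET['order'];
    $table   = $wpdb->prefix . 'myplugin_events';
    return $wpdb->get_results(
        "SELECT * FROM $table WHERE status = '$status' ORDER BY $orderby $order"
    );
}

// AFTER: values are bound with prepare(); identifiers are chosen from allowlists.
function myplugin_get_events_safe() {
    global $wpdb;

    // Identifiers cannot be bound as placeholders, so they come from fixed lists.
    // Anything not on the list falls back to a safe default instead of being used.
    $allowed_orderby = array( 'id', 'created_at', 'status' );
    $allowed_order   = array( 'ASC', 'DESC' );

    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'id';
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'id';
    }

    // sanitize_key() lowercases, so compare after uppercasing.
    $order = isset( $_GET['order'] ) ? strtoupper( sanitize_key( wp_unslash( $_GET['order'] ) ) ) : 'DESC';
    if ( ! in_array( $order, $allowed_order, true ) ) {
        $order = 'DESC';
    }

    // Values: unslashed and sanitized on the way in, bound with placeholders on the way out.
    $status = isset( $_GET['status'] ) ? sanitize_text_field( wp_unslash( $_GET['status'] ) ) : 'published';
    $limit  = isset( $_GET['limit'] ) ? absint( $_GET['limit'] ) : 20;
    $limit  = min( max( $limit, 1 ), 100 ); // clamp to a sane page size

    // Table name is built from the prefix and a literal, never from input.
    $table = $wpdb->prefix . 'myplugin_events';

    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE status = %s ORDER BY {$orderby} {$order} LIMIT %d",
        $status,
        $limit
    );
    return $wpdb->get_results( $sql );
}
```

The hardened version keeps every piece of request data on one of two paths: values go through `prepare()` placeholders, identifiers go through a strict `in_array( ..., true )` allowlist with a default. Plugin Check looks for interpolated variables in query strings, so the interpolated `{$orderby}` and `{$order}` are only acceptable because they can take no value outside the allowlist.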
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2451 | Easy Demo Importer – A Modern One-Click Demo Import Solution | 93 | 2 | 49 | 2k+ | | | Non-prefixed hook name |
| #2452 | League Table – WordPress Table Plugin | 93 | 10 | 9 | 1k+ | | | Missing direct file access protection |
| #2453 | WooCommerce Analytics | 93 | 25 | | 20k+ | | | Direct Query |
| #2454 | Certify – Certificate Management & Verification | 94 | 2 | 2 | 500 | | | Database parameter is not escaped |
| #2455 | Make Connector | 94 | 1 | 9 | 80k+ | | | Non-prefixed constant |
| #2456 | XO Security | 94 | 5 | 3 | 30k+ | | | wp function not compatible with requires wp |
| #2457 | Blocks | 95 | 1 | 3 | 600 | | | Database parameter is not escaped |
| #2458 | Check & Log Email – Easy Email Testing & Mail logging | 95 | 3 | 11 | 100k+ | | | Non-prefixed constant |
| #2459 | Pixelavo – Server Side Tracking & Pixel + AI Ads Tools | 95 | 12 | | 2k+ | | | Direct Query |
| #2460 | WCBoost – Variation Swatches | 95 | 1 | 11 | 50k+ | | | Non-prefixed hook name |
| #2461 | WING Website Migrator | 95 | 2 | 4 | 400 | | | Discouraged PHP function |
| #2462 | ActiveLayer Anti-Spam: Spam Protection for Forms & Comments | 96 | 2 | | 2k+ | | | Database parameter is not escaped |
| #2463 | Catch Themes Demo Import | 96 | 1 | 5 | 5k+ | | | Non-prefixed hook name |
| #2464 | Better Search Replace | 97 | 1 | | 1m+ | | | Database parameter is not escaped |
| #2465 | BtW Importer – Free Blogger/Blogspot Migration | 97 | 2 | | 400 | | | Database parameter is not escaped |