PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

Weight: critical

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.
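The three fixes above applied to one listing query, as an added example (not code from Plugin Check or from any plugin listed below); the table name, column names and function names are hypothetical:

```php
<?php
// Added example, not from Plugin Check or any listed plugin.
// Assumes a hypothetical plugin table "{$wpdb->prefix}myplugin_items"
// with columns id, title, status, created.

// BEFORE: every parameter is interpolated unescaped. This is the
// pattern the UnescapedDBParameter check flags.
function myplugin_list_items_unsafe( $status, $orderby, $order ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_items';
    return $wpdb->get_results(
        "SELECT id, title FROM $table WHERE status = '$status' ORDER BY $orderby $order"
    );
}

// AFTER: prepare() for the value; explicit allowlists for the
// identifiers (column name, sort direction) that prepare() cannot quote.
function myplugin_list_items( $status, $orderby, $order ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_items';

    // Identifiers: map untrusted input onto a fixed set, with a safe default.
    $allowed_orderby = array( 'id', 'title', 'created' );
    $orderby         = in_array( $orderby, $allowed_orderby, true ) ? $orderby : 'id';
    $order           = ( 'DESC' === strtoupper( $order ) ) ? 'DESC' : 'ASC';

    // Values: a placeholder, so $wpdb escapes the value for the driver.
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$table} WHERE status = %s ORDER BY {$orderby} {$order}",
            $status
        )
    );
}

// Request data is sanitized before it reaches query construction;
// the allowlist above still decides what is accepted.
function myplugin_handle_request() {
    $status  = isset( $_GET['status'] )  ? sanitize_key( wp_unslash( $_GET['status'] ) )  : 'publish';
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'id';
    $order   = isset( $_GET['order'] )   ? sanitize_key( wp_unslash( $_GET['order'] ) )   : 'asc';
    return myplugin_list_items( $status, $orderby, $order );
}
```

On WordPress 6.2 and later, `$wpdb->prepare()` also accepts the `%i` placeholder for identifiers such as table and column names, which removes the need to interpolate the allowlisted identifier into the query string.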

Affected Plugins

Rank | Plugin | Score | Errors / Warnings / Installs | Top Issue
---|---|---|---|---
#2451 | Easy Demo Importer – A Modern One-Click Demo Import Solution | 93 | 2492k+ | Non-prefixed hook name
#2452 | League Table – WordPress Table Plugin | 93 | 1091k+ | Missing direct file access protection
#2453 | WooCommerce Analytics | 93 | 2520k+ | Direct Query
#2454 | Certify – Certificate Management & Verification | 94 | 22500 | Database parameter is not escaped
#2455 | Make Connector | 94 | 1980k+ | Non-prefixed constant
#2456 | XO Security | 94 | 5330k+ | wp function not compatible with requires wp
#2457 | Blocks | 95 | 13600 | Database parameter is not escaped
#2458 | Check & Log Email – Easy Email Testing & Mail logging | 95 | 311100k+ | Non-prefixed constant
#2459 | Pixelavo – Server Side Tracking & Pixel + AI Ads Tools | 95 | 122k+ | Direct Query
#2460 | WCBoost – Variation Swatches | 95 | 11150k+ | Non-prefixed hook name
#2461 | WING Website Migrator | 95 | 24400 | Discouraged PHP function
#2462 | ActiveLayer Anti-Spam: Spam Protection for Forms & Comments | 96 | 22k+ | Database parameter is not escaped
#2463 | Catch Themes Demo Import | 96 | 155k+ | Non-prefixed hook name
#2464 | Better Search Replace | 97 | 11m+ | Database parameter is not escaped
#2465 | BtW Importer – Free Blogger/Blogspot Migration | 97 | 2400 | Database parameter is not escaped