PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

critical weight

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

Use `$wpdb->prepare()` for values.
Use explicit allowlists for table names, column names, order fields, and directions.
Sanitize and validate request data before it reaches query construction.

References

WordPress database access WordPress validating, sanitizing, and escaping

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Added	Updated	Top Issue
#251	NotifSMS – SMS Notifications OTP & 2FA for WordPress & WooCommerce	22	1,353	1,412	2k+	11 years ago	7 months ago	Non-prefixed global variable
#252	User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration	22	287	1,432	20k+	15 years ago	9 days ago	Non-prefixed global variable
#253	WPBITS Addons For Elementor Page Builder	22	996	1,399	2k+	6 years ago	5 months ago	Non-prefixed global variable
#254	WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell	22	5,996	2,790	5k+	5 years ago	10 days ago	Text Domain Mismatch
#255	ShopWP	22	430	225	700	8 years ago	2 years ago	Text Domain Mismatch
#256	WPSSO Core – Complete Schema Markup and Meta Tags	22	1,407	412	5k+	13 years ago	13 days ago	Missing Translators Comment
#257	WUPO Group Attributes for WooCommerce	22	592	1,391	400	6 years ago	1 year ago	Non-prefixed global variable
#258	YaySMTP – WP Mail SMTP with Email Logs, Tracking & Reports	22	654	435	10k+	6 years ago	12 days ago	Exception output is not escaped
#259	YITH WooCommerce Ajax Search	22	408	1,659	30k+	13 years ago	12 days ago	Non-prefixed global variable
#260	ЮKassa для WooCommerce	22	590	168	9k+	6 years ago	4 days ago	Short PHP open tag found
#261	Recipe Cards For Your Food Blog from Zip Recipes	22	1,126	1,731	1k+	12 years ago	17 days ago	Non-prefixed global variable
#262	Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce	23	1,185	1,027	1k+	10 years ago	4 days ago	Text Domain Mismatch
#263	Gutenberg Blocks – ACF Blocks Suite	23	1,097	1,449	400	7 years ago	1 year ago	Non-prefixed global variable
#264	Advanced Custom Fields: Extended	23	1,885	329	100k+	7 years ago	1 month ago	Text Domain Mismatch
#265	Custom WooCommerce Checkout Fields Editor	23	755	1,386	2k+	9 years ago	1 year ago	Non-prefixed global variable
#266	Admin and Site Enhancements (ASE)	23	136	330	200k+	4 years ago	7 days ago	Nonce verification recommended
#267	Advanced Menu Manager Pro – Built for Content-heavy WordPress Sites to Add, Filter, Lock, and Edit Menus Easily	23	545	1,397	500	10 years ago	6 months ago	Non-prefixed global variable
#268	Advanced Product Labels for WooCommerce	23	921	559	20k+	10 years ago	1 month ago	Text Domain Mismatch
#269	AI Engine – The Chatbot, AI Framework & MCP for WordPress	23	411	544	100k+	4 years ago	2 days ago	error log error log
#270	Fullscreen Menu	23	537	1,287	2k+	7 years ago	5 months ago	Non-prefixed global variable
#271	AR for WordPress	23	149	508	400	9 years ago	13 days ago	Non-prefixed global variable
#272	Autocomplete Address and Location Picker for WooCommerce	23	630	1,299	2k+	5 years ago	7 months ago	Non-prefixed global variable
#273	BA Book Everything	23	1,184	1,086	10k+	8 years ago	1 month ago	Output is not escaped
#274	Kadence Security – Password, Two Factor Authentication, and Brute Force Protection	23	1,053	967	700k+	16 years ago	1 month ago	Missing Translators Comment
#275	Booking calendar, Appointment Booking System	23	1,079	1,125	4k+	11 years ago	3 months ago	Output is not escaped
#276	Brave Popup Builder – Popup, Optins, Lead Generation, Survey & Interactive Content	23	238	294	20k+	7 years ago	5 months ago	error log print r
#277	BSK PDF Manager	23	1,576	625	7k+	13 years ago	2 months ago	Text Domain Mismatch
#278	BuddyDrive	23	722	1,597	1k+	13 years ago	1 year ago	Non-prefixed global variable
#279	Announcement & Notification Banner – Bulletin	23	930	1,576	2k+	6 years ago	4 months ago	Non-prefixed global variable
#280	Business Directory Plugin – Easy Listing Directories for WordPress	23	611	1,058	10k+	15 years ago	1 month ago	Non-prefixed global variable
#281	Captivate Sync	23	174	557	1k+	7 years ago	5 months ago	Non-prefixed global variable
#282	Geo Controller	23	203	544	1k+	11 years ago	1 month ago	Non-prefixed global variable
#283	All In One Login — Login Page Security and Customization for WordPress with Google reCAPTCHA, Social Login, Temporary Login, 2FA, and more.	23	750	1,359	60k+	7 years ago	4 days ago	Non-prefixed global variable
#284	Church Admin	23	1,643	4,202	900	15 years ago	5 months ago	Direct Query
#285	Classified Listing – AI-Powered Classified ads & Business Directory	23	155	2,074	9k+	8 years ago	4 days ago	Non-prefixed global variable
#286	CLUEVO LMS, E-Learning Platform	23	1,843	1,176	400	7 years ago	1 year ago	Text Domain Mismatch
#287	Content Aware Sidebars – Fastest Widget Area Plugin	23	993	1,738	30k+	15 years ago	7 months ago	Non-prefixed global variable
#288	Content Egg – Affiliate Product Importer & Price Comparison	23	1,231	1,257	10k+	11 years ago	7 days ago	Non-prefixed global variable
#289	Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Gutenberg Blocks, and Widgets for Elementor)	23	306	587	100k+	12 years ago	1 month ago	Dynamic hook name
#290	Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe	23	9,310	26,642	900	11 years ago	9 days ago	Non-prefixed global variable
#291	Free Theme Builder for Elementor – CRT Addons (Header, Footer, Archive, WooCommerce & 50+ Widgets)	23	791	2,331	400	2 years ago	3 days ago	Non-prefixed global variable
#292	Auto Post Cleaner	23	715	1,378	1k+	5 years ago	2 months ago	Non-prefixed global variable
#293	Disable Bloat for WordPress & WooCommerce	23	863	1,325	10k+	6 years ago	1 year ago	Non-prefixed global variable
#294	Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy	23	170	821	40k+	11 years ago	2 days ago	Non-prefixed global variable
#295	Double Opt-In for Contact Form 7 & Avada – Secure, GDPR-Compliant Email Verification	23	675	643	1k+	4 years ago	4 months ago	Unsafe printing function
#296	Easy Age Verify	23	1,138	2,631	1k+	7 years ago	16 days ago	Non-prefixed global variable
#297	Easy Digital Downloads – eCommerce Payments and Subscriptions made easy	23	3,723	10,283	40k+	14 years ago	10 days ago	Non-prefixed namespace
#298	Marijuana Age Verify	23	1,154	2,630	1k+	7 years ago	18 days ago	Non-prefixed global variable
#299	EazyDocs – AI Powered Knowledge Base, Wiki, Documentation & FAQ Builder	23	356	1,515	2k+	4 years ago	2 days ago	Non-prefixed global variable
#300	ElementsReady Addons for Elementor	23	231	666	3k+	5 years ago	11 months ago	Non-prefixed global variable