PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
Database parameters often shape the query text directly. A value that is neither prepared nor allowlisted can change the meaning of the statement, corrupting data access or creating SQL injection risk.
How to Fix
- Use `$wpdb->prepare()` for values.
- Use explicit allowlists for table names, column names, order fields, and directions.
- Sanitize and validate request data before it reaches query construction.
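As an added example (not code from Plugin Check or from any plugin listed below), the flagged pattern is shown beside a version that applies all three fixes. The table, column and request parameter names are hypothetical:

```php
<?php
// Assumes the usual WordPress environment: the global $wpdb object and the
// sanitize_key(), sanitize_text_field(), wp_unslash() and absint() helpers.
// Table "{prefix}myplugin_items" and its columns are invented for illustration.

// Flagged pattern: request values are interpolated straight into the SQL string.
function myplugin_list_items_unsafe() {
    global $wpdb;
    $orderby = $_GET['orderby'];   // e.g. "title"
    $order   = $_GET['order'];     // e.g. "DESC"
    $status  = $_GET['status'];    // e.g. "published"
    // All three are attacker-controlled; none is escaped, prepared or allowlisted.
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}myplugin_items WHERE status = '$status' ORDER BY $orderby $order"
    );
}

// Fixed version: identifiers come from an allowlist, values go through prepare().
function myplugin_list_items_safe() {
    global $wpdb;

    // Column and direction are identifiers, which %s cannot quote correctly,
    // so map request input onto a fixed set of strings and fall back to a default.
    $allowed_orderby = array( 'title' => 'title', 'date' => 'created_at', 'id' => 'id' );
    $orderby_key     = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'date';
    $orderby         = isset( $allowed_orderby[ $orderby_key ] ) ? $allowed_orderby[ $orderby_key ] : 'created_at';

    $order = isset( $_GET['order'] ) ? strtoupper( sanitize_key( wp_unslash( $_GET['order'] ) ) ) : 'DESC';
    $order = in_array( $order, array( 'ASC', 'DESC' ), true ) ? $order : 'DESC';

    // Values are unslashed and sanitized first, then bound with placeholders:
    // %s is quoted and escaped by $wpdb->prepare(), %d is cast to an integer.
    $status = isset( $_GET['status'] ) ? sanitize_text_field( wp_unslash( $_GET['status'] ) ) : 'published';
    $limit  = isset( $_GET['limit'] ) ? absint( $_GET['limit'] ) : 20;

    // The table name is built from the trusted $wpdb->prefix, not from the request.
    $table = $wpdb->prefix . 'myplugin_items';
    $sql   = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE status = %s ORDER BY {$orderby} {$order} LIMIT %d",
        $status,
        $limit
    );
    return $wpdb->get_results( $sql );
}
```

WordPress 6.2 and later also accept the `%i` placeholder in `$wpdb->prepare()` for identifiers, but that only quotes the name; restricting which columns a request may choose still needs the allowlist.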
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #301 | ElementsReady Addons for Elementor | 23 | 231 | 666 | 3k+ | | | Non-prefixed global variable |
| #302 | Error Log Monitor | 23 | 694 | 1,414 | 20k+ | | | Non-prefixed global variable |
| #303 | Essential Real Estate | 23 | 529 | 5,060 | 8k+ | | | Non-prefixed global variable |
| #304 | EventON – Events Calendar | 23 | 2,585 | 1,021 | 6k+ | | | Text Domain Mismatch |
| #305 | Events Addon for Elementor | 23 | 779 | 1,339 | 7k+ | | | Non-prefixed global variable |
| #306 | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder with AI | 23 | 395 | 1,342 | 90k+ | | | Non-prefixed global variable |
| #307 | Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light | 23 | 386 | 999 | 500 | | | Non-prefixed global variable |
| #308 | Export WordPress Pages to Static HTML & PDF — Static Site Export | 23 | 490 | 301 | 4k+ | | | Text Domain Mismatch |
| #309 | Ezoic | 23 | 432 | 516 | 10k+ | | | Output is not escaped |
| #310 | Featured Images in RSS for Mailchimp & More | 23 | 780 | 1,299 | 20k+ | | | Non-prefixed global variable |
| #311 | Filr – Secure document library | 23 | 775 | 1,317 | 800 | | | Non-prefixed global variable |
| #312 | Finpose – Accounting for WooCommerce | 23 | 1,649 | 1,307 | 400 | | | Non-prefixed global variable |
| #313 | Image Photo Gallery Final Tiles Grid | 23 | 578 | 1,502 | 20k+ | | | Non-prefixed global variable |
| #314 | Five-Star Ratings Shortcode | 23 | 604 | 1,317 | 600 | | | Non-prefixed global variable |
| #315 | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | 23 | 4,746 | 1,279 | 30k+ | | | Non Singular String Literal Domain |
| #316 | Freshdesk (official) | 23 | 194 | 386 | 900 | | | Non-prefixed function |
| #317 | Front End PM | 23 | 978 | 2,264 | 5k+ | | | Non-prefixed global variable |
| #318 | Tracking and Consent Manager – WP Full Picture | 23 | 1,280 | 3,223 | 3k+ | | | Non-prefixed global variable |
| #319 | Fuse Social Floating Sidebar | 23 | 1,840 | 1,573 | 10k+ | | | Non-prefixed global variable |
| #320 | FV Flowplayer Video Player | 23 | 1,311 | 1,454 | 20k+ | | | Output is not escaped |
| #321 | GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress | 23 | 3,662 | 2,971 | 10k+ | | | Output is not escaped |
| #322 | The GDPR Framework By Data443 | 23 | 1,287 | 517 | 10k+ | | | Short PHP open tag found |
| #323 | Anti-Malware Security and Brute-Force Firewall | 23 | 543 | 965 | 100k+ | | | Output is not escaped |
| #324 | Gmedia Photo Gallery | 23 | 350 | 1,121 | 7k+ | | | Non-prefixed global variable |
| #325 | Groundhogg — CRM, Newsletters, and Marketing Automation | 23 | 136 | 914 | 2k+ | | | Non-prefixed global variable |
| #326 | Interactive Content – H5P | 23 | 565 | 380 | 40k+ | | | Non Singular String Literal Domain |
| #327 | Happy Addons for Elementor | 23 | 573 | 444 | 400k+ | | | Output is not escaped |
| #328 | Houzez Property Feed | 23 | 1,464 | 1,615 | 1k+ | | | Text Domain Mismatch |
| #329 | Ibtana – Ecommerce Product Addons | 23 | 1,547 | 1,718 | 6k+ | | | Non Singular String Literal Domain |
| #330 | Iks Menu – WordPress Category Accordion Menu & FAQs | 23 | 615 | 1,293 | 10k+ | | | Non-prefixed global variable |
| #331 | Image Carousel For Divi | 23 | 569 | 1,309 | 1k+ | | | Non-prefixed global variable |
| #332 | Payment forms, Buy now buttons, and Invoicing System \| GetPaid | 23 | 387 | 1,258 | 5k+ | | | Non-prefixed global variable |
| #333 | IP Geo Block | 23 | 399 | 589 | 9k+ | | | Output is not escaped |
| #334 | Jetpack – WP Security, Backup, Speed, & Growth | 23 | 2,821 | 1,303 | 3m+ | | | Text Domain Mismatch |
| #335 | Joli FAQ SEO – WordPress FAQ Plugin | 23 | 1,083 | 1,526 | 700 | | | Non-prefixed global variable |
| #336 | Justified Gallery | 23 | 589 | 1,417 | 8k+ | | | Non-prefixed global variable |
| #337 | Kenta Companion | 23 | 657 | 1,419 | 2k+ | | | Non-prefixed global variable |
| #338 | King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder | 23 | 1,831 | 3,878 | 10k+ | | | Non-prefixed global variable |
| #339 | KiviCare – Clinic & Patient Management System (EHR) | 23 | 206 | 850 | 2k+ | | | Direct Query |
| #340 | Masteriyo LMS – LMS Course Builder, Quizzes & Certificates | 23 | 192 | 2,123 | 5k+ | | | Non-prefixed global variable |
| #341 | License Manager for WooCommerce | 23 | 129 | 819 | 6k+ | | | Request data is not unslashed |
| #342 | Like Button Rating ♥ LikeBtn | 23 | 1,231 | 617 | 4k+ | | | Unsafe printing function |
| #343 | Link Whisper Free | 23 | 3,882 | 5,303 | 30k+ | | | Text Domain Mismatch |
| #344 | Locatoraid Store Locator | 23 | 319 | 645 | 1k+ | | | Non-prefixed global variable |
| #345 | Custom Login Page Customizer | 23 | 687 | 1,408 | 90k+ | | | Non-prefixed global variable |
| #346 | Login With Ajax – Fast Logins, 2FA, Redirects | 23 | 623 | 520 | 10k+ | | | Output is not escaped |
| #347 | MailPoet – Newsletters, Email Marketing, and Automation | 23 | 931 | 719 | 500k+ | | | Exception output is not escaped |
| #348 | Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits | 23 | 525 | 1,541 | 30k+ | | | Non-prefixed global variable |
| #349 | Master Slider – Responsive Touch Slider | 23 | 800 | 408 | 60k+ | | | Output is not escaped |
| #350 | MasterStudy LMS WordPress Plugin – for Online Courses and Education | 23 | 1,419 | 4,875 | 10k+ | | | Non-prefixed global variable |