PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

Weight: critical

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters usually end up inside the query text itself. An unescaped value can change the meaning of the query rather than being treated as data, corrupting reads or writes or opening the way to SQL injection.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.
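The three fixes above, shown together as an added example (this is not code from the Plugin Check project or from WordPress core). The table name `{$wpdb->prefix}myplugin_orders`, its columns and the `myplugin_` functions are hypothetical; `$wpdb->prepare()`, `sanitize_key()`, `wp_unslash()` and `absint()` are the real WordPress APIs. The first function is the pattern the check flags; the second is the hardened form.

```php
<?php
/**
 * Added example, not part of the Plugin Check page or of WordPress core.
 * Table, columns and function names are hypothetical.
 */

// BEFORE: the pattern this check flags. Request values are interpolated
// straight into the SQL string, so a value is no longer just data: it can
// change the structure of the query. Identifiers (ORDER BY column and
// direction) are the worst case, because quoting cannot protect them at all.
function myplugin_get_orders_unsafe( $status, $orderby, $order ) {
	global $wpdb;
	$table = $wpdb->prefix . 'myplugin_orders'; // hypothetical table
	$sql   = "SELECT * FROM {$table} WHERE status = '{$status}' ORDER BY {$orderby} {$order}";
	return $wpdb->get_results( $sql ); // flagged: unescaped, unprepared parameter
}

// AFTER: values go through prepare(), identifiers go through an allowlist.
function myplugin_get_orders( $status, $orderby, $order, $limit = 50 ) {
	global $wpdb;
	$table = $wpdb->prefix . 'myplugin_orders'; // hypothetical table

	// Values: prepare() binds them. %s is quoted and escaped, %d is cast to int.
	$status = sanitize_key( $status );
	$limit  = min( absint( $limit ), 500 ); // cap so a huge LIMIT cannot be requested

	// Identifiers: prepare() cannot bind a column or direction, so map the
	// request value onto a fixed allowlist and fall back to a safe default.
	// (WordPress 6.2+ also offers the %i placeholder for identifiers; the
	// allowlist is still what decides which columns are reachable.)
	$allowed_orderby = array(
		'id'      => 'id',
		'created' => 'created_at',
		'total'   => 'total',
	);
	$orderby_column = isset( $allowed_orderby[ $orderby ] ) ? $allowed_orderby[ $orderby ] : 'id';
	$order_dir      = ( 'desc' === strtolower( (string) $order ) ) ? 'DESC' : 'ASC';

	// Only allowlisted identifiers are interpolated; every request value is a placeholder.
	$sql = $wpdb->prepare(
		"SELECT id, status, total, created_at FROM {$table} WHERE status = %s ORDER BY {$orderby_column} {$order_dir} LIMIT %d",
		$status,
		$limit
	);
	return $wpdb->get_results( $sql );
}

// Request handling: unslash and sanitize before anything reaches query construction.
// (Capability and nonce checks belong here too; they are outside this check's scope.)
function myplugin_handle_request() {
	$status  = isset( $_GET['status'] ) ? sanitize_key( wp_unslash( $_GET['status'] ) ) : 'paid';
	$orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'id';
	$order   = isset( $_GET['order'] ) ? sanitize_key( wp_unslash( $_GET['order'] ) ) : 'asc';
	$limit   = isset( $_GET['limit'] ) ? absint( wp_unslash( $_GET['limit'] ) ) : 50;

	return myplugin_get_orders( $status, $orderby, $order, $limit );
}
```

The split matters: `$wpdb->prepare()` only protects values, so any part of the query that is an identifier (table, column, ORDER BY field, ASC/DESC) has to be chosen from a list the plugin controls, never escaped and interpolated. Sanitizing at the request boundary is a second layer, not a replacement for either.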

Affected Plugins

| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|------|--------|-------|--------|----------|----------|-------|---------|-----------|
| #351 | Media Library File Download | 23 | 615 | 1,286 | 1k+ | | | Non-prefixed global variable |
| #352 | Media Library Assistant | 23 | 1,144 | 3,943 | 70k+ | | | Nonce verification recommended |
| #353 | MediaPress | 23 | 904 | 583 | 4k+ | | | Output is not escaped |
| #354 | Menu Image, Icons made easy | 23 | 591 | 1,406 | 100k+ | | | Non-prefixed global variable |
| #355 | Order Bump for WooCommerce | 23 | 1,720 | 1,562 | 600 | | | Output is not escaped |
| #356 | MotoPress Appointment Booking | 23 | 2,362 | 857 | 2k+ | | | Text Domain Mismatch |
| #357 | Restaurant Menu and Food Ordering | 23 | 385 | 853 | 2k+ | | | Non-prefixed global variable |
| #358 | MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar | 23 | 4,065 | 488 | 20k+ | | | Text Domain Mismatch |
| #359 | MStore API – Create Native Android & iOS Apps On The Cloud | 23 | 618 | 764 | 3k+ | | | SQL query is not prepared |
| #360 | MultiParcels Shipping For WooCommerce | 23 | 179 | 356 | 4k+ | | | Request data is not unslashed |
| #361 | MPG – Multiple Page Generator, Bulk Landing Pages & Programmatic SEO | 23 | 488 | 580 | 2k+ | | | Missing nonce verification |
| #362 | MyWorks Sync for WooCommerce & QuickBooks Online | 23 | 2,292 | 9,101 | 5k+ | | | Non-prefixed global variable |
| #363 | Next Active Directory Integration | 23 | 683 | 284 | 2k+ | | | Exception output is not escaped |
| #364 | Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery | 23 | 2,119 | 986 | 400k+ | | | Text Domain Mismatch |
| #365 | NicheTable – Responsive Comparison Table Block | 23 | 683 | 1,307 | 700 | | | Non-prefixed global variable |
| #366 | Ninja Forms – The Contact Form Builder That Grows With You | 23 | 754 | 1,525 | 600k+ | | | Nonce verification recommended |
| #367 | Nirweb support | 23 | 254 | 617 | 800 | | | Request data is not unslashed |
| #368 | Ocean Extra | 23 | 1,494 | 2,107 | 500k+ | | | Non-prefixed global variable |
| #369 | Issues and Series for Newspapers, Magazines, Publishers, Writers | 23 | 346 | 710 | 2k+ | | | Nonce verification recommended |
| #370 | Patchstack – WordPress & Plugins Security | 23 | 107 | 489 | 40k+ | | | Missing nonce verification |
| #371 | Photo Gallery by 10Web – Mobile-Friendly Image Gallery | 23 | 4,159 | 1,553 | 100k+ | | | Output is not escaped |
| #372 | Gallery PhotoBlocks | 23 | 904 | 1,345 | 3k+ | | | Non-prefixed global variable |
| #373 | ExpressTechSoftwares Discord Add-on for Paid Memberships Pro | 23 | 454 | 449 | 700 | | | Text Domain Mismatch |
| #374 | AI Popup | 23 | 1,224 | 636 | 400 | | | Text Domain Mismatch |
| #375 | Post to Google My Business (Google Business Profile) | 23 | 845 | 1,452 | 10k+ | | | Non-prefixed global variable |
| #376 | Postie | 23 | 407 | 261 | 10k+ | | | Output is not escaped |
| #377 | PowerPress Podcasting plugin by Blubrry | 23 | 4,807 | 2,394 | 20k+ | | | Output is not escaped |
| #378 | Primary Addon for Elementor | 23 | 765 | 1,306 | 7k+ | | | Non-prefixed global variable |
| #379 | Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More. | 23 | 1,485 | 444 | 1k+ | | | Text Domain Mismatch |
| #380 | Print My Blog – Print, PDF, & eBook Converter WordPress Plugin | 23 | 1,077 | 1,660 | 8k+ | | | Non-prefixed global variable |
| #381 | Product Watermark for WooCommerce | 23 | 696 | 457 | 2k+ | | | Output is not escaped |
| #382 | Protect Admin | 23 | 606 | 1,300 | 2k+ | | | Non-prefixed global variable |
| #383 | Radio Station by netmix® – Manage and play your Show Schedule in WordPress! | 23 | 934 | 3,619 | 1k+ | | | Non-prefixed global variable |
| #384 | Read More WP | 23 | 570 | 1,311 | 1k+ | | | Non-prefixed global variable |
| #385 | Real 3D Flipbook – 3D FlipBook, PDF FlipBook, PDF Viewer, PDF Embedder | 23 | 856 | 1,365 | 10k+ | | | Non-prefixed global variable |
| #386 | Redirection | 23 | 523 | 457 | 100k+ | | | Non-prefixed global variable |
| #387 | Restaurant & Cafe Addon for Elementor | 23 | 889 | 1,326 | 2k+ | | | Non-prefixed global variable |
| #388 | Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More | 23 | 142 | 681 | 100k+ | | | Non-prefixed global variable |
| #389 | Revive.so – Bulk Rewrite and Republish Blog Posts | 23 | 332 | 228 | 1k+ | | | Text Domain Mismatch |
| #390 | Schema | 23 | 1,173 | 245 | 40k+ | | | Text Domain Mismatch |
| #391 | SecuPress with Simple SSL – Simple and Performant Security | 23 | 1,696 | 1,590 | 40k+ | | | Non-prefixed global variable |
| #392 | SEO Redirection Plugin – 301 Redirect Manager | 23 | 272 | 727 | 10k+ | | | Non-prefixed global variable |
| #393 | Seraphinite Post .DOCX Source | 23 | 1,156 | 110 | 900 | | | Output is not escaped |
| #394 | Seriously Simple Podcasting | 23 | 548 | 627 | 30k+ | | | Non-prefixed hook name |
| #395 | Local Google Analytics for WordPress – caches external requests | 23 | 551 | 199 | 3k+ | | | Output is not escaped |
| #396 | Tag, Category, and Taxonomy Manager – Autotagger Automatically Add Terms | 23 | 405 | 869 | 50k+ | | | Nonce verification recommended |
| #397 | Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management | 23 | 295 | 298 | 4k+ | | | Non-prefixed global variable |
| #398 | Image Optimizer, Resizer and CDN – Sirv | 23 | 616 | 1,004 | 1k+ | | | Output is not escaped |
| #399 | Site Reviews | 23 | 1,625 | 598 | 60k+ | | | Output is not escaped |
| #400 | Slider Hero with Video Background, Animation | 23 | 1,565 | 1,253 | 3k+ | | | Text Domain Mismatch |