PluginCheck.Security.DirectDB.UnescapedDBParameter
Database parameter is not escaped
A value is passed into database-related code without escaping, preparation, or strict allowlisting.
Why It Shows Up
Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.
Why It Matters
A value concatenated into a query string becomes part of the SQL itself, so attacker-controlled input can change what the query does (SQL injection), not merely which rows it matches. The same applies to table names, column names and `ORDER BY` direction: those are identifiers and keywords, and `$wpdb->prepare()` value placeholders do not protect them.
How to Fix
- Bind values with `$wpdb->prepare()` placeholders (`%s`, `%d`, `%f`); never concatenate a value into the SQL string. Run user-supplied `LIKE` patterns through `$wpdb->esc_like()` first, since `prepare()` does not neutralise the `%` and `_` wildcards.
- Placeholders cannot quote identifiers. Map table names, column names, order fields and `ASC`/`DESC` onto a fixed allowlist in code (WordPress 6.2+ also offers the `%i` identifier placeholder, which backtick-quotes a name, but an allowlist still decides which names a request may choose).
- Unslash, sanitize and validate request data (`wp_unslash()`, `sanitize_*()`) before it reaches query construction, and fall back to a safe default or reject the request when validation fails rather than trying to repair the input.
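The following PHP is an added example written for this page; it is not code from Plugin Check or from any plugin listed below. It assumes WordPress is loaded so that `$wpdb`, `wp_unslash()`, `sanitize_key()` and `sanitize_text_field()` exist; the table `{$wpdb->prefix}myplugin_items`, its columns and the `myplugin_*` function names are hypothetical. The first function is the shape of code that triggers this check; the second shows the fix for each kind of parameter (value, `LIKE` pattern, identifier, keyword).

```php
<?php
// Added example for the UnescapedDBParameter check (hypothetical plugin code).
// Assumes WordPress is loaded: $wpdb and the sanitize_* helpers come from core.

// BEFORE: every request value is interpolated straight into the SQL string.
// Plugin Check flags each one; an attacker controls the query structure.
function myplugin_list_items_unsafe() {
    global $wpdb;
    $table   = $wpdb->prefix . 'myplugin_items'; // hypothetical table
    $status  = $_GET['status'];
    $search  = $_GET['s'];
    $orderby = $_GET['orderby'];
    $order   = $_GET['order'];
    return $wpdb->get_results(
        "SELECT id, title FROM {$table} WHERE status = '{$status}' AND title LIKE '%{$search}%' ORDER BY {$orderby} {$order}"
    );
}

// AFTER: values are bound with placeholders, identifiers and keywords are allowlisted.
function myplugin_list_items_safe() {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_items'; // plugin-owned name, not user input

    // Value: unslash, sanitize, then bind with %s.
    $status = isset( $_GET['status'] ) ? sanitize_key( wp_unslash( $_GET['status'] ) ) : 'publish';

    // LIKE pattern: esc_like() before prepare(), otherwise a user-supplied % or _
    // acts as a wildcard; prepare() only quotes the string, it does not see wildcards.
    $search = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    $like   = '%' . $wpdb->esc_like( $search ) . '%';

    // Identifier: %s would produce ORDER BY 'title' (a string literal, not a column),
    // so the request value is mapped onto a fixed set of known columns.
    // On WordPress 6.2+ the %i placeholder backtick-quotes an identifier, but the
    // allowlist is still what decides which columns a visitor may sort by.
    $allowed_orderby = array( 'id', 'title', 'created_at' );
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'id';
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'id';
    }

    // Keyword: ASC/DESC is neither a value nor an identifier; accept exactly two spellings.
    $order = isset( $_GET['order'] ) ? strtoupper( sanitize_key( wp_unslash( $_GET['order'] ) ) ) : 'ASC';
    $order = ( 'DESC' === $order ) ? 'DESC' : 'ASC';

    $sql = $wpdb->prepare(
        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- $table is plugin-owned; $orderby/$order are allowlisted above.
        "SELECT id, title FROM {$table} WHERE status = %s AND title LIKE %s ORDER BY {$orderby} {$order} LIMIT %d",
        $status,
        $like,
        50
    );
    return $wpdb->get_results( $sql );
}
```

The `phpcs:ignore` line documents, for the next reviewer and for the WordPress Coding Standards sniff, why the remaining interpolation is acceptable: the only interpolated pieces are the plugin's own table name and two tokens that can no longer hold anything outside the allowlist. Without that reasoning recorded in code, the interpolation looks identical to the unsafe version.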
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #351 | Media Library File Download | 23 | 615 | 1,286 | 1k+ | Non-prefixed global variable |
| #352 | Media Library Assistant | 23 | 1,144 | 3,943 | 70k+ | Nonce verification recommended |
| #353 | MediaPress | 23 | 904 | 583 | 4k+ | Output is not escaped |
| #354 | Menu Image, Icons made easy | 23 | 591 | 1,406 | 100k+ | Non-prefixed global variable |
| #355 | Order Bump for WooCommerce | 23 | 1,720 | 1,562 | 600 | Output is not escaped |
| #356 | MotoPress Appointment Booking | 23 | 2,362 | 857 | 2k+ | Text Domain Mismatch |
| #357 | Restaurant Menu and Food Ordering | 23 | 385 | 853 | 2k+ | Non-prefixed global variable |
| #358 | MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar | 23 | 4,065 | 488 | 20k+ | Text Domain Mismatch |
| #359 | MStore API – Create Native Android & iOS Apps On The Cloud | 23 | 618 | 764 | 3k+ | SQL query is not prepared |
| #360 | MultiParcels Shipping For WooCommerce | 23 | 179 | 356 | 4k+ | Request data is not unslashed |
| #361 | MPG – Multiple Page Generator, Bulk Landing Pages & Programmatic SEO | 23 | 488 | 580 | 2k+ | Missing nonce verification |
| #362 | MyWorks Sync for WooCommerce & QuickBooks Online | 23 | 2,292 | 9,101 | 5k+ | Non-prefixed global variable |
| #363 | Next Active Directory Integration | 23 | 683 | 284 | 2k+ | Exception output is not escaped |
| #364 | Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery | 23 | 2,119 | 986 | 400k+ | Text Domain Mismatch |
| #365 | NicheTable – Responsive Comparison Table Block | 23 | 683 | 1,307 | 700 | Non-prefixed global variable |
| #366 | Ninja Forms – The Contact Form Builder That Grows With You | 23 | 754 | 1,525 | 600k+ | Nonce verification recommended |
| #367 | Nirweb support | 23 | 254 | 617 | 800 | Request data is not unslashed |
| #368 | Ocean Extra | 23 | 1,494 | 2,107 | 500k+ | Non-prefixed global variable |
| #369 | Issues and Series for Newspapers, Magazines, Publishers, Writers | 23 | 346 | 710 | 2k+ | Nonce verification recommended |
| #370 | Patchstack – WordPress & Plugins Security | 23 | 107 | 489 | 40k+ | Missing nonce verification |
| #371 | Photo Gallery by 10Web – Mobile-Friendly Image Gallery | 23 | 4,159 | 1,553 | 100k+ | Output is not escaped |
| #372 | Gallery PhotoBlocks | 23 | 904 | 1,345 | 3k+ | Non-prefixed global variable |
| #373 | ExpressTechSoftwares Discord Add-on for Paid Memberships Pro | 23 | 454 | 449 | 700 | Text Domain Mismatch |
| #374 | AI Popup | 23 | 1,224 | 636 | 400 | Text Domain Mismatch |
| #375 | Post to Google My Business (Google Business Profile) | 23 | 845 | 1,452 | 10k+ | Non-prefixed global variable |
| #376 | Postie | 23 | 407 | 261 | 10k+ | Output is not escaped |
| #377 | PowerPress Podcasting plugin by Blubrry | 23 | 4,807 | 2,394 | 20k+ | Output is not escaped |
| #378 | Primary Addon for Elementor | 23 | 765 | 1,306 | 7k+ | Non-prefixed global variable |
| #379 | Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More. | 23 | 1,485 | 444 | 1k+ | Text Domain Mismatch |
| #380 | Print My Blog – Print, PDF, & eBook Converter WordPress Plugin | 23 | 1,077 | 1,660 | 8k+ | Non-prefixed global variable |
| #381 | Product Watermark for WooCommerce | 23 | 696 | 457 | 2k+ | Output is not escaped |
| #382 | Protect Admin | 23 | 606 | 1,300 | 2k+ | Non-prefixed global variable |
| #383 | Radio Station by netmix® – Manage and play your Show Schedule in WordPress! | 23 | 934 | 3,619 | 1k+ | Non-prefixed global variable |
| #384 | Read More WP | 23 | 570 | 1,311 | 1k+ | Non-prefixed global variable |
| #385 | Real 3D Flipbook – 3D FlipBook, PDF FlipBook, PDF Viewer, PDF Embedder | 23 | 856 | 1,365 | 10k+ | Non-prefixed global variable |
| #386 | Redirection | 23 | 523 | 457 | 100k+ | Non-prefixed global variable |
| #387 | Restaurant & Cafe Addon for Elementor | 23 | 889 | 1,326 | 2k+ | Non-prefixed global variable |
| #388 | Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More | 23 | 142 | 681 | 100k+ | Non-prefixed global variable |
| #389 | Revive.so – Bulk Rewrite and Republish Blog Posts | 23 | 332 | 228 | 1k+ | Text Domain Mismatch |
| #390 | Schema | 23 | 1,173 | 245 | 40k+ | Text Domain Mismatch |
| #391 | SecuPress with Simple SSL – Simple and Performant Security | 23 | 1,696 | 1,590 | 40k+ | Non-prefixed global variable |
| #392 | SEO Redirection Plugin – 301 Redirect Manager | 23 | 272 | 727 | 10k+ | Non-prefixed global variable |
| #393 | Seraphinite Post .DOCX Source | 23 | 1,156 | 110 | 900 | Output is not escaped |
| #394 | Seriously Simple Podcasting | 23 | 548 | 627 | 30k+ | Non-prefixed hook name |
| #395 | Local Google Analytics for WordPress – caches external requests | 23 | 551 | 199 | 3k+ | Output is not escaped |
| #396 | Tag, Category, and Taxonomy Manager – Autotagger Automatically Add Terms | 23 | 405 | 869 | 50k+ | Nonce verification recommended |
| #397 | Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management | 23 | 295 | 298 | 4k+ | Non-prefixed global variable |
| #398 | Image Optimizer, Resizer and CDN – Sirv | 23 | 616 | 1,004 | 1k+ | Output is not escaped |
| #399 | Site Reviews | 23 | 1,625 | 598 | 60k+ | Output is not escaped |
| #400 | Slider Hero with Video Background, Animation | 23 | 1,565 | 1,253 | 3k+ | Text Domain Mismatch |