WordPress.DB.RestrictedFunctions.mysql_mysql_real_escape_string

mysql mysql real escape string

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

critical weight

Why It Shows Up

The scan found `mysql_*`, `mysqli_*`, PDO MySQL, or related database functions in plugin code.

Why It Matters

Bypassing `$wpdb` can ignore WordPress database configuration, escaping conventions, character sets, and compatibility layers.

How to Fix

  • Replace raw MySQL calls with `$wpdb` methods or higher-level WordPress APIs.
  • Use `$wpdb->prepare()` for dynamic values.
  • If a third-party library requires a database connection, isolate it and document why WordPress APIs cannot be used.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1rtMedia for WordPress, BuddyPress and bbPress213636338k+Non-prefixed constant
#2Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More212,5721,2771m+Output is not escaped
#3Database Access with Adminer229832,5531k+Non-prefixed global variable
#4ManageWP Worker225075651m+Non-prefixed class
#5WP Umbrella: Update Backup Restore & Monitoring2292191970k+Exception output is not escaped
#6WP-WebAuthn229573962k+Exception output is not escaped
#7Easy Modal245642997k+Unsafe printing function
#8Database Manager – WP Adminer241,0052,75220k+Non-prefixed global variable
#9UpdraftPlus: WP Backup & Migration Plugin242772993m+Non-prefixed global variable
#10Advanced WordPress Reset – Debug, Recover & Reset WP2547546420k+Output is not escaped
#11Advanced Category Excluder31349160700Output is not escaped
#12404 Notifier403941700Output is not escaped