ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $activation_keys used in $wpdb->get_results("SELECT user_email, activation_key FROM $wpdb->signups WHERE activation_key IN ({$activation_keys})")\n$activation_keys assigned unsafely at line 679:\n $activation_keys = implode( ',', $activation_keys )\n$activation_keys assigned unsafely at line 673:\n $activation_keys = array_map( 'sanitize_text_field', explode( ',', $activation_keys ) )

Unescaped parameter $delete_sql used in $wpdb->query($delete_sql)\n$delete_sql assigned unsafely at line 506:\n $delete_sql = apply_filters( 'unconfirmed_delete_sql', $wpdb->prepare( "DELETE FROM $wpdb->signups WHERE activation_key = %s", $key ), $key, $this->is_multisite )\n$key used without escaping.

Unescaped parameter $paged_query used in $wpdb->get_results($paged_query)\n$paged_query assigned unsafely at line 297:\n $paged_query = apply_filters( 'unconfirmed_paged_query', join( ' ', $sql ), $sql, $args, $r )\n$sql used without escaping.\n$args used without escaping.\n$r assigned unsafely at line 230:\n $r = wp_parse_args( $args, $defaults )

Affected Plugins

Plugins that have instances of this rule violation