ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

26K

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $now used in $wpdb->get_col("SELECT option_name FROM $wpdb->options WHERE option_name LIKE '\_wcce\_session\_expires\_%' AND option_value < '$now'")\n$now assigned unsafely at line 211:\n $now = time()

Unescaped parameter $option_names used in $wpdb->query("DELETE FROM $wpdb->options WHERE option_name IN ('$option_names')")\n$option_names assigned unsafely at line 232:\n $option_names = implode( "','", $chunk )\n$chunk used without escaping.

Unescaped parameter $wholesale_roles_query used in $wpdb->get_results($wholesale_roles_query)\n$wholesale_roles_query assigned unsafely at line 362:\n $wholesale_roles_query .= ' )'\n$query_result assigned unsafely at line 364:\n $query_result = $wpdb->get_results( $wholesale_roles_query, ARRAY_A )

Unescaped parameter TABLES[ 'enquiry' ] . "` (\n `id` bigint(20) NOT NULL AUTO_INCREMENT,\n `product_info` text NOT NULL,\n `user_id` bigint(20) NOT NULL DEFAULT 0,\n `user_name` varchar(50) NOT NULL,\n `user_email` varchar(50) NOT NULL,\n `user_additional_fields` text NOT NULL,\n `pin_msg_id` bigint(20) DEFAULT NULL,\n `date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,\n PRIMARY KEY (`id`)\n ) $collate;"\n ) used in $wpdb->query("CREATE TABLE IF NOT EXISTS `{$wpdb->prefix}" . Utill::TABLES[ 'enquiry' ] . "` (\n `id` bigint(20) NOT NULL AUTO_INCREMENT,\n `product_info` text NOT NULL,\n `user_id` bigint(20) NOT NULL DEFAULT 0,\n `user_name` varchar(50) NOT NULL,\n `user_email` varchar(50) NOT NULL,\n `user_additional_fields` text NOT NULL,\n `pin_msg_id` bigint(20) DEFAULT NULL,\n `date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,\n PRIMARY KEY (`id`)\n ) $collate;")

Affected Plugins

Plugins that have instances of this rule violation

Wholesale Suite – B2B, Dynamic Pricing & WooCommerce Wholesale Prices

woocommerce-wholesale-prices

issues

20K

installs

CatalogX — Catalog Mode, Enquiry & Quotes for WooCommerce

woocommerce-catalog-enquiry

issues

installs

Unescaped parameter TABLES[ 'message' ] . "` (\n `chat_message_id` bigint(20) NOT NULL AUTO_INCREMENT,\n `to_user_id` bigint(20) NOT NULL,\n `from_user_id` bigint(20) NOT NULL,\n `chat_message` text NOT NULL,\n `product_id` text NOT NULL,\n `enquiry_id` bigint(20) NOT NULL,\n `status` varchar(20) NOT NULL,\n `date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,\n `attachment` bigint(20),\n `reaction` varchar(20),\n `star` boolean,\n `reply` text DEFAULT NULL,\n PRIMARY KEY (`chat_message_id`)\n ) $collate;"\n ) used in $wpdb->query("CREATE TABLE IF NOT EXISTS `{$wpdb->prefix}" . Utill::TABLES[ 'message' ] . "` (\n `chat_message_id` bigint(20) NOT NULL AUTO_INCREMENT,\n `to_user_id` bigint(20) NOT NULL,\n `from_user_id` bigint(20) NOT NULL,\n `chat_message` text NOT NULL,\n `product_id` text NOT NULL,\n `enquiry_id` bigint(20) NOT NULL,\n `status` varchar(20) NOT NULL,\n `date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,\n `attachment` bigint(20),\n `reaction` varchar(20),\n `star` boolean,\n `reply` text DEFAULT NULL,\n PRIMARY KEY (`chat_message_id`)\n ) $collate;")