Unescaped parameter $query used in $wpdb->get_results($query)
$query assigned unsafely at line 608:
 $query = self::build_db_logs_query(
    $filters,
    $limit,
    $offset,
    $order
 )
$filters used without escaping.
$limit used without escaping.
$offset used without escaping.
$order used without escaping.

Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 123:
 $sql = $wpdb->prepare( "SELECT option_name FROM {$tbl} WHERE option_name LIKE %s", $search_string )
$tbl assigned unsafely at line 121:
 $tbl = $wpdb->prefix . 'options'
$search_string assigned unsafely at line 122:
 $search_string = WBG_PRFX . '%'

Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 68:
 $sql = $wpdb->prepare( "SELECT option_name FROM {$tbl} WHERE option_name LIKE %s", $search_string )
$tbl assigned unsafely at line 66:
 $tbl = $wpdb->prefix . 'options'
$search_string assigned unsafely at line 67:
 $search_string = 'wbg_%'

Unescaped parameter $wbg_authors_by_cat used in $wpdb->get_results($wbg_authors_by_cat)
$wbg_authors_by_cat assigned unsafely at line 67:
 $wbg_authors_by_cat = "SELECT DISTINCT pm.meta_value\r\n FROM {$wpdb->posts} p\r\n LEFT JOIN {$wpdb->term_relationships} rel ON rel.object_id = p.ID\r\n LEFT JOIN {$wpdb->term_taxonomy} tax ON tax.term_taxonomy_id = rel.term_taxonomy_id\r\n LEFT JOIN {$wpdb->terms} t ON t.term_id = tax.term_id\r\n LEFT JOIN {$wpdb->postmeta} pm ON pm.post_id = p.ID\r\n WHERE post_status = 'publish'\r\n AND post_type = 'books'\r\n AND t.name = '" . htmlspecialchars( $wbg_category_s ) . "'\r\n AND tax.taxonomy = 'book_category'\r\n AND pm.meta_key = 'wbg_author'\r\n ORDER BY pm.meta_value {$wbg_display_author_order}"
$wbg_category_s assigned unsafely at line 14:
 $wbg_category_s = ( isset( $_GET['wbg_category_s'] ) ? sanitize_text_field( urldecode( $_GET['wbg_category_s'] ) ) : '' )
Note: sanitize_text_field() is not a safe escaping function.
$_GET['wbg_category_s'] used without escaping.
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $wbg_display_author_order used in $wpdb->get_results("SELECT DISTINCT meta_value FROM {$wpdb->postmeta} pm, {$wpdb->posts} p WHERE meta_key = 'wbg_author' and p.post_type = 'books' ORDER BY meta_value {$wbg_display_author_order}")
$wbg_display_author_order used without escaping.