Unescaped parameter $attach_id used in $wpdb->get_results("SELECT ID FROM {$wpdb->prefix}posts WHERE ID ='{$attach_id}' AND post_title ='image-failed' AND post_type = 'attachment' AND guid LIKE '%$image_title%'")
$attach_id assigned unsafely at line 91:
    $attach_id = $attachment_id[0]['ID']
$image_title assigned unsafely at line 71:
    $image_title=preg_replace('/\.[^.\s]{3,4}$/', '', $img_url)
$attachment_id[0]['ID'] used without escaping.
$img_url assigned unsafely at line 62:
    $img_url = urldecode($encodedurl)
$encodedurl assigned unsafely at line 61:
    $encodedurl = urlencode($img_url)

Unescaped parameter $data_array['user_pass'] used in $wpdb->get_results("UPDATE {$wpdb->prefix}users SET user_pass = '{$data_array['user_pass']}' WHERE ID = $retID")
$data_array['user_pass'] assigned unsafely at line 85:
    $data_array['user_pass']=wp_hash_password($data_array['user_pass'])
$data_array['user_pass'] assigned unsafely at line 74:
    $data_array['user_pass'] = wp_generate_password( 12, false )
$retID assigned unsafely at line 95:
    $retID = wp_insert_user($data_array)
$data_array assigned unsafely at line 69:
    $data_array = apply_filters('smack_csv_modify_userdata_filter', $data_array)
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $data_key used in $wpdb->get_results($wpdb->prepare("select type , name from {$wpdb->prefix}bp_xprofile_fields where id= $data_key" ))
$data_key assigned unsafely at line 37:
    $data_key =>
$data_value used without escaping.
$get_buddy_fields assigned unsafely at line 38:
    $get_buddy_fields = $wpdb->get_results($wpdb->prepare("select type , name from {$wpdb->prefix}bp_xprofile_fields where id= $data_key" ), ARRAY_A)

Unescaped parameter $fimg_name used in $wpdb->get_results("SELECT ID FROM {$wpdb->prefix}posts WHERE post_title ='image-failed' AND post_type = 'attachment' AND guid LIKE '%$fimg_name%'")
$fimg_name assigned unsafely at line 411:
    $fimg_name = isset($get_path_values['fimg_name']) ? $get_path_values['fimg_name'] : ''
$get_path_values['fimg_name'] used without escaping.

Unescaped parameter $fimg_name used in $wpdb->get_var("SELECT ID FROM ".$wpdb->prefix."posts WHERE post_type = 'attachment' AND guid LIKE '%$fimg_name'")
$fimg_name assigned unsafely at line 231:
    $fimg_name = preg_replace('/[^a-zA-Z0-9._\-\s]/', '', $fimg_name)
$fimg_name assigned unsafely at line 230:
    $fimg_name = str_replace(' ', '-', trim($fimg_name))
$fimg_name assigned unsafely at line 229:
    $fimg_name = @basename($f_img)
$f_img assigned unsafely at line 210:
    $f_img = $media_dir['url'].'/'.$f_img
$media_dir['url'] used without escaping.