Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 41:
 $sql = "(" . $sql . ") union (select ID from " . $wpdb->posts . " where post_parent in (select ID from " . $wpdb->posts . " where post_parent = " . absint( $topic_id ) . " and post_type = 'reply') and post_type = 'attachment')"
$sql assigned unsafely at line 38:
 $sql = "select ID from " . $wpdb->posts . " where post_parent = " . $topic_id . " and post_type = 'attachment'"
$topic_id used without escaping.
Affected Plugins
Plugins that have instances of this rule violation