ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $metakeys used in $wpdb->get_results('SELECT post_id as pID, meta_key, meta_value FROM ' . $wpdb->postmeta . ' WHERE ' . $metakeys . ' ORDER BY meta_key')\n$metakeys assigned unsafely at line 889:\n $metakeys = ltrim($metakeys, ' OR ')\n$metakeys assigned unsafely at line 884:\n $metakeys = ''\n$k assigned unsafely at line 885:\n $k => \n$plugin[$k] used without escaping.

Unescaped parameter $mime_types used in $wpdb->get_results($wpdb->prepare(\n 'SELECT DISTINCT YEAR( post_date ) AS year, MONTH( post_date ) AS month\n FROM ' . $wpdb->posts . '\n WHERE post_type = %s AND post_mime_type IN ("' . $mime_types . '") ORDER BY post_date DESC ', 'attachment'\n ))\n$mime_types assigned unsafely at line 411:\n $mime_types = implode('","', self::$allowed_mime_type)\n$allowed_mime_type used without escaping.

Unescaped parameter $mime_types used in $wpdb->get_results($wpdb->prepare(\n 'SELECT ID FROM ' . $wpdb->posts . ' WHERE post_type="attachment" AND post_mime_type IN ("' . $mime_types . '") LIMIT %d OFFSET %d', array(\n $limit,\n $ofset\n )\n ))\n$mime_types assigned unsafely at line 2135:\n $mime_types = implode('","', self::$allowed_mime_type)\n$allowed_mime_type used without escaping.

Affected Plugins

Plugins that have instances of this rule violation

Site Kit by Google – Analytics, Search Console, AdSense, Speed

google-site-kit

issues

installs

Google for WooCommerce

google-listings-and-ads

issues

900K

installs