Unescaped parameter $query used in $wpdb->get_results($query)
$query assigned unsafely at line 270:
    $query = $wpdb->prepare( $query, $params )
$query assigned unsafely at line 264:
    $query .= ' AND date = %s'
$params[] used without escaping.

Unescaped parameter $query used in $wpdb->get_results($query)
$query assigned unsafely at line 130:
    $query = "SELECT post_content FROM $table_posts\r\n where post_content LIKE '%{$job_form_widget_type}%'\r\n AND post_status = 'publish' ORDER by post_date DESC LIMIT 0,1"
$table_posts assigned unsafely at line 128:
    $table_posts = $wpdb->prefix . 'posts'
$table_posts assigned unsafely at line 25:
    $table_posts = $wpdb->prefix . 'posts'
$job_form_widget_type assigned unsafely at line 127:
    $job_form_widget_type = 'sjb-wpb-jobdetails'
$results assigned unsafely at line 134:
    $results = $wpdb->get_results($query, ARRAY_A)
$table_postmeta assigned unsafely at line 24:
    $table_postmeta = $wpdb->prefix . 'postmeta'

Unescaped parameter $sql_query used in $wpdb->query($sql_query)
$sql_query assigned unsafely at line 100:
    $sql_query.= implode(" UNION ALL ", $sql_query_sel)
$sql_query_sel used without escaping.

Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $table_postmeta used in $wpdb->get_results("SELECT post_id FROM $table_postmeta \r\n LEFT JOIN $table_posts ON $table_postmeta.post_id = $table_posts.ID\r\n where meta_key = '_elementor_data' AND meta_value LIKE '%{$job_form_widget_type}%'\r\n AND $table_posts.post_status = 'publish'\r\n ")
$table_postmeta assigned unsafely at line 24:
    $table_postmeta = $wpdb->prefix . 'postmeta'
$table_posts assigned unsafely at line 25:
    $table_posts = $wpdb->prefix . 'posts'
$results assigned unsafely at line 26:
    $results = $wpdb->get_results("SELECT post_id FROM $table_postmeta \r\n LEFT JOIN $table_posts ON $table_postmeta.post_id = $table_posts.ID\r\n where meta_key = '_elementor_data' AND meta_value LIKE '%{$job_form_widget_type}%'\r\n AND $table_posts.post_status = 'publish'\r\n ", ARRAY_A)
$job_form_widget_type assigned unsafely at line 23:
    $job_form_widget_type = '"widgetType":"job-details"'

Unescaped parameter $where used in $wpdb->get_results($wpdb->prepare( "SELECT {$wpdb->posts}.ID, COUNT(applications.ID) AS applications_count FROM {$wpdb->posts} {$join} {$where} GROUP BY {$wpdb->posts}.ID ORDER BY applications_count DESC, {$wpdb->posts}.ID{$limit}", $values ))
$where assigned unsafely at line 226:
    $where .= " AND ({$status_placeholder})"
$limit assigned unsafely at line 237:
    $limit .= ' LIMIT %d'
$status_placeholder assigned unsafely at line 225:
    $status_placeholder = rtrim( str_repeat( "{$wpdb->posts}.post_status = %s OR ", count( $status ) ), ' OR ' )
$parsed_args['numberjobs'] used without escaping.
$status assigned unsafely at line 224:
    $status = array_map( 'sanitize_text_field', $parsed_args['job_status'] )
$parsed_args['job_status'] used without escaping.