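Unescaped parameter $attachments used in $wpdb->get_results("SELECT `post_id` FROM {$wpdb->postmeta} WHERE `meta_key` = '_wp_attached_file' AND `meta_value` IN('" . implode( "', '", $attachments ) . "')")
$attachments assigned unsafely at line 62:
 $attachments = array_filter( $attachments )
$attachments assigned unsafely at line 49:
 $attachments = array_map(
 function ( $attachment ) {
 if ( is_array( $attachment ) ) {
 $split = explode( '/uploads/', $attachment[0] );

 return esc_sql( end( $split ) );
 }

 return null;
 },
 $attachments
 )
$attachment used without escaping.
$split used without escaping.
$attachment[0] used without escaping.
Triage note: every value that survives array_filter() was returned by esc_sql() inside the callback and is placed between single quotes in the IN() list, so the values do appear to be escaped. The finding is most likely raised because the query is assembled by concatenation rather than passed through $wpdb->prepare(). Generating one %s placeholder per element and passing the array to prepare() removes the ambiguity.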
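Unescaped parameter $pivot_table used in $wpdb->get_results($wpdb->prepare( 'SELECT mp_segments.id, COUNT(*) as count FROM ' . $pivot_table . ' as mp_segment_pivot INNER JOIN ' . $segment_table . ' as mp_segments ON mp_segment_pivot.segment_id = mp_segments.id AND mp_segment_pivot.status = %s GROUP BY mp_segments.id', Subscriber::STATUS_SUBSCRIBED ))
$pivot_table assigned unsafely at line 176:
 $pivot_table = $wpdb->prefix . 'mailpoet_subscriber_segment'
$lists assigned unsafely at line 178:
 $lists = $wpdb->get_results( 'SELECT * FROM ' . $segment_table, ARRAY_A )
$segment_table assigned unsafely at line 175:
 $segment_table = $wpdb->prefix . 'mailpoet_segments'
Triage note: $pivot_table and $segment_table are built from $wpdb->prefix and a string literal, and the only value in the query (the status) is bound with %s, so no request data reaches the query in the lines shown. Table names cannot be bound with %s. On WordPress 6.2 and later the %i identifier placeholder of $wpdb->prepare() can replace the concatenation.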
Affected Plugins
Plugins that have instances of this rule violation
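Unescaped parameter $query used in $wpdb->get_row($query)
$query assigned unsafely at line 37:
 $query = $wpdb->prepare( "SELECT * FROM {$this->get_table()} WHERE `id` = %s AND deleted_at IS NULL AND `status` = 1", $id )
Triage note: $query is already the return value of $wpdb->prepare() with $id bound as %s. The part the checker cannot verify is the interpolated {$this->get_table()}. The finding matters only if get_table() can return something other than a fixed, prefix-based table name, which these lines do not show.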
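Unescaped parameter $segment_table used in $wpdb->get_results('SELECT * FROM ' . $segment_table)
$segment_table assigned unsafely at line 175:
 $segment_table = $wpdb->prefix . 'mailpoet_segments'
$pivot_table assigned unsafely at line 176:
 $pivot_table = $wpdb->prefix . 'mailpoet_subscriber_segment'
$lists assigned unsafely at line 178:
 $lists = $wpdb->get_results( 'SELECT * FROM ' . $segment_table, ARRAY_A )
Triage note: $segment_table is $wpdb->prefix concatenated with a string literal, and the query takes no other variable, so nothing caller-supplied is visible in this statement. The checker flags it because the query string is concatenated and not passed through $wpdb->prepare().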
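Unescaped parameter $statement used in $wpdb->query($statement)
$statement assigned unsafely at line 180:
 $statement = $wpdb->prepare( "UPDATE {$this->get_table()} SET {$attrs} WHERE `id` IN({$ids_sql})", $data )
$ids_sql assigned unsafely at line 178:
 $ids_sql = $this->in_sql( $ids )
Triage note: $attrs and $ids_sql are interpolated into the format string before prepare() runs, so prepare() does not escape them. Whether the statement is safe depends on how $attrs is built and on what in_sql() returns, and neither is shown here. Both should emit only placeholders, with the values carried in $data, or else cast or escape every element. This finding needs manual review of those two helpers.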