Unescaped parameter $postmeta_name used in $wpdb->query($wpdb->prepare("UPDATE $postmeta_name SET meta_value = REPLACE(meta_value, '%s', '%s')", [$old_url, $new_url]))\n$postmeta_name assigned unsafely at line 826:\n $postmeta_name = $wpdb->prefix . 'postmeta'\n$postmeta_result assigned unsafely at line 827:\n $postmeta_result = $wpdb->query($wpdb->prepare("UPDATE $postmeta_name SET meta_value = REPLACE(meta_value, '%s', '%s')", [$old_url, $new_url]))\n$old_url assigned unsafely at line 816:\n $old_url = esc_url_raw($_POST['old_url'])\n$new_url assigned unsafely at line 817:\n $new_url = esc_url_raw($_POST['new_url'])\n$_POST['old_url'] used without escaping.\n$_POST['new_url'] used without escaping.
Unescaped parameter $posts_name used in $wpdb->query($wpdb->prepare("UPDATE $posts_name SET post_content = REPLACE(post_content, '%s', '%s')", [$old_url, $new_url]))\n$posts_name assigned unsafely at line 821:\n $posts_name = $wpdb->prefix . 'posts'\n$posts_result assigned unsafely at line 823:\n $posts_result = $wpdb->query($wpdb->prepare("UPDATE $posts_name SET post_content = REPLACE(post_content, '%s', '%s')", [$old_url, $new_url]))\n$old_url assigned unsafely at line 816:\n $old_url = esc_url_raw($_POST['old_url'])\n$new_url assigned unsafely at line 817:\n $new_url = esc_url_raw($_POST['new_url'])\n$_POST['old_url'] used without escaping.\n$_POST['new_url'] used without escaping.
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $query used in $wpdb->get_results($query)\n$query assigned unsafely at line 353:\n $query = self::build_query( $args )\n$args used without escaping.