Unescaped parameter $base_query used in $wpdb->get_results($base_query)
$base_query assigned unsafely at line 1316:
 $base_query = $wpdb->prepare("
     SELECT DISTINCT t.term_id, t.name, tt.parent, coalesce(tr.term_taxonomy_id, 0) as have_items
     FROM
     $wpdb->terms t INNER JOIN $wpdb->term_taxonomy tt ON t.term_id = tt.term_id
     LEFT JOIN (
         SELECT DISTINCT term_taxonomy_id FROM $wpdb->term_relationships
             INNER JOIN ($items_query) as posts ON $wpdb->term_relationships.object_id = posts.ID
     ) as tr ON tt.term_taxonomy_id = tr.term_taxonomy_id
     WHERE tt.taxonomy = %s ORDER BY t.name ASC", $taxonomy_slug
 )
$items_query assigned unsafely at line 1256:
 $items_query = $items_query->request
$items_query->request used without escaping.

Unescaped parameter $childrens_in used in $wpdb->get_results($wpdb->prepare(
    "SELECT * FROM $wpdb->postmeta
        WHERE post_id = %d AND
                    meta_key = %s AND
                    meta_id IN ($childrens_in)",
        $item->get_id(),
        $metadatum->get_id()
))
$childrens_in assigned unsafely at line 54:
 $childrens_in = implode(',', $childrens)
$childrens assigned unsafely at line 52:
 $childrens = $childrens->meta_value
$childrens->meta_value used without escaping.

Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $column used in $wpdb->get_row($wpdb->prepare( "
    SELECT *
    FROM {$table}
    WHERE {$column} LIKE %s
    ORDER BY {$key_column} ASC
    LIMIT 1
", $key ))
$column assigned unsafely at line 317:
 $column = 'meta_key'
$key_column assigned unsafely at line 318:
 $key_column = 'meta_id'
$value_column assigned unsafely at line 319:
 $value_column = 'meta_value'
$key assigned unsafely at line 322:
 $key = $wpdb->esc_like( $this->identifier . '_batch_' ) . '%'

Unescaped parameter $column used in $wpdb->get_var($wpdb->prepare( "
    SELECT COUNT(*)
    FROM {$table}
    WHERE {$column} LIKE %s
", $key ))
$column assigned unsafely at line 234:
 $column = 'meta_key'
$key assigned unsafely at line 237:
 $key = $wpdb->esc_like( $this->identifier . '_batch_' ) . '%'

Unescaped parameter $core_query used in $wpdb->query($core_query)
$core_query assigned unsafely at line 534:
 $core_query = $wpdb->prepare( "UPDATE $wpdb->posts SET $column = %s WHERE ID IN ($update_q)", $v )
$update_q assigned unsafely at line 533:
 $update_q = $this->_build_select( "post_id" )