Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 506:
    $sql = $wpdb->prepare( "SELECT p.ID, p.post_title,
        MAX(CASE WHEN pm.meta_key = '_wp_attachment_metadata' THEN pm.meta_value END) AS metadata
        FROM $wpdb->posts p
        INNER JOIN $wpdb->postmeta pm ON pm.post_id = p.ID
        WHERE post_type = 'attachment'
        AND pm.meta_key = '_wp_attachment_metadata'
        AND p.post_mime_type LIKE 'image/%%'
        $whereIsIn
        GROUP BY p.ID
        $orderSql
        LIMIT %d, %d", $skip, $limit
    )
$whereIsIn assigned unsafely at line 495:
    $whereIsIn = 'AND p.ID IN (' . implode( ',', $in ) . ')'
$in assigned unsafely at line 491:
    $in = $this->get_filtered_post_ids( $filterBy )
$filterBy used without escaping.

Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 521:
    $sql = $wpdb->prepare( "SELECT p.ID, p.post_title,
        MAX(CASE WHEN pm.meta_key = '_wp_attachment_metadata' THEN pm.meta_value END) AS metadata
        FROM $wpdb->posts p
        INNER JOIN $wpdb->postmeta pm ON pm.post_id = p.ID
        WHERE post_type = 'attachment'
        AND pm.meta_key = '_wp_attachment_metadata'
        AND p.post_mime_type LIKE 'image/%%'
        $whereIsIn
        AND p.post_title LIKE %s
        GROUP BY p.ID
        $orderSql
        LIMIT %d, %d", ( '%' . $search . '%' ), $skip, $limit
    )
$whereIsIn assigned unsafely at line 495:
    $whereIsIn = 'AND p.ID IN (' . implode( ',', $in ) . ')'
$in assigned unsafely at line 491:
    $in = $this->get_filtered_post_ids( $filterBy )
$filterBy used without escaping.
Affected Plugins
Plugins that have instances of this rule violation