ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

298

Instances found

Total Impact

112K

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $Theme->table used in $wpdb->get_row("SHOW TABLE STATUS LIKE '" . $wpdb->prefix . $Theme->table . "'")\n$Theme->table used without escaping.

Unescaped parameter $Theme->table used in $wpdb->query("CREATE TEMPORARY TABLE `themetmp`\n\t\t\t\t\t SELECT * FROM `" . $wpdb->prefix . $Theme->table . "`\n\t\t\t\t\t WHERE `id` = '" . esc_sql( $id ) . "'")\n$Theme->table used without escaping.

Unescaped parameter $Theme->table used in $wpdb->query("INSERT INTO `" . $wpdb->prefix . $Theme->table . "`\n\t\t\t\t\t SELECT * FROM `themetmp` WHERE `id` = '" . $nextid . "'")\n$Theme->table used without escaping.

Unescaped parameter $alltotalquery used in $wpdb->get_var($alltotalquery)\n$alltotalquery assigned unsafely at line 96:\n $alltotalquery = apply_filters('newsletters_bounces_alltotalquery', $alltotalquery)\n$alltotalquery assigned unsafely at line 95:\n $alltotalquery = "SELECT SUM(`count`) FROM `" . $wpdb -> prefix . $this -> table . "`"

Unescaped parameter $attachmentsquery used in $wpdb->get_results($attachmentsquery)\n$attachmentsquery assigned unsafely at line 3068:\n $attachmentsquery = "SELECT id, title, filename FROM " . $wpdb -> prefix . $HistoriesAttachment -> table . " WHERE history_id = '" . $history -> id . "'"\n$HistoriesAttachment->table used without escaping.\n$history->id used without escaping.

Affected Plugins

Plugins that have instances of this rule violation

FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution

Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Membership, Subscribers and Landing Pages