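Unescaped parameter $column used in $wpdb->get_col($wpdb->prepare( "SELECT {$column} FROM {$table} WHERE {$column} LIKE %s", $key ))
$column assigned unsafely at line 307:
 $column = is_multisite() ? 'meta_key' : 'option_name'
$key assigned unsafely at line 309:
 $key = 'wpf_background_process_%'
$results assigned unsafely at line 311:
 $results = $wpdb->get_col( $wpdb->prepare( "SELECT {$column} FROM {$table} WHERE {$column} LIKE %s", $key ) )

Triage note: in this trace $column is one of two hard-coded literals and $key is a literal bound through %s, so the rule fires on the interpolated identifier rather than on a request-derived value. The assignment of {$table} is not part of the trace and should be checked separately. On WordPress 6.2 and later, identifiers can be bound with the %i placeholder instead of being interpolated.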
Unescaped parameter $column used in $wpdb->get_row($wpdb->prepare(
          "
          SELECT *
          FROM {$table}
          WHERE {$column} LIKE %s
          ORDER BY {$key_column} ASC
          LIMIT 1
        ",
          $key
        ))
$column assigned unsafely at line 424:
 $column = is_multisite() ? 'meta_key' : 'option_name'
$key assigned unsafely at line 428:
 $key = $this->identifier . '_%'

Triage note: $column is one of two hard-coded literals, and $key is bound through %s. {$table} and {$key_column} are also interpolated into the statement, but their assignments are not part of the trace, so confirm that both come from fixed values before treating the finding as benign.
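Unescaped parameter $column used in $wpdb->get_var($wpdb->prepare(
          "
      SELECT COUNT(*)
      FROM {$table}
      WHERE {$column} LIKE %s
      ",
          $key
        ))
$column assigned unsafely at line 343:
 $column = is_multisite() ? 'meta_key' : 'option_name'
$key assigned unsafely at line 345:
 $key = $this->identifier . '_%'

Triage note: $column is one of two hard-coded literals; the assignment of {$table} is not part of the trace. prepare() binds $key as a string but does not escape LIKE wildcards, so any `_` or `%` inside $this->identifier is matched as a wildcard. Passing the identifier part through $wpdb->esc_like() before appending '_%' keeps the match literal.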
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $query used in $wpdb->get_col($query)
$query assigned unsafely at line 810:
 $query = $wpdb->prepare( $sql, $params )
$sql assigned unsafely at line 800:
 $sql = "
        SELECT DISTINCT meta_key
        FROM {$table} m
        WHERE m.meta_key NOT IN (" . implode( ',', array_fill( 0, count( $exclude ), '%s' ) ) . ')
        AND m.meta_key NOT LIKE
        ' . implode( ' AND m.meta_key NOT LIKE ', array_fill( 0, count( $exclude_like ), '%s' ) ) . '
        ORDER BY m.meta_key ASC
      ;'
$table assigned unsafely at line 798:
 $table = Wprus::get_table( 'usermeta' )
$exclude assigned unsafely at line 796:
 $exclude = $this->get_excluded_meta()
$exclude_like assigned unsafely at line 797:
 $exclude_like = $this->get_excluded_meta_like()

Triage note: $exclude and $exclude_like contribute only their element counts to $sql, as %s placeholders. The values are presumably passed in $params, whose construction is not part of the trace. The only interpolated value is {$table}, returned by Wprus::get_table( 'usermeta' ). If either array is empty the statement contains `NOT IN ()` or a dangling `NOT LIKE`, which is invalid SQL, so the callers need to guarantee both lists are non-empty.
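Unescaped parameter $query used in $wpdb->get_col($query)
$query assigned unsafely at line 1991:
 $query = $wpdb->prepare( "SELECT lr.lr_id
          FROM $wpdb->posts p
          INNER JOIN $tbl_r lr
          ON lr.wp_id = p.ID
          WHERE p.ID IN ($wpIdsPlaceHolders)" . $sqlOrderBy, $wpIds )
$tbl_r assigned unsafely at line 1986:
 $tbl_r = $wpdb->prefix . 'lrsync'
$wpIds assigned unsafely at line 1987:
 $wpIds = $this->get_media_from_collection( $wp_col_id )
$wp_col_id used without escaping.

Triage note: $wpIds is passed to prepare() as the bound arguments, and $tbl_r is the table prefix plus a literal. The parts to verify are $wpIdsPlaceHolders and $sqlOrderBy, which are concatenated into the statement and whose assignments are not part of the trace. An ORDER BY fragment cannot be bound as a value, so $sqlOrderBy should be built from a fixed allow-list of column names and directions. $wpIdsPlaceHolders should contain only generated placeholders matching the number of IDs.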