Unescaped parameter $order_ids_string used in $wpdb->get_results("
    SELECT o.id
    FROM {$wpdb->wc_orders} AS o
    WHERE o.type = 'shop_order_refund'
    AND o.status = 'wc-completed'
    AND o.parent IN ( {$order_ids_string} )
    ORDER BY o.date_created_gmt ASC
    ")
$order_ids_string assigned unsafely at line 692:
 $order_ids_string = implode( ',', $order_ids )
$order_ids used without escaping.
Unescaped parameter $order_ids_string used in $wpdb->get_results("
    SELECT p.id
    FROM {$wpdb->posts} AS p
    WHERE p.post_type = 'shop_order_refund'
    AND p.post_status = 'wc-completed'
    AND p.post_parent IN ( {$order_ids_string} )
    ORDER BY p.post_date ASC
    ")
$order_ids_string assigned unsafely at line 692:
 $order_ids_string = implode( ',', $order_ids )
$order_ids used without escaping.
Unescaped parameter $query used in $wpdb->get_results($query)
$query assigned unsafely at line 115:
 $query = "SELECT * FROM {$table_name} WHERE queue_id IN ('{$queue_ids_string}')"
$table_name assigned unsafely at line 112:
 $table_name = self::get_queue_table_name()
$queue_ids_string assigned unsafely at line 113:
 $queue_ids_string = join( "','", $queue_ids )
$queue_ids used without escaping.
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $query used in $wpdb->get_results($query)
$query assigned unsafely at line 164:
 $query = "UPDATE {$table_name} SET batch_id = 0 WHERE batch_id NOT IN ('{$active_batches_string}') AND status IN ('new', 'awaiting')"
$table_name assigned unsafely at line 153:
 $table_name = self::get_queue_table_name()
$active_batches_string assigned unsafely at line 162:
 $active_batches_string = join( "','", $active_batches )
$active_batches assigned unsafely at line 160:
 $active_batches = as_get_scheduled_actions( $args, 'ids' )
Unescaped parameter $query used in $wpdb->get_results($query)
$query assigned unsafely at line 230:
 $query .= $where . "ORDER BY queue_id DESC LIMIT {$offset}, {$per_page}"
$where assigned unsafely at line 227:
 $where .= "AND record_id = '{$search}' "
$search assigned unsafely at line 226:
 $search = sanitize_text_field( $_REQUEST[ 's' ] )
Note: sanitize_text_field() is not a safe escaping function.
$_REQUEST['s'] used without escaping.