Unescaped parameter $cv_used_nonces used in $wpdb->get_var($wpdb->prepare(
    "SELECT COUNT(*) FROM $cv_used_nonces WHERE nonce = %s",
    $nonce_token
))
$cv_used_nonces assigned unsafely at line 1074:
    $cv_used_nonces = $wpdb->prefix . 'cv_used_nonces'
$table_exists assigned unsafely at line 1076:
    $table_exists = $wpdb->get_var(
        $wpdb->prepare(
            'SHOW TABLES LIKE %s',
            $cv_used_nonces
        )
    )

Unescaped parameter $cv_used_nonces used in $wpdb->get_var($wpdb->prepare(
    "SELECT COUNT(*) FROM $cv_used_nonces WHERE nonce = %s",
    $nonce_token
))
$cv_used_nonces assigned unsafely at line 2475:
    $cv_used_nonces = $wpdb->prefix . 'cv_used_nonces'
$table_exists assigned unsafely at line 2477:
    $table_exists = $wpdb->get_var(
        $wpdb->prepare(
            'SHOW TABLES LIKE %s',
            $cv_used_nonces
        )
    )

Unescaped parameter $cv_used_nonces used in $wpdb->get_var("SHOW TABLES LIKE '{$cv_used_nonces}'")

Unescaped parameter $cv_used_nonces used in $wpdb->get_var("SHOW TABLES LIKE '{$cv_used_nonces}'")
$cv_used_nonces assigned unsafely at line 2475:
    $cv_used_nonces = $wpdb->prefix . 'cv_used_nonces'
$table_exists assigned unsafely at line 2477:
    $table_exists = $wpdb->get_var(
        $wpdb->prepare(
            'SHOW TABLES LIKE %s',
            $cv_used_nonces
        )
    )

Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $query used in $wpdb->get_results($query)
$query assigned unsafely at line 1957:
    $query = $wpdb->prepare( 'Select * from ' . $table_name . ' where uid=%s order by id ASC', $uid )
$table_name assigned unsafely at line 1956:
    $table_name = $wpdb->prefix . 'cv_entry_meta'
$table_name assigned unsafely at line 1933:
    $table_name = $wpdb->prefix . 'cv_entry'
$uid assigned unsafely at line 1922:
    $uid = isset( $uid ) ? sanitize_text_field( $uid ) : null
Note: sanitize_text_field() is not a safe escaping function.
$uid assigned unsafely at line 1921:
    $uid = $request->get_param( 'uid' )
$request used without escaping.