This is a very simple threat scan that looks for things out of place in the content directory as well as the database.
| Type | Code | Message | Location | Category |
|---|---|---|---|---|
| ERROR | WordPress.DB.PreparedSQL.NotPrepared | Use placeholders and $wpdb->prepare(); found $sql | 343:32 | Security |
| ERROR | PluginCheck.Security.DirectDB.UnescapedDBParameter | Unescaped parameter $sql used in $wpdb->get_results($sql)\n$sql assigned unsafely at line 234:\n $sql="select comment_ID,comment_author_url,comment_agent,comment_author,comment_author_email,comment_content\r\nfrom $ptab where \r\nINSTR(LCASE(comment_author_url), '<script') +\r\nINSTR(LCASE(comment_agent), '<script') +\r\nINSTR(LCASE(comment_author), '<script') +\r\nINSTR(LCASE(comment_author_email), '<script') +\r\nINSTR(LCASE(comment_author_url), 'eval(') +\r\nINSTR(LCASE(comment_agent), 'eval(') +\r\nINSTR(LCASE(comment_author), 'eval(') +\r\nINSTR(LCASE(comment_author_email), 'eval(') +\r\nINSTR(LCASE(comment_content), '<script') +\r\nINSTR(LCASE(comment_content), 'eval(') +\r\nINSTR(LCASE(comment_content), 'document.write(unescape(') +\r\nINSTR(LCASE(comment_content), 'try{window.onload') +\r\nINSTR(LCASE(comment_content), 'setAttribute(\\'src\\'') +\r\nINSTR(LCASE(comment_author_url), 'javascript:') >0\r\n"\n$ptab assigned unsafely at line 232:\n $ptab=$pre.'comments'\n$ptab assigned unsafely at line 181:\n $ptab=$pre.'posts' | 251:19 | Security |
| ERROR | WordPress.DB.PreparedSQL.NotPrepared | Use placeholders and $wpdb->prepare(); found $sql | 251:32 | Security |
| ERROR | WordPress.Security.EscapeOutput.OutputNotEscaped | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"found possible problems in comment ($reason) ID"'. | 275:18 | Security |
| ERROR | WordPress.Security.EscapeOutput.OutputNotEscaped | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$myrow'. | 275:69 | Security |
| ERROR | PluginCheck.Security.DirectDB.UnescapedDBParameter | Unescaped parameter $sql used in $wpdb->get_results($sql)\n$sql assigned unsafely at line 284:\n $sql="select link_ID,link_url,link_image,link_description,link_notes\r\nfrom $ptab where \r\nINSTR(LCASE(link_url), '<script') +\r\nINSTR(LCASE(link_image), '<script') +\r\nINSTR(LCASE(link_description), '<script') +\r\nINSTR(LCASE(link_notes), '<script') +\r\nINSTR(LCASE(link_rss), '<script') +\r\nINSTR(LCASE(link_url), 'eval(') +\r\nINSTR(LCASE(link_image), 'eval(') +\r\nINSTR(LCASE(link_description), 'eval(') +\r\nINSTR(LCASE(link_notes), 'eval(') +\r\nINSTR(LCASE(link_rss), 'eval(') +\r\nINSTR(LCASE(link_url), 'javascript:') >0\r\n"\n$ptab assigned unsafely at line 282:\n $ptab=$pre.'links'\n$ptab assigned unsafely at line 232:\n $ptab=$pre.'comments'\n$ptab assigned unsafely at line 181:\n $ptab=$pre.'posts' | 299:19 | Security |
| ERROR | WordPress.DB.PreparedSQL.NotPrepared | Use placeholders and $wpdb->prepare(); found $sql | 299:32 | Security |
| ERROR | WordPress.Security.EscapeOutput.OutputNotEscaped | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"found possible problems in links ($reason) ID:"'. | 318:18 | Security |
| ERROR | WordPress.Security.EscapeOutput.OutputNotEscaped | All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$myrow'. | 318:68 | Security |
| ERROR | PluginCheck.Security.DirectDB.UnescapedDBParameter | Unescaped parameter $sql used in $wpdb->get_results($sql)\n$sql assigned unsafely at line 328:\n $sql="select ID,user_login,user_nicename,user_email,user_url,display_name \r\nfrom $ptab where \r\nINSTR(LCASE(user_login), '<script') +\r\nINSTR(LCASE(user_nicename), '<script') +\r\nINSTR(LCASE(user_email), '<script') +\r\nINSTR(LCASE(user_url), '<script') +\r\nINSTR(LCASE(display_name), '<script') +\r\nINSTR(user_login, 'eval(') +\r\nINSTR(user_nicename, 'eval(') +\r\nINSTR(user_email, 'eval(') +\r\nINSTR(user_url, 'eval(') +\r\nINSTR(display_name, 'eval(') +\r\nINSTR(LCASE(user_url), 'javascript:') +\r\nINSTR(LCASE(user_email), 'javascript:')>0\r\n"\n$ptab assigned unsafely at line 326:\n $ptab=$pre.'users'\n$ptab assigned unsafely at line 282:\n $ptab=$pre.'links'\n$ptab assigned unsafely at line 232:\n $ptab=$pre.'comments'\n$ptab assigned unsafely at line 181:\n $ptab=$pre.'posts' | 343:19 | Security |
| 16.11.2025, 06:21:40 | 11s | 85 | 28 | 17 |