codebase-security-scan-20260307_090827.md

Codebase Security Scan Report

Generated: 2026-03-07 09:08:27


Executive Summary

| Metric | Value |
|---|---|
| Projects Scanned | 64 |
| Files Scanned | 23360 |
| Total Issues | 4071 |
| CRITICAL | 3410 |
| HIGH | 116 |
| MEDIUM | 545 |
| LOW | 0 |

Critical Findings

3410 Critical Issues Require Immediate Attention

1. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:282 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "Event ID: " . $data['event_id'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:283 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "Nature: " . $data['nature'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:284 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "Location: " . $data['location'] . "\n\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


4. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:287 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "  Received: " . $data['call_received_time'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


5. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:288 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "  Dispatch: " . $data['first_dispatch_time'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


6. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:289 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "  En-Route: " . $data['first_enroute_time'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


7. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:290 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "  Arrive: " . $data['first_arrive_time'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


8. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:292 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "  Clear: " . $data['last_clear_time'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


9. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:298 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "  " . $unit['unit_id'] . ":\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


10. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:299 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if ($unit['dispatched']) $output .= "    Dispatched: " . $unit['dispatched'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


11. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:300 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if ($unit['enroute']) $output .= "    En-Route: " . $unit['enroute'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


12. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:301 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if ($unit['arrived']) $output .= "    Arrived: " . $unit['arrived'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


13. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if ($unit['at_hospital']) $output .= "    At Hospital: " . $unit['at_hospital'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


14. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:303 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if ($unit['clear']) $output .= "    Clear: " . $unit['clear'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


15. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:310 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "  " . $note['timestamp'] . " - " . $service . $note['note'] . " (" . $note['user'] . ")\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


16. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:282 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "Event ID: " . $data['event_id'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


17. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:283 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "Nature: " . $data['nature'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


18. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:284 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "Location: " . $data['location'] . "\n\n";

Recommendation: Use $wpdb->prepare() with placeholders


19. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:287 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "  Received: " . $data['call_received_time'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


20. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:288 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "  Dispatch: " . $data['first_dispatch_time'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


21. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:289 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "  En-Route: " . $data['first_enroute_time'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


22. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:290 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "  Arrive: " . $data['first_arrive_time'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


23. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:292 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "  Clear: " . $data['last_clear_time'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


24. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:298 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "  " . $unit['unit_id'] . ":\n";

Recommendation: Use $wpdb->prepare() with placeholders


25. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:299 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if ($unit['dispatched']) $output .= "    Dispatched: " . $unit['dispatched'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


26. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:300 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if ($unit['enroute']) $output .= "    En-Route: " . $unit['enroute'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


27. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:301 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if ($unit['arrived']) $output .= "    Arrived: " . $unit['arrived'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


28. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if ($unit['at_hospital']) $output .= "    At Hospital: " . $unit['at_hospital'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


29. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:303 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if ($unit['clear']) $output .= "    Clear: " . $unit['clear'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


30. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/class-cxq-email-relay-pdf-parser.php:310 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "  " . $note['timestamp'] . " - " . $service . $note['note'] . " (" . $note['user'] . ")\n";

Recommendation: Use $wpdb->prepare() with placeholders


31. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


32. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


33. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


34. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


35. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


36. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


37. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


38. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


39. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-email-relay/includes/admin/class-cxq-email-relay-admin.php:569 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$senders = $wpdb->get_results("SELECT * FROM {$table} ORDER BY sender_pattern ASC");

Recommendation: Use $wpdb->prepare() with placeholders


40. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-board-docs/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


41. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-board-docs/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


42. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-board-docs/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


43. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-board-docs/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


44. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-board-docs/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


45. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-board-docs/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


46. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-board-docs/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


47. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-board-docs/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


48. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-gateway-stripe/includes/class-wc-stripe-logger.php:61 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$log_entry .= '====Start Log ' . $formatted_start_time . '====' . "\n" . $message . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


49. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-gateway-stripe/includes/class-wc-stripe-logger.php:65 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$log_entry .= '====Start Log====' . "\n" . $message . "\n" . '====End Log====' . "\n\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


50. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-gateway-stripe/includes/class-wc-stripe-logger.php:61 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$log_entry .= '====Start Log ' . $formatted_start_time . '====' . "\n" . $message . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


51. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-gateway-stripe/includes/class-wc-stripe-logger.php:65 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$log_entry .= '====Start Log====' . "\n" . $message . "\n" . '====End Log====' . "\n\n";

Recommendation: Use $wpdb->prepare() with placeholders


52. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-gateway-stripe/includes/class-wc-stripe-account.php:491 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

WC_Stripe_Logger::log( "Failed to check/reconfigure webhooks for {$mode} mode: " . $e->getMessage() );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


53. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-gateway-stripe/includes/class-wc-stripe-account.php:491 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

WC_Stripe_Logger::log( "Failed to check/reconfigure webhooks for {$mode} mode: " . $e->getMessage() );

Recommendation: Use $wpdb->prepare() with placeholders


54. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/cache.php:174 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

new dBug2("HTTP request failed. Error was: " . $error['message']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


55. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/cache.php:174 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

new dBug2("HTTP request failed. Error was: " . $error['message']);

Recommendation: Use $wpdb->prepare() with placeholders


56. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


57. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


58. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


59. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


60. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


61. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


62. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


63. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:208 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


64. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


65. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


66. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:292 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


67. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


68. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:313 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


69. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:387 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


70. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders


71. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders


72. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


73. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders


74. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


75. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders


76. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders


77. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:208 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


78. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


79. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


80. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:292 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders


81. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders


82. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:313 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders


83. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/dBug.class.php:387 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders


84. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/includes/google-api-php-client-main/src/Http/Batch.php:117 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$content ? "\n" . $content : ''

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


85. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/includes/google-api-php-client-main/src/Http/Batch.php:117 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$content ? "\n" . $content : ''

Recommendation: Use $wpdb->prepare() with placeholders


86. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/includes/google-api-php-client-main/src/Utils/UriTemplate.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$values[] = $pkey . "=" . $pvalue; // Explode triggers = combine.

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


87. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/includes/google-api-php-client-main/src/Utils/UriTemplate.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$values[] = $pkey . "=" . $pvalue; // Explode triggers = combine.

Recommendation: Use $wpdb->prepare() with placeholders


88. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/includes/google-api-php-client--PHP7.4/src/Http/Batch.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$content ? "\n".$content : ''

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


89. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/includes/google-api-php-client--PHP7.4/src/Http/Batch.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$content ? "\n".$content : ''

Recommendation: Use $wpdb->prepare() with placeholders


90. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/includes/google-api-php-client--PHP7.4/src/Utils/UriTemplate.php:243 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$values[] = $pkey . "=" . $pvalue; // Explode triggers = combine.

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


91. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-cashdrawer/includes/google-api-php-client--PHP7.4/src/Utils/UriTemplate.php:243 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$values[] = $pkey . "=" . $pvalue; // Explode triggers = combine.

Recommendation: Use $wpdb->prepare() with placeholders


92. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/uninstall.php:37 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DROP TABLE IF EXISTS " . $wpdb->prefix . "wcpv_commissions" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


93. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/uninstall.php:38 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DROP TABLE IF EXISTS " . $wpdb->prefix . "wcpv_per_product_shipping_rules" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


94. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/uninstall.php:37 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DROP TABLE IF EXISTS " . $wpdb->prefix . "wcpv_commissions" );

Recommendation: Use $wpdb->prepare() with placeholders


95. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/uninstall.php:38 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DROP TABLE IF EXISTS " . $wpdb->prefix . "wcpv_per_product_shipping_rules" );

Recommendation: Use $wpdb->prepare() with placeholders


96. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/class-wc-product-vendors-commission.php:177 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$commissions = $wpdb->get_results( "SELECT DISTINCT `id`, `order_id`, `order_item_id`, `vendor_id`, `total_commission_amount` FROM {$this->table_name} WHERE `id` IN ( $commission_ids ) AND `commission_status` = 'unpaid'" );

Recommendation: Use $wpdb->prepare() with placeholders


97. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/class-wc-product-vendors-commission.php:229 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$commissions = $wpdb->get_results( "SELECT DISTINCT `id`, `order_id` FROM {$this->table_name} WHERE `commission_status` = 'unpaid'" );

Recommendation: Use $wpdb->prepare() with placeholders


98. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/class-wc-product-vendors-commission.php:262 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$commissions = $wpdb->get_results( "SELECT * FROM {$this->table_name} WHERE `commission_status` = 'unpaid'" );

Recommendation: Use $wpdb->prepare() with placeholders


99. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/class-wc-product-vendors-logger.php:41 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$log_entry  = '====Start Log ' . $formatted_start_time . '====' . "\n" . $message . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


100. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/class-wc-product-vendors-logger.php:46 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$log_entry = '====Start Log====' . "\n" . $message . "\n" . '====End Log====' . "\n\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


101. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/class-wc-product-vendors-logger.php:41 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$log_entry  = '====Start Log ' . $formatted_start_time . '====' . "\n" . $message . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


102. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/class-wc-product-vendors-logger.php:46 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$log_entry = '====Start Log====' . "\n" . $message . "\n" . '====End Log====' . "\n\n";

Recommendation: Use $wpdb->prepare() with placeholders


103. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/class-wc-product-vendors-install.php:295 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wcpv_commissions DROP PRIMARY KEY, ADD `id` bigint(20) NOT NULL PRIMARY KEY AUTO_INCREMENT;" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


104. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/class-wc-product-vendors-install.php:304 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wcpv_per_product_shipping_rules DROP PRIMARY KEY, ADD `rule_id` bigint(20) NOT NULL PRIMARY KEY AUTO_INCREMENT;" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


105. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/admin/class-wc-product-vendors-vendor-dashboard.php:270 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<?php printf( __( "%s top seller this month (sold %d)", 'woocommerce-product-vendors' ), "<strong>" . $top_seller_title . "</strong>", $top_seller_qty ); ?>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


106. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/admin/class-wc-product-vendors-vendor-dashboard.php:270 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<?php printf( __( "%s top seller this month (sold %d)", 'woocommerce-product-vendors' ), "<strong>" . $top_seller_title . "</strong>", $top_seller_qty ); ?>

Recommendation: Use $wpdb->prepare() with placeholders


107. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/sample/common.php:182 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "http://localhost" . $relativePath;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


108. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/sample/common.php:182 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "http://localhost" . $relativePath;

Recommendation: Use $wpdb->prepare() with placeholders


109. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConfig.php:238 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new PayPalConfigurationException("Invalid proxy configuration " . $proxy);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


110. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConfig.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->curlOptions[CURLOPT_PROXY] .= ":" . $urlParts["port"];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


111. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConfig.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->curlOptions[CURLOPT_PROXYUSERPWD] = $urlParts["user"] . ":" . $urlParts["pass"];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


112. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConfig.php:238 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new PayPalConfigurationException("Invalid proxy configuration " . $proxy);

Recommendation: Use $wpdb->prepare() with placeholders


113. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConfig.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->curlOptions[CURLOPT_PROXY] .= ":" . $urlParts["port"];

Recommendation: Use $wpdb->prepare() with placeholders


114. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConfig.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->curlOptions[CURLOPT_PROXYUSERPWD] = $urlParts["user"] . ":" . $urlParts["pass"];

Recommendation: Use $wpdb->prepare() with placeholders


115. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConnection.php:145 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->logger->debug(($data && $data != '' ? "Request Data\t\t: " . $data : "No Request Payload") . "\n" . str_repeat('-', 128) . "\n");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


116. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConnection.php:146 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->logger->info("Response Status \t: " . $httpStatus);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


117. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConnection.php:160 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->logger->error("Got Http response code $httpStatus when accessing {$this->httpConfig->getUrl()}. " . $result);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


118. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConnection.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->logger->debug(($result && $result != '' ? "Response Data \t: " . $result : "No Response Body") . "\n\n" . str_repeat('=', 128) . "\n");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


119. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConnection.php:145 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->logger->debug(($data && $data != '' ? "Request Data\t\t: " . $data : "No Request Payload") . "\n" . str_repeat('-', 128) . "\n");

Recommendation: Use $wpdb->prepare() with placeholders


120. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConnection.php:146 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->logger->info("Response Status \t: " . $httpStatus);

Recommendation: Use $wpdb->prepare() with placeholders


121. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConnection.php:160 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->logger->error("Got Http response code $httpStatus when accessing {$this->httpConfig->getUrl()}. " . $result);

Recommendation: Use $wpdb->prepare() with placeholders


122. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConnection.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->logger->debug(($result && $result != '' ? "Response Data \t: " . $result : "No Response Body") . "\n\n" . str_repeat('=', 128) . "\n");

Recommendation: Use $wpdb->prepare() with placeholders


123. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Common/ReflectionUtil.php:102 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new \RuntimeException("Property type of " . $class . "::{$propertyName} cannot be resolved");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


124. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Common/ReflectionUtil.php:102 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new \RuntimeException("Property type of " . $class . "::{$propertyName} cannot be resolved");

Recommendation: Use $wpdb->prepare() with placeholders


125. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Api/OpenIdTokeninfo.php:200 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

'Authorization' => 'Basic ' . base64_encode($clientId . ":" . $clientSecret)

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


126. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Api/OpenIdTokeninfo.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

'Authorization' => 'Basic ' . base64_encode($clientId . ":" . $clientSecret)

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


127. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Api/OpenIdTokeninfo.php:200 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

'Authorization' => 'Basic ' . base64_encode($clientId . ":" . $clientSecret)

Recommendation: Use $wpdb->prepare() with placeholders


128. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Api/OpenIdTokeninfo.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

'Authorization' => 'Basic ' . base64_encode($clientId . ":" . $clientSecret)

Recommendation: Use $wpdb->prepare() with placeholders


129. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Api/OpenIdUserinfo.php:527 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

'Authorization' => "Bearer " . $params['access_token'],

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


130. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Api/OpenIdUserinfo.php:527 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

'Authorization' => "Bearer " . $params['access_token'],

Recommendation: Use $wpdb->prepare() with placeholders


131. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Handler/RestHandler.php:82 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$httpConfig->addHeader('Authorization', "Bearer " . $credential->getAccessToken($config), false);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


132. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Handler/RestHandler.php:82 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$httpConfig->addHeader('Authorization', "Bearer " . $credential->getAccessToken($config), false);

Recommendation: Use $wpdb->prepare() with placeholders


133. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Handler/OauthHandler.php:57 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"Authorization" => "Basic " . base64_encode($options['clientId'] . ":" . $options['clientSecret']),

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


134. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Handler/OauthHandler.php:57 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"Authorization" => "Basic " . base64_encode($options['clientId'] . ":" . $options['clientSecret']),

Recommendation: Use $wpdb->prepare() with placeholders


135. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Log/PayPalLogger.php:80 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("[" . date('d-m-Y h:i:s') . "] " . $this->loggerName . " : " . strtoupper($level) . ": $message\n", 3, $this->loggerFile);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


136. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/gateways/paypal-php-sdk/paypal/rest-api-sdk-php/lib/PayPal/Log/PayPalLogger.php:80 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("[" . date('d-m-Y h:i:s') . "] " . $this->loggerName . " : " . strtoupper($level) . ": $message\n", 3, $this->loggerFile);

Recommendation: Use $wpdb->prepare() with placeholders


137. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/admin/updates/wc-product-vendors-update-2.0.0.php:141 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->prefix}woocommerce_order_itemmeta WHERE `meta_key` = '_commission'" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


138. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/admin/reports/store/class-wc-product-vendors-store-report-sales-by-date.php:107 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql            .= " AND DATE( commission.order_date ) BETWEEN '" . $start_date . "' AND '" . $end_date . "'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


139. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/admin/reports/store/class-wc-product-vendors-store-report-sales-by-date.php:341 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql            .= " AND DATE( commission.order_date ) BETWEEN '" . $start_date . "' AND '" . $end_date . "'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


140. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/admin/reports/store/class-wc-product-vendors-store-report-sales-by-date.php:107 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql            .= " AND DATE( commission.order_date ) BETWEEN '" . $start_date . "' AND '" . $end_date . "'";

Recommendation: Use $wpdb->prepare() with placeholders


141. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/includes/admin/reports/store/class-wc-product-vendors-store-report-sales-by-date.php:341 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql            .= " AND DATE( commission.order_date ) BETWEEN '" . $start_date . "' AND '" . $end_date . "'";

Recommendation: Use $wpdb->prepare() with placeholders


142. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/templates/emails/plain/product-added-notice.php:13 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "= " . $email_heading . " =\n\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


143. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/templates/emails/plain/product-added-notice.php:13 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "= " . $email_heading . " =\n\n";

Recommendation: Use $wpdb->prepare() with placeholders


144. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/templates/emails/plain/vendor-registration-email-to-admin.php:13 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "= " . $email_heading . " =\n\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


145. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/templates/emails/plain/vendor-registration-email-to-admin.php:13 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "= " . $email_heading . " =\n\n";

Recommendation: Use $wpdb->prepare() with placeholders


146. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/templates/emails/plain/order-note-to-customer.php:13 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "= " . $email_heading . " =\n\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


147. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/templates/emails/plain/order-note-to-customer.php:13 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "= " . $email_heading . " =\n\n";

Recommendation: Use $wpdb->prepare() with placeholders


148. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/templates/emails/plain/cancelled-order-email-to-vendor.php:15 CWE: CWE-89 Confidence: HIGH

Description: Plain-text email template that concatenates $email_heading into an echoed line. No SQL statement is built here; the scanner matched the concatenation operator alone, so CWE-89 does not apply.

Code:

echo "= " . $email_heading . " =\n\n";

Recommendation: $wpdb->prepare() applies to queries, not to echoed output. Close as a false positive for SQL injection.


150. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/templates/emails/plain/vendor-approval.php:20 CWE: CWE-89 Confidence: HIGH

Description: Plain-text email template that concatenates $email_heading into an echoed line. No SQL statement is built here; the scanner matched the concatenation operator alone, so CWE-89 does not apply.

Code:

echo "= " . $email_heading . " =\n\n";

Recommendation: $wpdb->prepare() applies to queries, not to echoed output. Close as a false positive for SQL injection.


152. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/templates/emails/plain/vendor-registration-email-to-vendor.php:13 CWE: CWE-89 Confidence: HIGH

Description: Plain-text email template that concatenates $email_heading into an echoed line. No SQL statement is built here; the scanner matched the concatenation operator alone, so CWE-89 does not apply.

Code:

echo "= " . $email_heading . " =\n\n";

Recommendation: $wpdb->prepare() applies to queries, not to echoed output. Close as a false positive for SQL injection.


154. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/templates/emails/plain/order-fulfill-status-to-admin.php:15 CWE: CWE-89 Confidence: HIGH

Description: Plain-text email template that concatenates $email_heading into an echoed line. No SQL statement is built here; the scanner matched the concatenation operator alone, so CWE-89 does not apply.

Code:

echo "= " . $email_heading . " =\n\n";

Recommendation: $wpdb->prepare() applies to queries, not to echoed output. Close as a false positive for SQL injection.


156. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/templates/emails/plain/order-email-to-vendor.php:17 CWE: CWE-89 Confidence: HIGH

Description: Plain-text email template that concatenates $email_heading into an echoed line. No SQL statement is built here; the scanner matched the concatenation operator alone, so CWE-89 does not apply.

Code:

echo "= " . $email_heading . " =\n\n";

Recommendation: $wpdb->prepare() applies to queries, not to echoed output. Close as a false positive for SQL injection.
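
The woocommerce-product-vendors template findings above, and the error-message, error_log(), status-message and path findings further down this list, share one shape: a string concatenation with no SQL in it, and most file:line pairs are listed twice. As an added triage helper, not part of this report or of any plugin it names, the PHP below parses entries in the report's own layout, drops repeated file:line pairs, and keeps only lines whose quoted literal begins an SQL statement or is passed straight to a query method. The report excerpt it runs on is constructed from entries on this page; the SQL-verb and query-method lists are my own heuristic, not the scanner's rule.

```php
<?php
declare(strict_types=1);

// Added triage helper (not part of the scan report or of any plugin it lists).
// Parses report entries, drops repeated file:line pairs and keeps only the
// code lines that actually assemble SQL.

const SQL_VERBS = '(?:select|insert|update|delete|replace|create|alter|drop|truncate)';

// Query-method names seen on this page plus the core wpdb ones. A concatenated
// argument to any of these is worth opening even when the literal itself is not SQL.
const QUERY_METHODS = '(?:query|get_results|get_var|get_row|get_col|querySelect|queryWrite|querySingle|querySingleRec)';

/** True when the flagged line starts an SQL statement or feeds a query method. */
function builds_sql(string $code): bool
{
    if (preg_match('/["\']\s*' . SQL_VERBS . '\b/i', $code)) {
        return true;
    }
    return (bool) preg_match('/->' . QUERY_METHODS . '\s*\(/', $code);
}

/**
 * Parse entries in the report's layout: a "File: <path>:<line> CWE: ..." line,
 * then "Code:" followed (after a blank line) by one line of code.
 * Returns one ['file' => ..., 'line' => ..., 'code' => ...] array per entry.
 */
function parse_entries(string $report): array
{
    $entries = [];
    $current = null;
    $expectCode = false;
    foreach (preg_split('/\R/', $report) as $line) {
        $line = trim($line);
        if (preg_match('/^File:\s+(\S+):(\d+)\b/', $line, $m)) {
            $current = ['file' => $m[1], 'line' => (int) $m[2], 'code' => ''];
            $expectCode = false;
            continue;
        }
        if ($current === null) {
            continue;
        }
        if ($line === 'Code:') {
            $expectCode = true;
            continue;
        }
        if ($expectCode && $line !== '') {
            $current['code'] = $line;
            $entries[] = $current;
            $current = null;
            $expectCode = false;
        }
    }
    return $entries;
}

/** Deduplicate on file:line, then split into lines that build SQL and lines that do not. */
function triage(array $entries): array
{
    $seen = [];
    $result = ['sql' => [], 'not_sql' => [], 'duplicates' => 0];
    foreach ($entries as $e) {
        $key = $e['file'] . ':' . $e['line'];
        if (isset($seen[$key])) {
            $result['duplicates']++;
            continue;
        }
        $seen[$key] = true;
        $result[builds_sql($e['code']) ? 'sql' : 'not_sql'][] = $key;
    }
    return $result;
}

// Constructed sample: four entries from this page, one of them listed twice as in the report.
$sample = <<<'REPORT'
File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/templates/emails/plain/vendor-registration-email-to-admin.php:13 CWE: CWE-89 Confidence: HIGH
Description: Possible SQL injection via string concatenation
Code:

echo "= " . $email_heading . " =\n\n";

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-vendors/templates/emails/plain/vendor-registration-email-to-admin.php:13 CWE: CWE-89 Confidence: HIGH
Code:

echo "= " . $email_heading . " =\n\n";

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:564 CWE: CWE-89 Confidence: HIGH
Code:

$this->getDB()->queryWrite("delete from " . $this->issuesTable . " where id=%d", $id);

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:628 CWE: CWE-89 Confidence: HIGH
Code:

error_log("Issue has bad status: " . $i['status']);

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:2046 CWE: CWE-89 Confidence: HIGH
Code:

$row = $db->querySingleRec("select IP, ctime, failed from " . $locsTable . " where IP={$ipHex}");
REPORT;

$summary = triage(parse_entries($sample));
printf("sql: %d  not_sql: %d  duplicates: %d\n",
    count($summary['sql']), count($summary['not_sql']), $summary['duplicates']);
foreach ($summary['sql'] as $key) {
    echo "  review: $key\n";
}
```

Run it with php from the command line. The filter is deliberately loose: a literal that happens to start with a word such as "update" in an email subject still passes, and a query assembled across several lines is judged only by the one line the report quotes. Its job is to cut the list to the lines worth opening, not to prove the remainder safe.
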


158. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceURLHoover.php:162 CWE: CWE-89 Confidence: HIGH

Description: Builds the INSERT prefix with the table name taken from $this->table, a property of the class rather than request input. The VALUES rows are appended on later lines that the report does not show, so the excerpt alone can neither confirm nor rule out injection.

Code:

$sql = "INSERT INTO " . $this->table . " (owner, host, path, hostKey) VALUES ";

Recommendation: $wpdb->prepare() binds values, not identifiers; the table name needs the %i placeholder (WordPress 6.2 and later) or an allow-list check. Review the lines that append each host and path and confirm they are escaped or bound before keeping this at CRITICAL.


159. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceURLHoover.php:261 CWE: CWE-89 Confidence: HIGH

Description: Assigns a diagnostic string containing a received length to $this->errorMsg. Nothing on this line is sent to the database.

Code:

$this->errorMsg = "Invalid data length received from Wordfence server: " . $dataLen;

Recommendation: Close as a false positive for CWE-89. If the message is later persisted, the write site is where placeholders apply.


160. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceURLHoover.php:267 CWE: CWE-89 Confidence: HIGH

Description: Assigns a diagnostic string that embeds the HTTP status and response body returned by the Wordfence server. No SQL is built on this line.

Code:

$this->errorMsg = "Wordfence server responded with an error. HTTP code " . $resp['code'] . " and data: " . $resp['data'];

Recommendation: Close as a false positive for CWE-89. The message carries untrusted response data, so the only check worth making is that it is escaped wherever it is displayed.


164. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:145 CWE: CWE-89 Confidence: HIGH

Description: Passes a status message to wordfence::status(); the concatenation builds the message text, not a query. The status writer at wfLog.php:763 (finding 199) binds the message with a placeholder.

Code:

wordfence::status(10, 'info', "SUM_PAIDONLY:" . $message);

Recommendation: Close as a false positive for CWE-89.


165. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:150 CWE: CWE-89 Confidence: HIGH

Description: Passes a status message to wordfence::status(); the concatenation builds the message text, not a query. The status writer at wfLog.php:763 (finding 199) binds the message with a placeholder.

Code:

wordfence::status(10, 'info', "SUM_DISABLED:" . $message);

Recommendation: Close as a false positive for CWE-89.


166. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:375 CWE: CWE-89 Confidence: HIGH

Description: Static SELECT whose only variable part is the table name from $this->issuesTable, a property of the object; the WHERE clause is literal and nothing comes from request input.

Code:

$result = $this->getDB()->querySelect("SELECT id from " . $this->issuesTable . " where status='ignoreP' or status='ignoreC'");

Recommendation: No value placeholders are needed. Bind the table name with %i where the plugin's minimum WordPress version is 6.2 or later; otherwise confirm $this->issuesTable is $wpdb->prefix plus a constant, and downgrade from CRITICAL.


167. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:383 CWE: CWE-89 Confidence: HIGH

Description: Static DELETE with a literal WHERE clause; the only concatenated part is the table name from $this->issuesTable, a property of the object.

Code:

$this->getDB()->queryWrite("delete from " . $this->issuesTable . " where status='ignoreP' or status='ignoreC'");

Recommendation: No value placeholders are needed. Treat the table identifier as in finding 166 (bind with %i on WordPress 6.2 and later, or confirm it is prefix plus constant) and downgrade.


168. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:411 CWE: CWE-89 Confidence: HIGH

Description: Static UPDATE with literal SET and WHERE clauses; the only concatenated part is the table name from $this->issuesTable.

Code:

$this->getDB()->queryWrite("update " . $this->issuesTable . " set status='ignoreC' where status='new'");

Recommendation: No value placeholders are needed. Treat the table identifier as in finding 166 and downgrade.


169. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:564 CWE: CWE-89 Confidence: HIGH

Description: The id is already passed as a %d placeholder argument to the queryWrite() wrapper; only the table name is concatenated. The scanner did not distinguish placeholder arguments from raw interpolation.

Code:

$this->getDB()->queryWrite("delete from " . $this->issuesTable . " where id=%d", $id);

Recommendation: Value binding is in place. Bind the table name with %i (WordPress 6.2 and later) or confirm it is prefix plus constant, then downgrade.


170. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:566 CWE: CWE-89 Confidence: HIGH

Description: Both values are bound, status through '%s' and id through %d; the table name is the only concatenated part.

Code:

$this->getDB()->queryWrite("update " . $this->issuesTable . " set status='%s' where id=%d", $status, $id);

Recommendation: Value binding is in place. wpdb::prepare() adds its own quotes around %s, so if the wrapper forwards this string to prepare() the documented form is an unquoted %s. Bind or allow-list the table name and downgrade.


171. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:577 CWE: CWE-89 Confidence: HIGH

Description: The id is bound with %d; the table name from an object property is the only concatenated part.

Code:

$rec = $this->getDB()->querySingleRec("select * from " . $this->issuesTable . " where id=%d", $id);

Recommendation: Value binding is in place. Treat the table identifier as in finding 166 and downgrade.


172. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:615 CWE: CWE-89 Confidence: HIGH

Description: Offset and limit are bound with %d placeholders and the table name comes from a property, but {$sortTagging} is interpolated directly into the SELECT list. The report does not show where $sortTagging is built, so its origin is the one thing on this line that needs checking.

Code:

$q1 = $this->getDB()->querySelect("SELECT *, {$sortTagging} AS sortTag FROM " . $this->issuesTable . " WHERE status = 'new' ORDER BY severity DESC, sortTag ASC, type ASC, time DESC LIMIT %d,%d", $offset, $limit);

Recommendation: Confirm $sortTagging is assembled from literals in this method and not from request parameters. Column expressions cannot be bound with value placeholders, so an allow-list of permitted expressions is the fix if it is ever variable.


173. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:616 CWE: CWE-89 Confidence: HIGH

Description: Same construction as the previous finding: offset and limit are bound with %d, the table name is a property, and {$sortTagging} is interpolated into the SELECT list without the report showing its origin.

Code:

$q2 = $this->getDB()->querySelect("SELECT *, {$sortTagging} AS sortTag FROM " . $this->issuesTable . " WHERE status = 'ignoreP' OR status = 'ignoreC' ORDER BY severity DESC, sortTag ASC, type ASC, time DESC LIMIT %d,%d", $ignoredOffset, $ignoredLimit);

Recommendation: Confirm $sortTagging is built from literals; value placeholders cannot bind a column expression, so allow-list it if it is ever variable.


174. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:628 CWE: CWE-89 Confidence: HIGH

Description: Writes an issue status value to the PHP error log. No SQL is involved.

Code:

error_log("Issue has bad status: " . $i['status']);

Recommendation: Close as a false positive for CWE-89.


175. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:704 CWE: CWE-89 Confidence: HIGH

Description: COUNT query with a literal WHERE clause; the only concatenated part is the table name from an object property.

Code:

return (int) $this->getDB()->querySingle("select COUNT(*) from " . $this->issuesTable . " WHERE status = 'new'");

Recommendation: No value placeholders are needed. Treat the table identifier as in finding 166 and downgrade.


176. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:707 CWE: CWE-89 Confidence: HIGH

Description: COUNT query with a literal WHERE clause; the only concatenated part is the table name from $this->pendingIssuesTable.

Code:

return (int) $this->getDB()->querySingle("select COUNT(*) from " . $this->pendingIssuesTable . " WHERE status = 'new'");

Recommendation: No value placeholders are needed. Treat the table identifier as in finding 166 and downgrade.


177. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfIssues.php:710 CWE: CWE-89 Confidence: HIGH

Description: MAX query with no WHERE clause; the only concatenated part is the table name from an object property.

Code:

return (int) $this->getDB()->querySingle("select MAX(lastUpdated) from " . $this->issuesTable);

Recommendation: No value placeholders are needed. Treat the table identifier as in finding 166 and downgrade.


192. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfCache.php:98 CWE: CWE-89 Confidence: HIGH

Description: Builds the error text recorded when a recursive delete fails, from a directory name, a file name and the last OS error. Nothing here is sent to the database.

Code:

self::$lastRecursiveDeleteError = "Could not delete file " . $dir . "/" . $file . " : " . wfUtils::getLastError();

Recommendation: Close as a false positive for CWE-89.


194. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfSchema.php:276 CWE: CWE-89 Confidence: HIGH

Description: DDL that creates a table from a name passed through wfDB::networkTable() and a column definition string $def. Both appear to be parameters of the schema installer; the report does not show the callers.

Code:

$this->db->queryWrite("CREATE TABLE IF NOT EXISTS " . wfDB::networkTable($table) . " " . $def);

Recommendation: $wpdb->prepare() cannot bind identifiers or column definitions in a CREATE TABLE, so the recommendation does not apply. Confirm the callers pass only constants and downgrade.


196. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfLog.php:87 CWE: CWE-89 Confidence: HIGH

Description: DELETE with a literal WHERE clause; the only interpolated part is the table name in {$table}.

Code:

$wpdb->query("DELETE FROM {$table} WHERE `expiration` < UNIX_TIMESTAMP()");

Recommendation: No value placeholders are needed. Bind the table name with %i (WordPress 6.2 and later) or confirm it is $wpdb->prefix plus a constant, and downgrade.


197. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfLog.php:191 CWE: CWE-89 Confidence: HIGH

Description: Seven of the eight columns are bound with placeholders; {$ipHex} is interpolated directly and userID uses an unquoted %s. The report does not show how $ipHex is derived, and the line is cut off before its trailing arguments, so the derivation of $ipHex is what decides whether this line is safe.

Code:

$this->getDB()->queryWrite("insert into " . $this->loginsTable . " (hitID, ctime, fail, action, username, userID, IP, UA) values (%d, %f, %d, '%s', '%s', %s, {$ipHex}, '%s')",

Recommendation: Confirm $ipHex is produced from inet_pton()/bin2hex() of an already validated address, or bind the IP as a value with UNHEX(%s). Check that the argument count matches the placeholders, and bind or allow-list the table name.


198. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfLog.php:707 CWE: CWE-89 Confidence: HIGH

Description: Sets a human-readable action description on the current request record. No SQL is built on this line.

Code:

$this->currentRequest->actionDescription = "blocked: " . $reason;

Recommendation: Close as a false positive for CWE-89. If the record is written later, the write site is where placeholders apply.


199. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfLog.php:763 CWE: CWE-89 Confidence: HIGH

Description: All four values are bound with placeholders; the table name is the only concatenated part.

Code:

$this->getDB()->queryWrite("insert into " . $this->statusTable . " (ctime, level, type, msg) values (%s, %d, '%s', '%s')", sprintf('%.6f', microtime(true)), $level, $type, $msg);

Recommendation: Value binding is in place. The quoted '%s' form is tolerated by wpdb::prepare() but unquoted %s is the documented form. Treat the table identifier as in finding 196 and downgrade.


200. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfLog.php:767 CWE: CWE-89 Confidence: HIGH

Description: SELECT with a literal ORDER BY and LIMIT; the only concatenated part is the table name.

Code:

$lastCtime = $this->getDB()->querySingle("select ctime from " . $this->statusTable . " order by ctime desc limit 1000,1");

Recommendation: No value placeholders are needed. Treat the table identifier as in finding 196 and downgrade.


201. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfLog.php:772 CWE: CWE-89 Confidence: HIGH

Description: The ctime threshold is bound with %f; only the table name is concatenated.

Code:

$results = $this->getDB()->querySelect("select ctime, level, type, msg from " . $this->statusTable . " where ctime > %f order by ctime asc", $lastCtime);

Recommendation: Value binding is in place. Treat the table identifier as in finding 196 and downgrade.


202. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfLog.php:782 CWE: CWE-89 Confidence: HIGH

Description: SELECT with a literal WHERE and LIMIT; only the table name is concatenated.

Code:

$results = $this->getDB()->querySelect("select ctime, level, type, msg from " . $this->statusTable . " where level = 10 order by ctime desc limit 100");

Recommendation: No value placeholders are needed. Treat the table identifier as in finding 196 and downgrade.


209. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfScanEngine.php:1208 CWE: CWE-89 Confidence: HIGH

Description: Literal WHERE clause; the only variable part is the posts table name read from $blog['table']. The report does not show how that array is populated.

Code:

$q1 = $wfdb->querySelect("select ID from " . $blog['table'] . " where post_type IN ('page', 'post') and post_status = 'publish'");

Recommendation: No value placeholders are needed. Confirm $blog['table'] is derived from $wpdb->prefix and the blog id during the scan rather than from a request, or bind it with %i (WordPress 6.2 and later), and downgrade.


210. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfScanEngine.php:1362 CWE: CWE-89 Confidence: HIGH

Description: Literal WHERE clause; the only variable part is the comments table name read from $blog['table'].

Code:

$q1 = $wfdb->querySelect("select comment_ID from " . $blog['table'] . " where comment_approved=1 and not comment_type = 'order_note'");

Recommendation: No value placeholders are needed. Treat $blog['table'] as in finding 209 and downgrade.


211. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfScanEngine.php:1421 CWE: CWE-89 Confidence: HIGH

Description: comment_ID is bound with %d; the comments table name from $blog['table'] is the only concatenated part.

Code:

$comment = $wfdb->querySingleRec("select comment_ID, comment_date, comment_type, comment_author, comment_author_url, comment_content from " . $blog['table'] . " where comment_ID=%d", $commentID);

Recommendation: Value binding is in place. Treat $blog['table'] as in finding 209 and downgrade.


212. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfScanEngine.php:1566 CWE: CWE-89 Confidence: HIGH

Description: Builds a SELECT against the core users table using $wpdb->users, the name WordPress itself sets. Nothing variable or user supplied is involved.

Code:

$query = "select ID from " . $wpdb->users;

Recommendation: Close; this is the normal way to reference a core table.


213. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfScanEngine.php:2359 CWE: CWE-89 Confidence: HIGH

Description: The REGEXP pattern is a literal and the option name is bound with '%s' to the TD_THEME_OPTIONS_NAME constant; the options table name from $blog['table'] is the only concatenated part.

Code:

$q = $wfdb->querySelect("SELECT option_name, option_value FROM " . $blog['table'] . " WHERE option_name REGEXP '^td_[0-9]+$' OR option_name = '%s'", TD_THEME_OPTIONS_NAME);

Recommendation: Value binding is in place. Treat $blog['table'] as in finding 209 and downgrade.


214. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfScanEngine.php:2361 CWE: CWE-89 Confidence: HIGH

Description: Literal REGEXP filter; only the options table name from $blog['table'] is concatenated.

Code:

$q = $wfdb->querySelect("SELECT option_name, option_value FROM " . $blog['table'] . " WHERE option_name REGEXP '^td_[0-9]+$'");

Recommendation: No value placeholders are needed. Treat $blog['table'] as in finding 209 and downgrade.


215. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfScanEngine.php:2737 CWE: CWE-89 Confidence: HIGH

Description: Builds a relative plugin directory path. No SQL is involved.

Code:

$pluginFullDir = "wp-content/plugins/" . $pluginDir;

Recommendation: Close as a false positive for CWE-89.


223. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:1770 CWE: CWE-89 Confidence: HIGH

Description: Writes a memory figure and the caller's file and line to the PHP error log. No SQL is involved.

Code:

error_log("$mem at " . $caller['file'] . " line " . $caller['line']);

Recommendation: Close as a false positive for CWE-89.


224. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:1776 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Caller for " . $caller['file'] . " line " . $caller['line'] . " is " . $c2['file'] . ' line ' . $c2['line']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


225. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:2046 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$row = $db->querySingleRec("select IP, ctime, failed, city, region, countryName, countryCode, lat, lon, unix_timestamp() - ctime as age from " . $locsTable . " where IP={$ipHex}");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


226. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:2050 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db->queryWrite("delete from " . $locsTable . " where IP={$ipHex}");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


227. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:2102 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db->queryWrite("insert IGNORE into " . $locsTable . " (IP, ctime, failed) values ({$ipHex}, unix_timestamp(), 1)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


228. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:2109 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db->queryWrite("insert IGNORE into " . $locsTable . " (IP, ctime, failed, city, region, countryName, countryCode, lat, lon) values ({$ipHex}, unix_timestamp(), 0, '%s', '%s', '%s', '%s', %s, %s)",

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


229. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:2143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$host = $db->querySingle("select host from " . $reverseTable . " where IP={$ipHex} and unix_timestamp() - lastUpdate < %d", WORDFENCE_REVERSE_LOOKUP_CACHE_TIME);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


230. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:2168 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db->queryWrite("insert into " . $reverseTable . " (IP, host, lastUpdate) values ({$ipHex}, '%s', unix_timestamp()) ON DUPLICATE KEY UPDATE host='%s', lastUpdate=unix_timestamp()", $host, $host);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


231. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:2648 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

file_put_contents($htaccess, trim($code) . "\n" . $content, LOCK_EX);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


232. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:1770 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("$mem at " . $caller['file'] . " line " . $caller['line']);

Recommendation: Use $wpdb->prepare() with placeholders


233. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:1776 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Caller for " . $caller['file'] . " line " . $caller['line'] . " is " . $c2['file'] . ' line ' . $c2['line']);

Recommendation: Use $wpdb->prepare() with placeholders


234. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:2046 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$row = $db->querySingleRec("select IP, ctime, failed, city, region, countryName, countryCode, lat, lon, unix_timestamp() - ctime as age from " . $locsTable . " where IP={$ipHex}");

Recommendation: Use $wpdb->prepare() with placeholders


235. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:2050 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db->queryWrite("delete from " . $locsTable . " where IP={$ipHex}");

Recommendation: Use $wpdb->prepare() with placeholders


236. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:2102 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db->queryWrite("insert IGNORE into " . $locsTable . " (IP, ctime, failed) values ({$ipHex}, unix_timestamp(), 1)");

Recommendation: Use $wpdb->prepare() with placeholders


237. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:2109 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db->queryWrite("insert IGNORE into " . $locsTable . " (IP, ctime, failed, city, region, countryName, countryCode, lat, lon) values ({$ipHex}, unix_timestamp(), 0, '%s', '%s', '%s', '%s', %s, %s)",

Recommendation: Use $wpdb->prepare() with placeholders


238. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:2143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$host = $db->querySingle("select host from " . $reverseTable . " where IP={$ipHex} and unix_timestamp() - lastUpdate < %d", WORDFENCE_REVERSE_LOOKUP_CACHE_TIME);

Recommendation: Use $wpdb->prepare() with placeholders


239. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:2168 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db->queryWrite("insert into " . $reverseTable . " (IP, host, lastUpdate) values ({$ipHex}, '%s', unix_timestamp()) ON DUPLICATE KEY UPDATE host='%s', lastUpdate=unix_timestamp()", $host, $host);

Recommendation: Use $wpdb->prepare() with placeholders


240. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfUtils.php:2648 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

file_put_contents($htaccess, trim($code) . "\n" . $content, LOCK_EX);

Recommendation: Use $wpdb->prepare() with placeholders


241. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfDB.php:231 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$whereExpressions[] = "{$column} = " . $getBinding($value);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


242. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfDB.php:231 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$whereExpressions[] = "{$column} = " . $getBinding($value);

Recommendation: Use $wpdb->prepare() with placeholders


243. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:501 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$configTable} ADD COLUMN autoload ENUM('no', 'yes') NOT NULL DEFAULT 'yes'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


244. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:502 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("UPDATE {$configTable} SET autoload = 'no' WHERE name = 'wfsd_engine' OR name LIKE 'wordfence_chunked_%'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


245. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:691 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE `{$snipCacheTable}` ADD `type` INT  UNSIGNED  NOT NULL  DEFAULT '0'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


246. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:692 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE `{$snipCacheTable}` ADD INDEX (`type`)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


247. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:705 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$fileModsTable} ADD COLUMN stoppedOnSignature VARCHAR(255) NOT NULL DEFAULT ''");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


248. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:706 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$fileModsTable} ADD COLUMN stoppedOnPosition INT UNSIGNED NOT NULL DEFAULT '0'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


249. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:718 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$blockedIPLogTable} ADD blockType VARCHAR(50) NOT NULL DEFAULT 'generic'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


250. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:719 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$blockedIPLogTable} DROP PRIMARY KEY");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


251. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:720 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$blockedIPLogTable} ADD PRIMARY KEY (IP, unixday, blockType)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


252. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:741 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$fileModsTable} ADD COLUMN `SHAC` BINARY(32) NOT NULL DEFAULT '' AFTER `newMD5`");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


253. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:742 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$fileModsTable} ADD COLUMN `isSafeFile` VARCHAR(1) NOT NULL  DEFAULT '?' AFTER `stoppedOnPosition`");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


254. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:755 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$hooverTable} CHANGE `hostKey` `hostKey` VARBINARY(124) NULL DEFAULT NULL");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


255. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:890 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE `{$issuesTable}` ADD `lastUpdated` INT UNSIGNED NOT NULL AFTER `time`");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


256. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:891 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE `{$issuesTable}` ADD INDEX (`lastUpdated`)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


257. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:892 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE `{$issuesTable}` ADD INDEX (`status`)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


258. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:893 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE `{$issuesTable}` ADD INDEX (`ignoreP`)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


259. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:894 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE `{$issuesTable}` ADD INDEX (`ignoreC`)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


260. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:895 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("UPDATE `{$issuesTable}` SET `lastUpdated` = `time` WHERE `lastUpdated` = 0");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


261. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:897 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE `{$pendingIssuesTable}` ADD `lastUpdated` INT UNSIGNED NOT NULL AFTER `time`");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


262. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:898 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE `{$pendingIssuesTable}` ADD INDEX (`lastUpdated`)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


263. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:899 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE `{$pendingIssuesTable}` ADD INDEX (`status`)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


264. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:900 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE `{$pendingIssuesTable}` ADD INDEX (`ignoreP`)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


265. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:901 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE `{$pendingIssuesTable}` ADD INDEX (`ignoreC`)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


266. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:1103 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("DELETE FROM `{$knownFilesTable}`");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


267. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:1104 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE `{$knownFilesTable}` ADD COLUMN wordpress_path TEXT NOT NULL");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


268. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:1109 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("DELETE FROM `{$fileModsTable}`");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


269. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:1110 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE `{$fileModsTable}` ADD COLUMN real_path TEXT NOT NULL AFTER filename");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


270. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:1114 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$fileModsTable} ALTER COLUMN oldMD5 SET DEFAULT ''");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


271. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:2691 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<input type=\"hidden\" id=\"wordfence_twoFactorUser\" name=\"wordfence_twoFactorUser\" value=\"" . $userID . "\">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


272. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:2692 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<input type=\"hidden\" id=\"wordfence_twoFactorNonce\" name=\"wordfence_twoFactorNonce\" value=\"" . $twoFactorNonce . "\">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


273. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:3565 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$body = "<style>.screen-reader-text{ display: none !important; }</style>This email is the diagnostic from " . site_url() . ".\nThe IP address that requested this was: " . wfUtils::getIP() . "\nTicket Number/Forum Username: " . $_POST['ticket'];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


274. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:5346 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if (@file_put_contents($htaccess, trim($content . "\n" . $change), LOCK_EX) === false) {

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


275. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:5658 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Tested up to " . $finalUsage . " megabytes.\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


276. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:5965 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("DELETE FROM {$table} WHERE `timestamp` < DATE_SUB(NOW(), INTERVAL 1 DAY)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


277. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:6946 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

add_submenu_page("Wordfence", $message, "<strong id=\"wfMenuCallout\" style=\"color: #FCB214;\">" . $message . "</strong>", "activate_plugins", $slug, 'wordfence::_menu_noop');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


278. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:7764 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if (file_put_contents($htaccessPath, "# Added by Wordfence " . date('r') . "\nOptions -Indexes\n\n" . $fileContents, LOCK_EX)) {

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


279. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:8250 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$installError = "<p>" . $e->getMessage() . "</p>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


280. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:8432 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$installError = "<p>" . $e->getMessage() . "</p>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


281. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:8718 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "\n" . $date . $ip . $attackMessage;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


282. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:8751 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"LIMIT " . $limit,

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


283. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:8765 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"ORDER BY id LIMIT " . $limit,

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


284. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:9926 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$updatedHtaccessContent = $beforeWAFBlock . $beforeMod_php . $php5Matches[0][0] . "\n" . $php7Matches[0][0] . "\n" . sprintf("<IfModule mod_php.c>\n\tphp_value auto_prepend_file '%s'\n</IfModule>", $php5Matches[1][0] /* already escaped */) . $afterMod_php . $afterWAFBlock;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


285. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:10095 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$htaccessContent .= "\n\n" . $autoPrependDirective;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


286. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:10136 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$userIniContent .= "\n\n" . $autoPrependIni;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


287. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:829 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$advancedBlocks = $wpdb->get_results("SELECT * FROM {$advancedBlocksTable}", ARRAY_A);

Recommendation: Use $wpdb->prepare() with placeholders


288. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:845 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$throttles = $wpdb->get_results("SELECT * FROM {$throttleTable}", ARRAY_A);

Recommendation: Use $wpdb->prepare() with placeholders


289. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:858 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$lockouts = $wpdb->get_results("SELECT * FROM {$lockoutTable}", ARRAY_A);

Recommendation: Use $wpdb->prepare() with placeholders


290. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:2691 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<input type=\"hidden\" id=\"wordfence_twoFactorUser\" name=\"wordfence_twoFactorUser\" value=\"" . $userID . "\">

Recommendation: Use $wpdb->prepare() with placeholders


291. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:2692 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<input type=\"hidden\" id=\"wordfence_twoFactorNonce\" name=\"wordfence_twoFactorNonce\" value=\"" . $twoFactorNonce . "\">

Recommendation: Use $wpdb->prepare() with placeholders


292. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:3565 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$body = "<style>.screen-reader-text{ display: none !important; }</style>This email is the diagnostic from " . site_url() . ".\nThe IP address that requested this was: " . wfUtils::getIP() . "\nTicket Number/Forum Username: " . $_POST['ticket'];

Recommendation: Use $wpdb->prepare() with placeholders


293. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:5346 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if (@file_put_contents($htaccess, trim($content . "\n" . $change), LOCK_EX) === false) {

Recommendation: Use $wpdb->prepare() with placeholders


294. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:5658 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Tested up to " . $finalUsage . " megabytes.\n";

Recommendation: Use $wpdb->prepare() with placeholders


295. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:6946 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

add_submenu_page("Wordfence", $message, "<strong id=\"wfMenuCallout\" style=\"color: #FCB214;\">" . $message . "</strong>", "activate_plugins", $slug, 'wordfence::_menu_noop');

Recommendation: Use $wpdb->prepare() with placeholders


296. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:7764 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if (file_put_contents($htaccessPath, "# Added by Wordfence " . date('r') . "\nOptions -Indexes\n\n" . $fileContents, LOCK_EX)) {

Recommendation: Use $wpdb->prepare() with placeholders


297. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:8250 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$installError = "<p>" . $e->getMessage() . "</p>";

Recommendation: Use $wpdb->prepare() with placeholders


298. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:8432 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$installError = "<p>" . $e->getMessage() . "</p>";

Recommendation: Use $wpdb->prepare() with placeholders


299. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:8718 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "\n" . $date . $ip . $attackMessage;

Recommendation: Use $wpdb->prepare() with placeholders


300. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:8751 CWE: CWE-89 Confidence: HIGH

Description: $limit is concatenated directly into a LIMIT clause, so this line is a genuine SQL sink. LIMIT takes a bare integer; a quoted %s placeholder would produce invalid SQL (LIMIT '10' is a syntax error), which is the usual reason such clauses are left as concatenation. Whether $limit can be influenced by a request is not determined by this scan and must be confirmed by tracing its origin.

Code:

"LIMIT " . $limit,

Recommendation: Use $wpdb->prepare() with a %d placeholder for the LIMIT value, or cast $limit with (int) before concatenating it.


301. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:8765 CWE: CWE-89 Confidence: HIGH

Description: As in the preceding finding, $limit is concatenated into a LIMIT clause; the ORDER BY id part is a fixed column and carries no risk. This is a real SQL sink whose exposure depends on where $limit comes from, which the scan does not trace.

Code:

"ORDER BY id LIMIT " . $limit,

Recommendation: Bind the LIMIT value with a %d placeholder through $wpdb->prepare(), or cast it with (int) before concatenation.


302. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:9926 CWE: CWE-89 Confidence: HIGH

Description: Reassembles an .htaccess file around the plugin's WAF block, inserting a php_value auto_prepend_file directive via sprintf(); this is file content, not SQL. False positive for CWE-89.

Code:

$updatedHtaccessContent = $beforeWAFBlock . $beforeMod_php . $php5Matches[0][0] . "\n" . $php7Matches[0][0] . "\n" . sprintf("<IfModule mod_php.c>\n\tphp_value auto_prepend_file '%s'\n</IfModule>", $php5Matches[1][0] /* already escaped */) . $afterMod_php . $afterWAFBlock;

Recommendation: Close as a false positive for SQL injection. The line writes PHP configuration into .htaccess, consistent with the WAF auto-prepend setup the surrounding variable names describe. The value interpolated into the directive is taken from an existing directive that the code comments as "already escaped"; if this file is reviewed further, the item to verify is that comment, not query escaping.


303. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:10095 CWE: CWE-89 Confidence: HIGH

Description: Appends an auto_prepend_file directive to .htaccess content; file assembly, not SQL. False positive for CWE-89.

Code:

$htaccessContent .= "\n\n" . $autoPrependDirective;

Recommendation: Close as a false positive for SQL injection. Since auto_prepend_file causes PHP to execute the named file before every script, confirm that $autoPrependDirective is built from a path the plugin controls; that check lies outside the flagged line.


304. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceClass.php:10136 CWE: CWE-89 Confidence: HIGH

Description: Appends an auto_prepend_file setting to .user.ini content; the same file-assembly pattern as the preceding finding, not SQL. False positive for CWE-89.

Code:

$userIniContent .= "\n\n" . $autoPrependIni;

Recommendation: Close as a false positive for SQL injection. As with the .htaccess variant, the relevant check is that $autoPrependIni names a file the plugin controls, because PHP will prepend it to every request.


305. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfDiagnostic.php:721 CWE: CWE-89 Confidence: HIGH

Description: Builds a diagnostic message from an HTTP response code and reason phrase; text for display, not a query. False positive for CWE-89.

Code:

$message = __('wp_remote_post() test to noc1.wordfence.com failed! Response was: ', 'wordfence') . $result['response']['code'] . " " . $result['response']['message'] . "\n";

Recommendation: Close as a false positive for SQL injection; no change to this line.


306. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfDiagnostic.php:762 CWE: CWE-89 Confidence: HIGH

Description: Builds the plain-text variant of a diagnostic message from an HTTP response code and reason phrase; not a query. False positive for CWE-89.

Code:

$messageTextOnly = __('wp_remote_post() test back to this server failed! Response was: ', 'wordfence') . "\n" . $result['response']['code'] . ' ' . $result['response']['message'] . "\n\n";

Recommendation: Close as a false positive for SQL injection; no change to this line.


309. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wordfenceScanner.php:353 CWE: CWE-89 Confidence: HIGH

Description: The flagged line begins with // and is therefore a comment that never executes; even uncommented it would build a status-log message, not a query. False positive for CWE-89.

Code:

//wordfence::status(4, 'info', "Searching for malware scan resume point (". $stoppedOnSignature . ") at rule " . $rule[0]);

Recommendation: Close as a false positive for SQL injection. Configure the scanner to skip comment lines; entries like this inflate the CRITICAL count without describing any reachable code.


311. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfConfig.php:303 CWE: CWE-89 Confidence: HIGH

Description: The only dynamic part of this query is {$table}, an identifier. $wpdb->prepare() value placeholders (%s, %d) cannot bind a table name: %s would quote it as a string literal and break the statement. The exposure depends entirely on how $table is derived; if it is $wpdb->prefix plus a fixed suffix, no attacker-controlled data reaches the query. The WHERE clause compares against the literal 'yes'.

Code:

if (!($rawOptions = $wpdb->get_results("SELECT name, val FROM {$table} WHERE autoload = 'yes'"))) {

Recommendation: Confirm that $table is built from $wpdb->prefix and a constant suffix and record that in triage. On WordPress 6.2 and later the %i identifier placeholder can bind the table name through $wpdb->prepare(); on older versions keep the interpolation and restrict the suffix to a fixed allow-list.


312. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfConfig.php:304 CWE: CWE-89 Confidence: HIGH

Description: Identifier-only query: {$table} is the sole interpolation and there is no WHERE clause. Value placeholders cannot bind a table name, so this is not fixable with %s; the risk is determined by the provenance of $table.

Code:

$rawOptions = $wpdb->get_results("SELECT name, val FROM {$table}");

Recommendation: Confirm $table derives from $wpdb->prefix and a constant suffix. Use the %i identifier placeholder on WordPress 6.2+, otherwise document the provenance and close.


313. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/lib/wfConfig.php:628 CWE: CWE-89 Confidence: HIGH

Description: {$keysINClause} is an IN list of option names interpolated into the query, alongside the {$table} identifier. This is a real SQL sink; it is safe only if every element of the list was individually escaped when the clause was built, which happens outside the flagged line. A single %s placeholder cannot represent a variable-length list, which is the usual reason such clauses end up concatenated.

Code:

$rows = $wpdb->get_results("SELECT name, val, autoload FROM {$table} WHERE name IN ({$keysINClause})", ARRAY_A);

Recommendation: Build the IN list as one %s placeholder per key (implode(', ', array_fill(0, count($keys), '%s'))) and pass the keys to $wpdb->prepare() as arguments. Handle the table identifier by confirming its provenance or binding it with %i on WordPress 6.2+.


314. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/modules/login-security/classes/utility/multisite.php:35 CWE: CWE-89 Confidence: HIGH

Description: {$blogIdsQuery} is an IN list of blog IDs interpolated into a query against the core $wpdb->blogs table. Blog IDs are integers, so the list is safe if each element was cast to int when the clause was assembled; that construction is outside the flagged line and is not verified by this scan.

Code:

return $wpdb->get_results("SELECT * FROM {$wpdb->blogs} WHERE blog_id IN ({$blogIdsQuery}) AND archived = 0 AND spam = 0 AND deleted = 0");

Recommendation: Cast each ID with (int) and bind the list with one %d placeholder per element through $wpdb->prepare(). $wpdb->blogs is a core table-name property and needs no further handling.


315. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/modules/login-security/classes/utility/multisite.php:38 CWE: CWE-89 Confidence: HIGH

Description: The query contains no dynamic values; {$wpdb->blogs} is WordPress's own table-name property and every comparison is against a literal. False positive for CWE-89.

Code:

return $wpdb->get_results("SELECT * FROM {$wpdb->blogs} WHERE archived = 0 AND spam = 0 AND deleted = 0");

Recommendation: Close as a false positive; there is nothing for $wpdb->prepare() to bind.


316. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/wordfence/modules/login-security/classes/model/2fainitializationdata.php:33 CWE: CWE-798 Confidence: HIGH

Description: The hardcoded-credential pattern matched the literal "secret=" in an otpauth://totp/ URI. The secret itself is returned at runtime by $this->get_base32_secret(), and the label and issuer are derived from home_url() and the user's login; no credential is embedded in the source. CWE-798 does not apply.

Code:

return "otpauth://totp/" . rawurlencode(preg_replace('~^https?://(?:www\.)?~i', '', home_url()) . ':' . $this->user->user_login) . '?secret=' . $this->get_base32_secret() . '&algorithm=SHA1&digits=6&period=30&issuer=' . rawurlencode(preg_replace('~^https?://(?:www\.)?~i', '', home_url()));

Recommendation: Close as a false positive. The questions that do matter for this code sit outside the flagged line: that each user's TOTP secret is generated from a cryptographically secure random source, that it is stored with the same protection as other authentication secrets, and that the URI is shown only to the enrolling user.

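Added illustration for the finding above, written for this report and not taken from Wordfence: what a hardcoded credential in the CWE-798 sense looks like, next to the pattern the flagged line actually follows, a per-user secret generated at runtime from a CSPRNG and only then placed after the fixed "secret=" parameter name of the otpauth URI. The issuer and account values are constructed sample data, and the base32 encoder is written out so the block runs on plain PHP without WordPress.

```php
<?php
// Added example for this report (not Wordfence code). Sample issuer and
// account values are constructed; the base32 encoder is inline so this
// runs on any PHP 7.1+ without WordPress.

// What CWE-798 actually describes: a credential fixed in source and shared
// by every installation. Anyone with the code can mint valid OTPs.
const EXAMPLE_HARDCODED_TOTP_SECRET = 'JBSWY3DPEHPK3PXP'; // anti-pattern, for contrast only

/** RFC 4648 base32 without padding (20 random bytes encode to exactly 32 characters). */
function example_base32_encode( string $bytes ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( $bytes ) as $byte ) {
        $bits .= str_pad( decbin( ord( $byte ) ), 8, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 5 ) as $chunk ) {
        // Last chunk may be short; pad on the right per RFC 4648.
        $out .= $alphabet[ bindec( str_pad( $chunk, 5, '0', STR_PAD_RIGHT ) ) ];
    }
    return $out;
}

/** Per-user secret: 160 bits from a CSPRNG, produced at enrolment, never present in source. */
function example_new_totp_secret(): string {
    return example_base32_encode( random_bytes( 20 ) );
}

/**
 * Same URI shape as the flagged line. "secret=" is a fixed parameter name in
 * the otpauth scheme; the value after it is the runtime-generated secret.
 */
function example_otpauth_uri( string $issuer, string $account, string $base32_secret ): string {
    return 'otpauth://totp/' . rawurlencode( $issuer . ':' . $account )
        . '?secret=' . $base32_secret
        . '&algorithm=SHA1&digits=6&period=30'
        . '&issuer=' . rawurlencode( $issuer );
}

// Constructed sample run: a fresh secret per call, so the URI differs every time.
$secret = example_new_totp_secret();
echo example_otpauth_uri( 'example.test', 'alice', $secret ), PHP_EOL;
```

A scanner rule that fires on "secret=" cannot distinguish these two cases; the discriminator is whether the value after the parameter name is a literal in the source (the constant above) or the return value of a function that reads per-user state.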

317. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/modules/login-security/classes/model/settings/db.php:76 CWE: CWE-89 Confidence: HIGH

Description: Identifier-only query on the login-security settings table: `{$table}` is the sole interpolation and the WHERE clause compares against the literal 'yes'. Value placeholders cannot bind a table name, so the risk is determined by the provenance of $table rather than by the absence of prepare().

Code:

$raw = $wpdb->get_results("SELECT `name`, `value` FROM `{$table}` WHERE `autoload` = 'yes'");

Recommendation: Confirm $table derives from $wpdb->prefix and a constant suffix. Use the %i identifier placeholder on WordPress 6.2+, otherwise document the provenance and close.


318. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/waf/pomo/entry.php:121 CWE: CWE-89 Confidence: HIGH

Description: Builds the lookup key for a translation entry: gettext separates msgctxt from msgid with the \4 (EOT) byte, which is what "\4" is here. This is PO/MO translation handling, not SQL. False positive for CWE-89.

Code:

$key = ! $this->context ? $this->singular : $this->context . "\4" . $this->singular;

Recommendation: Close as a false positive for SQL injection; no change.


320. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/waf/pomo/mo.php:208 CWE: CWE-89 Confidence: HIGH

Description: MO-file export: the "\0" byte separates the singular form from the plural form in the MO binary format. Translation serialisation, not SQL. False positive for CWE-89.

Code:

$exported .= "\0" . $entry->plural;

Recommendation: Close as a false positive for SQL injection; no change.


321. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/waf/pomo/mo.php:211 CWE: CWE-89 Confidence: HIGH

Description: MO-file export: the "\4" (EOT) byte separates msgctxt from msgid in the MO binary format. Translation serialisation, not SQL. False positive for CWE-89.

Code:

$exported = $entry->context . "\4" . $exported;

Recommendation: Close as a false positive for SQL injection; no change.


324. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/waf/pomo/po.php:311 CWE: CWE-89 Confidence: HIGH

Description: PO-file parsing: prepends a newline to a multi-line translation string. Text handling, not SQL. False positive for CWE-89.

Code:

$translation = "\n" . $translation;

Recommendation: Close as a false positive for SQL injection; no change.


325. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/waf/pomo/po.php:531 CWE: CWE-89 Confidence: HIGH

Description: PO-file parsing: accumulates extracted comments (#. lines) for an entry. Text handling, not SQL. False positive for CWE-89.

Code:

$entry->extracted_comments = trim( $entry->extracted_comments . "\n" . $comment );

Recommendation: Close as a false positive for SQL injection; no change.


326. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/waf/pomo/po.php:535 CWE: CWE-89 Confidence: HIGH

Description: PO-file parsing: accumulates translator comments for an entry. Text handling, not SQL. False positive for CWE-89.

Code:

$entry->translator_comments = trim( $entry->translator_comments . "\n" . $comment );

Recommendation: Close as a false positive for SQL injection; no change.


330. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/models/block/wfBlock.php:560 CWE: CWE-89 Confidence: HIGH

Description: The concatenated value is self::DURATION_FOREVER, a class constant fixed at compile time; the table name {$blocksTable} is the only other interpolation. No request data can reach this statement through the flagged line.

Code:

$wpdb->query("DELETE FROM `{$blocksTable}` WHERE `expiration` <= UNIX_TIMESTAMP() AND `expiration` != " . self::DURATION_FOREVER);

Recommendation: Low priority. If the query is touched, bind the constant with %d through $wpdb->prepare() and confirm $blocksTable derives from $wpdb->prefix and a fixed suffix; otherwise close with that note.


331. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/models/block/wfBlock.php:1691 CWE: CWE-89 Confidence: HIGH

Description: $inClause is a comma-separated list of block IDs interpolated into a DELETE. This is a real SQL sink whose safety depends on how $inClause was built (each element cast to int, or not); the scan does not see that construction.

Code:

$query = "DELETE FROM `{$blocksTable}` WHERE `id` IN (" . $inClause . ")";

Recommendation: Bind the IDs with one %d placeholder per element through $wpdb->prepare() instead of pre-assembling $inClause, and confirm the table identifier's provenance.


332. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/models/block/wfBlock.php:574 CWE: CWE-89 Confidence: HIGH

Description: The concatenated value is the class constant self::DURATION_FOREVER; the table name is the only other interpolation. No request data reaches this query through the flagged line.

Code:

$removing = self::_recordsFromRows($wpdb->get_results("SELECT * FROM `{$blocksTable}` WHERE `expiration` = " . self::DURATION_FOREVER, ARRAY_A));

Recommendation: Low priority. Bind the constant with %d if the query is revised; otherwise close with a note on the provenance of $blocksTable.


333. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/models/block/wfBlock.php:1117 CWE: CWE-89 Confidence: HIGH

Description: The IN list is produced by implode() over class constants (self::TYPE_*), all fixed at compile time; the table name is the only other interpolation. No request data reaches this query. False positive for CWE-89.

Code:

$rows = $wpdb->get_results("SELECT * FROM `{$blocksTable}` WHERE `type` IN (" . implode(', ', array(self::TYPE_IP_MANUAL, self::TYPE_IP_AUTOMATIC_TEMPORARY, self::TYPE_IP_AUTOMATIC_PERMANENT, self::TYPE_WFSN_TEMPORARY, self::TYPE_RATE_BLOCK, self::TYPE_RATE_THROTTLE, self::TYPE_LOCKOUT)) . ")", ARRAY_A);

Recommendation: Close as a false positive; the concatenated values are constants.


334. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/models/block/wfBlock.php:1130 CWE: CWE-89 Confidence: HIGH

Description: The IN list holds a single class constant (self::TYPE_COUNTRY) wrapped in implode(); nothing dynamic apart from the table name. False positive for CWE-89.

Code:

$rows = $wpdb->get_results("SELECT * FROM `{$blocksTable}` WHERE `type` IN (" . implode(', ', array(self::TYPE_COUNTRY)) . ")", ARRAY_A);

Recommendation: Close as a false positive; the concatenated value is a constant.


335. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/models/block/wfBlock.php:1188 CWE: CWE-89 Confidence: HIGH

Description: {$ipHex} is interpolated unquoted into the WHERE clause. If it is a SQL hex literal produced by a helper from the binary IP address (the variable name suggests this), no untrusted bytes reach the query; if it could ever hold a raw string, this is an injection point. The scan cannot tell the two apart.

Code:

$rows = $wpdb->get_results("SELECT * FROM `{$blocksTable}` WHERE `IP` = {$ipHex}", ARRAY_A);

Recommendation: Trace $ipHex to its source. If it is always produced by a hex-encoding helper, document that and close; otherwise pass the binary IP value through a %s placeholder in $wpdb->prepare().


336. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wordfence/models/block/wfBlock.php:1682 CWE: CWE-89 Confidence: HIGH

Description: {$populateInClause} is an IN list of block IDs interpolated into a SELECT. As with the other ID lists in this file, this is a real SQL sink whose safety depends on each element having been cast to int when the clause was built, which is outside the flagged line.

Code:

$data = wfUtils::array_kmap(function($r) { return array($r['id'] => $r); }, $wpdb->get_results("SELECT * FROM `{$blocksTable}` WHERE `id` IN ({$populateInClause})", ARRAY_A));

Recommendation: Bind the IDs with one %d placeholder per element through $wpdb->prepare() and confirm the table identifier's provenance.

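The LIMIT, identifier and IN-list findings above (300, 301, 311 to 314, 317, 331 and 336) share one root cause: $wpdb->prepare() has no single placeholder for a bare integer in LIMIT, for a table name, or for a variable-length list, so the code concatenates. The following is an added example written for this report, not Wordfence or cxq-membership code, showing how each shape is expressed with placeholders. It assumes a WordPress runtime (the global $wpdb), WordPress 6.2 or later for the %i identifier placeholder, and hypothetical plugin table suffixes example_blocks and example_config.

```php
<?php
// Added example for this report (not plugin code). Assumes a WordPress
// runtime: the global $wpdb, and WordPress 6.2+ for the %i placeholder.
// Table suffixes 'example_blocks' and 'example_config' are hypothetical.

/**
 * Identifier handling without %i. A %s placeholder would quote the table
 * name as a string literal and break the query, so the name must come from
 * a fixed allow-list and be joined to $wpdb->prefix by the code itself.
 */
function example_table( string $suffix ): string {
    global $wpdb;
    static $allowed = array( 'example_blocks', 'example_config' ); // hypothetical
    if ( ! in_array( $suffix, $allowed, true ) ) {
        throw new InvalidArgumentException( 'Unknown table suffix: ' . $suffix );
    }
    return '`' . $wpdb->prefix . $suffix . '`';
}

/**
 * Findings 300/301/336 shape: integer IN list plus a bare LIMIT.
 * One %d per id, %d for LIMIT (which rejects a quoted value), and %i for
 * the identifier on WordPress 6.2+.
 */
function example_rows_by_ids( array $ids, $limit ): array {
    global $wpdb;

    $ids   = array_values( array_unique( array_map( 'intval', $ids ) ) );
    $limit = max( 1, min( 1000, (int) $limit ) ); // clamp; do not trust the caller

    if ( empty( $ids ) ) {
        return array(); // "IN ()" is a syntax error; short-circuit instead
    }

    $in  = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT * FROM %i WHERE `id` IN ({$in}) ORDER BY `id` LIMIT %d",
        array_merge( array( $wpdb->prefix . 'example_blocks' ), $ids, array( $limit ) )
    );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

/**
 * Finding 313 shape: string IN list of option names on a plugin table,
 * using the allow-listed identifier helper above and one %s per name.
 */
function example_options_by_name( array $names ): array {
    global $wpdb;

    $names = array_values( array_filter( array_map( 'strval', $names ), 'strlen' ) );
    if ( empty( $names ) ) {
        return array();
    }

    $in    = implode( ', ', array_fill( 0, count( $names ), '%s' ) );
    $table = example_table( 'example_config' );
    $sql   = $wpdb->prepare(
        "SELECT `name`, `val` FROM {$table} WHERE `name` IN ({$in})",
        $names
    );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

/**
 * Finding 331 shape: DELETE by id list. Same placeholder-list technique;
 * returns the affected row count, or false on error, as $wpdb->query() does.
 */
function example_delete_by_ids( array $ids ) {
    global $wpdb;

    $ids = array_values( array_unique( array_map( 'intval', $ids ) ) );
    if ( empty( $ids ) ) {
        return 0;
    }

    $in    = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
    $table = example_table( 'example_blocks' );

    return $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE `id` IN ({$in})", $ids )
    );
}
```

Two details carry the weight here. The placeholder list is generated from count() of the already-normalised array, so the number of placeholders always matches the number of arguments prepare() receives; and the empty-list case is handled before any SQL is built, because IN () is invalid and a fallback such as IN (0) silently changes the query's meaning. On WordPress older than 6.2 the %i form in example_rows_by_ids() is unavailable, and the example_table() allow-list is the substitute for binding the identifier.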

338. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-submission-debug.php:65 CWE: CWE-89 Confidence: HIGH

Description: An echo of a callback's class and method name to standard output in a test/debug script; no query is built. False positive for CWE-89.

Code:

echo "  - " . get_class($callback['function'][0]) . "::" . $callback['function'][1] . "\n";

Recommendation: Close as a false positive for SQL injection. The file itself deserves a separate look: test-submission-debug.php sits at the plugin root under the web root, so confirm it is excluded from production deployments or cannot be invoked over HTTP.


340. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-phase2-integration.php:33 CWE: CWE-89 Confidence: HIGH

Description: Echo of the plugin version in an integration test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Plugin version: " . $plugin->getVersion() . "\n";

Recommendation: Close as a false positive for SQL injection. Confirm test-phase2-integration.php is excluded from production deployments, since it sits at the plugin root under the web root.


341. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-phase2-integration.php:77 CWE: CWE-89 Confidence: HIGH

Description: Echo of the migration version in an integration test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Migration version: " . $status['current_version'] . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


342. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-phase2-integration.php:80 CWE: CWE-89 Confidence: HIGH

Description: Echo of the organization type in an integration test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Organization type: " . $status['organization_type'] . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


343. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-phase2-integration.php:100 CWE: CWE-89 Confidence: HIGH

Description: Echo of an exception message in an integration test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Error: " . $e->getMessage() . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


348. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:75 CWE: CWE-89 Confidence: HIGH

Description: Echo of a place ID and title in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "Using existing place (ID: $place_id) - " . $places[0]->post_title . "\n";

Recommendation: Close as a false positive for SQL injection. test-claims-workflow.php sits at the plugin root under the web root; confirm it is excluded from production deployments or cannot be invoked over HTTP.


349. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:88 CWE: CWE-89 Confidence: HIGH

Description: Echo of a claim code in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Claim code: " . $claim_code . "\n";

Recommendation: Close as a false positive for SQL injection. Note that this line prints a claim code to the caller; acceptable in a test harness, but a further reason the script must not be reachable in production.


350. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:98 CWE: CWE-89 Confidence: HIGH

Description: Echo of an orphan place's ID and title in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  - ID: " . $orphan->ID . " | " . $orphan->post_title . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


351. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:113 CWE: CWE-89 Confidence: HIGH

Description: Echo of a test user's e-mail address in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Email: " . $test_username . "@example.com\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


352. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:129 CWE: CWE-89 Confidence: HIGH

Description: Echo of a claim's status in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Status: " . $claim->status . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


353. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:130 CWE: CWE-89 Confidence: HIGH

Description: Echo of a claim's verification method in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Method: " . $claim->verification_method . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


354. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:131 CWE: CWE-89 Confidence: HIGH

Description: Echo of a claim's verification code in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Code: " . $claim->verification_code . "\n";

Recommendation: Close as a false positive for SQL injection. This line prints a verification code to the caller; fine inside a test harness, but it makes keeping the script out of production deployments essential.


355. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:132 CWE: CWE-89 Confidence: HIGH

Description: Echo of a claim date in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Date: " . $claim->claim_date . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


356. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:147 CWE: CWE-89 Confidence: HIGH

Description: Echo of a claim's updated status in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  New status: " . $claim->status . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


357. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:157 CWE: CWE-89 Confidence: HIGH

Description: Echo of a pending claim's summary fields in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  - Claim #" . $pending->id . " | Place: " . $pending->place_name . " | User: " . $pending->display_name . " | Status: " . $pending->status . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


358. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:164 CWE: CWE-89 Confidence: HIGH

Description: Echo of a claim statistic in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Total claims: " . $stats['total'] . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


359. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:165 CWE: CWE-89 Confidence: HIGH

Description: Echo of a claim statistic in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Pending: " . $stats['pending'] . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


360. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:166 CWE: CWE-89 Confidence: HIGH

Description: Echo of a claim statistic in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Verified: " . $stats['verified'] . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


361. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:167 CWE: CWE-89 Confidence: HIGH

Description: Echo of a claim statistic in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Approved: " . $stats['approved'] . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


362. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:168 CWE: CWE-89 Confidence: HIGH

Description: Echo of a claim statistic in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Rejected: " . $stats['rejected'] . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


363. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:169 CWE: CWE-89 Confidence: HIGH

Description: Echo of the orphan-place count in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Orphan places: " . $stats['orphan_places'] . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


364. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:189 CWE: CWE-89 Confidence: HIGH

Description: Echo of a manager's display name and role in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "    - " . $manager->display_name . " (" . $manager->role . ")\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


365. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:194 CWE: CWE-89 Confidence: HIGH

Description: Echo of a claim's final status in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Final status: " . $claim->status . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


366. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:195 CWE: CWE-89 Confidence: HIGH

Description: Echo of the reviewing user's ID in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Reviewed by: User ID " . $claim->reviewed_by . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


367. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:196 CWE: CWE-89 Confidence: HIGH

Description: Echo of a claim's notes in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "  Notes: " . $claim->notes . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


368. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:204 CWE: CWE-89 Confidence: HIGH

Description: Echo of a place URL in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "Place URL: " . $place_url . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


369. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:219 CWE: CWE-89 Confidence: HIGH

Description: Echo of a follow-up instruction containing a place URL in a workflow test script; plain output, not SQL. False positive for CWE-89.

Code:

echo "\nNext: Test frontend at: " . $place_url . "\n";

Recommendation: Close as a false positive for SQL injection; confirm the test script is not deployed to production.


385. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:169 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Orphan places: " . $stats['orphan_places'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


386. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:189 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    - " . $manager->display_name . " (" . $manager->role . ")\n";

Recommendation: Use $wpdb->prepare() with placeholders


387. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:194 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Final status: " . $claim->status . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


388. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:195 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Reviewed by: User ID " . $claim->reviewed_by . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


389. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:196 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Notes: " . $claim->notes . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


390. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:204 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Place URL: " . $place_url . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


391. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-workflow.php:219 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "\nNext: Test frontend at: " . $place_url . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


392. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-permissions.php:31 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Database error: " . $wpdb->last_error . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


393. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-permissions.php:46 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  ID: " . $manager->id . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


394. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-permissions.php:47 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Role: " . $manager->role . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


395. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-permissions.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Date: " . $manager->date_added . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


396. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-permissions.php:58 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - " . $mgr->display_name . " (" . $mgr->role . ")\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


397. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-permissions.php:31 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Database error: " . $wpdb->last_error . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


398. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-permissions.php:46 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  ID: " . $manager->id . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


399. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-permissions.php:47 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Role: " . $manager->role . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


400. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-permissions.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Date: " . $manager->date_added . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


401. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-permissions.php:58 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - " . $mgr->display_name . " (" . $mgr->role . ")\n";

Recommendation: Use $wpdb->prepare() with placeholders


402. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/debug-frontend.php:52 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Found Places hook: $class::" . $callback['function'][1] . " at priority $priority\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


403. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/debug-frontend.php:52 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Found Places hook: $class::" . $callback['function'][1] . " at priority $priority\n";

Recommendation: Use $wpdb->prepare() with placeholders


404. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/check-admin-status.php:47 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - {$id}: " . $module->getName() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


405. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/check-admin-status.php:56 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "✓ Active Module: " . $active->getName() . " ({$active->getId()})\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


406. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/check-admin-status.php:64 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "✗ Error loading modules: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


407. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/check-admin-status.php:47 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - {$id}: " . $module->getName() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


408. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/check-admin-status.php:56 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "✓ Active Module: " . $active->getName() . " ({$active->getId()})\n";

Recommendation: Use $wpdb->prepare() with placeholders


409. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/check-admin-status.php:64 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "✗ Error loading modules: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


410. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/check-admin-status.php:89 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$all_org_options = $wpdb->get_results("SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE 'cxq_mm_%' ORDER BY option_name");

Recommendation: Use $wpdb->prepare() with placeholders


411. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/temp_verify_fix.php:27 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "   Error: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


412. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/temp_verify_fix.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "   Error: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


413. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/temp_verify_fix.php:27 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "   Error: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


414. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/temp_verify_fix.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "   Error: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


415. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-org-types.php:76 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    ID: " . $instance->getId() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


416. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-org-types.php:77 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    Name: " . $instance->getName() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


417. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-org-types.php:78 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    Description: " . $instance->getDescription() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


418. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-org-types.php:79 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    Icon: " . $instance->getIcon() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


419. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-org-types.php:99 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    ✗ Error: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


420. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-org-types.php:132 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  ✓ Active module: " . $active->getName() . " ({$active->getId()})\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


421. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-org-types.php:138 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  ✗ Error: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


422. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-org-types.php:76 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    ID: " . $instance->getId() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


423. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-org-types.php:77 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    Name: " . $instance->getName() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


424. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-org-types.php:78 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    Description: " . $instance->getDescription() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


425. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-org-types.php:79 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    Icon: " . $instance->getIcon() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


426. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-org-types.php:99 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    ✗ Error: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


427. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-org-types.php:132 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  ✓ Active module: " . $active->getName() . " ({$active->getId()})\n";

Recommendation: Use $wpdb->prepare() with placeholders


428. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-org-types.php:138 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  ✗ Error: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


429. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-libraries.php:60 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "❌ <strong>{$service_name}</strong>: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


430. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-libraries.php:60 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "❌ <strong>{$service_name}</strong>: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


431. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:82 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Query failed: " . $e->getMessage() . " ✗\n\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


432. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:91 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "✗ Failed to create test user: " . $test_user_id->get_error_message() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


433. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:117 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Place ID: " . $claim->place_id . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


434. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  User ID: " . $claim->user_id . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


435. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Status: " . $claim->status . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


436. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Method: " . $claim->verification_method . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


437. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:121 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Code: " . $claim->verification_code . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


438. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:122 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Date: " . $claim->claim_date . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


439. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:158 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  New status: " . $claim_obj->status . " (should be 'verified')\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


440. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  First claim ID: " . $pending[0]->id . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


441. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:173 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Place name: " . $pending[0]->place_name . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


442. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:174 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  User: " . $pending[0]->display_name . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


443. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:185 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Total: " . $stats['total'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


444. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:186 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Pending: " . $stats['pending'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


445. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:187 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Verified: " . $stats['verified'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


446. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:188 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Approved: " . $stats['approved'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


447. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:189 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Rejected: " . $stats['rejected'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


448. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:190 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Orphan places: " . $stats['orphan_places'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


449. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:211 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Final status: " . $claim_obj->status . " (should be 'approved')\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


450. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:212 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Reviewed by: " . $claim_obj->reviewed_by . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


451. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:213 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Notes: " . $claim_obj->notes . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


452. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:249 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Status: " . $claim_obj_2->status . " (should be 'rejected')\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


453. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:250 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Rejection reason: " . $claim_obj_2->notes . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


454. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:82 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Query failed: " . $e->getMessage() . " ✗\n\n";

Recommendation: Use $wpdb->prepare() with placeholders


455. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:91 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "✗ Failed to create test user: " . $test_user_id->get_error_message() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


456. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:117 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Place ID: " . $claim->place_id . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


457. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  User ID: " . $claim->user_id . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


458. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Status: " . $claim->status . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


459. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Method: " . $claim->verification_method . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


460. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:121 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89. The concatenated value is written to stdout by echo; no SQL statement is assembled on this line, so there is nothing for $wpdb->prepare() to parameterize. What the line does print is a claim verification code, and the script sits in the plugin directory under the web root, so if it can be requested over HTTP that code is disclosed to whoever requests it.

Code:

echo "  Code: " . $claim->verification_code . "\n";

Recommendation: Suppress this rule for echo/print concatenation. Keep standalone test scripts (test-*.php) out of the release package or outside the web root; if one has to stay, make it exit unless PHP_SAPI === 'cli'.


461. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:122 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460 (value concatenated into an echo string, not into a query).

Code:

echo "  Date: " . $claim->claim_date . "\n";

Recommendation: As for 460.


462. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:158 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460 (echo to stdout, no query).

Code:

echo "  New status: " . $claim_obj->status . " (should be 'verified')\n";

Recommendation: As for 460.


463. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:172 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460 (echo to stdout, no query).

Code:

echo "  First claim ID: " . $pending[0]->id . "\n";

Recommendation: As for 460.


464. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:173 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460 (echo to stdout, no query).

Code:

echo "  Place name: " . $pending[0]->place_name . "\n";

Recommendation: As for 460.


465. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:174 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460 (echo to stdout, no query).

Code:

echo "  User: " . $pending[0]->display_name . "\n";

Recommendation: As for 460.


466. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:185 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460 (a statistics counter echoed to stdout, no query).

Code:

echo "  Total: " . $stats['total'] . "\n";

Recommendation: As for 460.


467. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:186 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460.

Code:

echo "  Pending: " . $stats['pending'] . "\n";

Recommendation: As for 460.


468. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:187 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460.

Code:

echo "  Verified: " . $stats['verified'] . "\n";

Recommendation: As for 460.


469. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:188 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460.

Code:

echo "  Approved: " . $stats['approved'] . "\n";

Recommendation: As for 460.


470. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:189 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460.

Code:

echo "  Rejected: " . $stats['rejected'] . "\n";

Recommendation: As for 460.


471. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:190 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460.

Code:

echo "  Orphan places: " . $stats['orphan_places'] . "\n";

Recommendation: As for 460.


472. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:211 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460 (echo to stdout, no query).

Code:

echo "  Final status: " . $claim_obj->status . " (should be 'approved')\n";

Recommendation: As for 460.


473. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:212 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460.

Code:

echo "  Reviewed by: " . $claim_obj->reviewed_by . "\n";

Recommendation: As for 460.


474. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:213 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460.

Code:

echo "  Notes: " . $claim_obj->notes . "\n";

Recommendation: As for 460.


475. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:249 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460.

Code:

echo "  Status: " . $claim_obj_2->status . " (should be 'rejected')\n";

Recommendation: As for 460.


476. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-claims-service-only.php:250 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 460.

Code:

echo "  Rejection reason: " . $claim_obj_2->notes . "\n";

Recommendation: As for 460.


477. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-setup-wizard.php:46 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89. $e->getMessage() is concatenated into an echo string, not into a SQL statement. Printing raw exception messages only matters if this test script is reachable over HTTP, where the message can leak internal paths and component names to the requester.

Code:

echo "✗ Error: " . $e->getMessage() . "\n";

Recommendation: $wpdb->prepare() does not apply. Keep test scripts out of the shipped plugin directory, or have them exit unless PHP_SAPI === 'cli'.


478. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-setup-wizard.php:59 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 477 (module name echoed to stdout, no query).

Code:

echo "Active Module: " . $active_module->getName() . "\n\n";

Recommendation: As for 477.


479. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-setup-wizard.php:70 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 477.

Code:

echo "  ✗ Error: " . $e->getMessage() . "\n";

Recommendation: As for 477.


480. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-setup-wizard.php:81 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 477.

Code:

echo "  ✗ Error: " . $e->getMessage() . "\n";

Recommendation: As for 477.


481. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-setup-wizard.php:89 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 477.

Code:

echo "  ✗ Error: " . $e->getMessage() . "\n";

Recommendation: As for 477.


487. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-asset-manager.php:47 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89. The exception message is concatenated into an echo string in a standalone test script; no SQL statement is built. The only exposure is disclosure of the raw message if the script is reachable over HTTP.

Code:

echo "✗ Error registering stylesheet: " . $e->getMessage() . "\n\n";

Recommendation: $wpdb->prepare() does not apply. Keep test scripts out of the shipped plugin directory, or have them exit unless PHP_SAPI === 'cli'.


488. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-asset-manager.php:72 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 487.

Code:

echo "✗ Error registering script: " . $e->getMessage() . "\n\n";

Recommendation: As for 487.


491. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/cxq-membership.php:688 CWE: CWE-89 Confidence: HIGH

Description: Misclassified. This line builds HTML, not SQL: $parsed_args['show_option_no_change'] is concatenated into an <option> label with no escaping. If that label can carry untrusted text, the weakness is cross-site scripting (CWE-79), not CWE-89; if it is always a fixed translated string, the finding is a false positive.

Code:

$output .= "\t<option value=\"-1\">" . $parsed_args['show_option_no_change'] . "</option>\n";

Recommendation: $wpdb->prepare() does not apply. Escape the label for the HTML text context (esc_html()) at the point of concatenation, matching the esc_attr() this code already applies to attribute values, and re-file the finding under CWE-79 or close it.


492. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/cxq-membership.php:2304 CWE: CWE-89 Confidence: HIGH

Description: Misclassified. The concatenation builds a log message passed to $this->log_event(); no SQL is executed here. There is a separate defect on the line: wpdb::show_errors( false ) returns the previous value of the show_errors flag (a boolean) and switches error display off as a side effect, so the message ends in "1" or nothing rather than in the database error. The error text is in $wpdb->last_error.

Code:

$this->log_event($user->ID,'Registration',"Failed to change username from `{$user->user_login}` to `{$new_username}`: ".$wpdb->show_errors(false));

Recommendation: $wpdb->prepare() does not apply. Log $wpdb->last_error instead of the return value of $wpdb->show_errors(false), and do not toggle error display from inside a logging call.


493. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/cxq-membership.php:2527 CWE: CWE-89 Confidence: HIGH

Description: Misclassified; same HTML pattern as 491 (unescaped option label, no SQL).

Code:

$output .= "\t<option value=\"-1\">" . $parsed_args['show_option_no_change'] . "</option>\n";

Recommendation: As for 491.


494. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/cxq-membership.php:2586 CWE: CWE-89 Confidence: HIGH

Description: Misclassified; same HTML pattern as 491.

Code:

$output .= "\t<option value=\"-1\">" . $parsed_args['show_option_no_change'] . "</option>\n";

Recommendation: As for 491.


495. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/cxq-membership.php:2653 CWE: CWE-89 Confidence: HIGH

Description: Misclassified; this builds the opening <select> tag, not SQL. The name and id attributes are already escaped with esc_attr(); $class is concatenated raw and is the only part worth checking.

Code:

$output = "<select name='" . esc_attr( $parsed_args['name'] ) . "'" . $class . " id='" . esc_attr( $parsed_args['id'] ) . "'>\n";

Recommendation: $wpdb->prepare() does not apply. Confirm $class is built from a fixed class list or escaped with esc_attr() where it is assembled; otherwise close the finding.


496. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/cxq-membership.php:2655 CWE: CWE-89 Confidence: HIGH

Description: Misclassified; same HTML pattern as 491.

Code:

$output .= "\t<option value=\"-1\">" . $parsed_args['show_option_no_change'] . "</option>\n";

Recommendation: As for 491.


497. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/cxq-membership.php:2705 CWE: CWE-89 Confidence: HIGH

Description: Misclassified; same <select> pattern as 495 (name and id escaped, $class raw).

Code:

$output = "<select name='" . esc_attr( $parsed_args['name'] ) . "'" . $class . " id='" . esc_attr( $parsed_args['id'] ) . "'>\n";

Recommendation: As for 495.


498. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/cxq-membership.php:2707 CWE: CWE-89 Confidence: HIGH

Description: Misclassified; same HTML pattern as 491.

Code:

$output .= "\t<option value=\"-1\">" . $parsed_args['show_option_no_change'] . "</option>\n";

Recommendation: As for 491.


499. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/cxq-membership.php:2714 CWE: CWE-89 Confidence: HIGH

Description: Misclassified; HTML, not SQL. The option value is escaped with esc_attr(), but the visible label $parsed_args['show_option_now'] is concatenated without escaping.

Code:

$output .= "\t<option value=\"" . esc_attr( $parsed_args['option_now_value'] ) . "\"{$selected}>" . $parsed_args['show_option_now'] . "</option>\n";

Recommendation: $wpdb->prepare() does not apply. Wrap the label in esc_html(), as the value already is in esc_attr(), and re-file under CWE-79 if the label can be user-supplied.


500. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/cxq-membership.php:2718 CWE: CWE-89 Confidence: HIGH

Description: Misclassified; same pattern as 499 (value escaped, label $parsed_args['show_option_custom_default'] not).

Code:

$output .= "\t<option value=\"" . esc_attr( $parsed_args['option_custom_default_value'] ) . "\"{$selected}>" . $parsed_args['show_option_custom_default'] . "</option>\n";

Recommendation: As for 499.


511. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-features-comprehensive.php:78 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89. A getter result is concatenated into an echo string in a standalone test script; no SQL statement is built.

Code:

echo "  Name: " . $org_instance->getName() . "\n";

Recommendation: $wpdb->prepare() does not apply. Keep test scripts out of the shipped plugin directory, or have them exit unless PHP_SAPI === 'cli'.


512. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-features-comprehensive.php:79 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 511.

Code:

echo "  Description: " . $org_instance->getDescription() . "\n";

Recommendation: As for 511.


513. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-features-comprehensive.php:80 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 511.

Code:

echo "  Icon: " . $org_instance->getIcon() . "\n";

Recommendation: As for 511.


517. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-features-integration.php:69 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89. The module name is concatenated into an echo string in a standalone test script; no SQL statement is built.

Code:

echo "  ✓ Active module loaded: " . $active_module->getName() . "\n";

Recommendation: $wpdb->prepare() does not apply. Keep test scripts out of the shipped plugin directory, or have them exit unless PHP_SAPI === 'cli'.


519. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-setup-wizard-simulation.php:405 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89. A result name is concatenated into an echo string in a standalone simulation script; no SQL statement is built.

Code:

echo "  - " . $result['name'] . "\n";

Recommendation: $wpdb->prepare() does not apply. Keep test scripts out of the shipped plugin directory, or have them exit unless PHP_SAPI === 'cli'.


520. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-setup-wizard-simulation.php:407 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 519.

Code:

echo "    " . $result['details'] . "\n";

Recommendation: As for 519.


523. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-php-validation.php:33 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89. The exception message is concatenated into an echo string in a standalone test script; no SQL statement is built. The only exposure is disclosure of the raw message if the script is reachable over HTTP.

Code:

echo "   ✗ Error: " . $e->getMessage() . "\n\n";

Recommendation: $wpdb->prepare() does not apply. Keep test scripts out of the shipped plugin directory, or have them exit unless PHP_SAPI === 'cli'.


524. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-php-validation.php:48 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 523.

Code:

echo "   ✗ Error: " . $e->getMessage() . "\n\n";

Recommendation: As for 523.


527. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/simple-test.php:58 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89. The exception message is concatenated into an echo string in a standalone test script; no SQL statement is built. The only exposure is disclosure of the raw message if the script is reachable over HTTP.

Code:

echo "✗ ServiceContainer instantiation failed: " . $e->getMessage() . "\n";

Recommendation: $wpdb->prepare() does not apply. Keep test scripts out of the shipped plugin directory, or have them exit unless PHP_SAPI === 'cli'.


528. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/simple-test.php:73 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 527.

Code:

echo "✗ Service test failed: " . $e->getMessage() . "\n";

Recommendation: As for 527.


531. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-permissions-debug.php:17 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89. A post field is concatenated into an echo string in a standalone debug script; no SQL statement is built. Lines 34 and 35 of the same script print account data (login name and e-mail address), which is a disclosure concern only if the script is reachable over HTTP.

Code:

echo "  Post type: " . $place->post_type . "\n";

Recommendation: $wpdb->prepare() does not apply. Remove debug scripts from the shipped plugin directory, or have them exit unless PHP_SAPI === 'cli'.


532. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-permissions-debug.php:18 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 531.

Code:

echo "  Post title: " . $place->post_title . "\n";

Recommendation: As for 531.


533. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-permissions-debug.php:21 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 531.

Code:

echo "  ✗ Wrong post type! Expected 'cxq_mm_member', got '" . $place->post_type . "'\n";

Recommendation: As for 531.


534. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-permissions-debug.php:34 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 531. This line prints the account's login name.

Code:

echo "  Username: " . $user->user_login . "\n";

Recommendation: As for 531.


535. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/test-permissions-debug.php:35 CWE: CWE-89 Confidence: HIGH

Description: False positive; same pattern as 531. This line prints the account's e-mail address.

Code:

echo "  Email: " . $user->user_email . "\n";

Recommendation: As for 531.


541. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/includes/migration-phase2.php:194 CWE: CWE-89 Confidence: HIGH

Description: Not injectable as written. This line does execute SQL, but the only interpolated value is $wpdb->usermeta, the table-name property that wpdb sets itself, and the meta_key is a fixed literal; no external input reaches the statement. The scanner matched the string interpolation, not a data flow.

Code:

$wpdb->query("DELETE FROM {$wpdb->usermeta} WHERE meta_key = '_org_positions'");

Recommendation: No security change required. $wpdb->delete( $wpdb->usermeta, array( 'meta_key' => '_org_positions' ) ) expresses the same statement without hand-built SQL and keeps the line out of future scans; if the key ever becomes a variable, it must go through $wpdb->prepare() with a %s placeholder.


542. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/includes/migration-phase2.php:195 CWE: CWE-89 Confidence: HIGH

Description: Not injectable as written; same pattern as 541 (table-name property plus a literal key).

Code:

$wpdb->query("DELETE FROM {$wpdb->usermeta} WHERE meta_key = '_primary_position'");

Recommendation: As for 541.


543. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/includes/migration-phase2.php:196 CWE: CWE-89 Confidence: HIGH

Description: Not injectable as written; same pattern as 541.

Code:

$wpdb->query("DELETE FROM {$wpdb->usermeta} WHERE meta_key = '_credentials'");

Recommendation: As for 541.

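Why the three migration lines above are not injectable, and what this rule is actually meant to catch, shown as an added example in Python with sqlite3 rather than in the plugin's PHP (this is not the plugin's code; the usermeta table, its four rows and the hostile key are constructed for the demonstration). With a literal key both forms delete the one intended row. When the key is a variable, the concatenated form lets `' OR '1'='1` rewrite the WHERE clause, while the bound-parameter form, the sqlite3 counterpart of $wpdb->prepare() with a %s placeholder, treats the same text as a value and matches nothing:

```python
import sqlite3

# Constructed sample rows standing in for wp_usermeta (a toy schema, not the plugin's).
SAMPLE_ROWS = [
    (1, "_org_positions", "[3, 7]"),
    (1, "_primary_position", "3"),
    (2, "_credentials", "cpr-2025"),
    (2, "nickname", "bob"),
]

def fresh_db():
    """In-memory table so every call starts from the same four rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO usermeta VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db

def rows_left(db):
    return db.execute("SELECT COUNT(*) FROM usermeta").fetchone()[0]

def delete_meta_concat(db, meta_key):
    """The shape the scanner rule targets: the value becomes part of the SQL text.
    Harmless only while meta_key is a literal, as in migration-phase2.php."""
    db.execute("DELETE FROM usermeta WHERE meta_key = '" + meta_key + "'")
    db.commit()
    return rows_left(db)

def delete_meta_param(db, meta_key):
    """The prepare()-style shape: the statement is fixed, the driver binds the value."""
    db.execute("DELETE FROM usermeta WHERE meta_key = ?", (meta_key,))
    db.commit()
    return rows_left(db)

if __name__ == "__main__":
    hostile = "' OR '1'='1"
    print("literal key, concatenated :", delete_meta_concat(fresh_db(), "_org_positions"))  # 3
    print("hostile key, concatenated :", delete_meta_concat(fresh_db(), hostile))           # 0
    print("hostile key, parameterized:", delete_meta_param(fresh_db(), hostile))            # 4
```

The hostile key turns the concatenated statement into DELETE FROM usermeta WHERE meta_key = '' OR '1'='1', which empties the table; the parameterized statement never changes shape, so the same text is compared as a 12-character key and no row matches.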

544. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/includes/register-deregister-post-status.class.php:182 CWE: CWE-89 Confidence: HIGH

Description: Misclassified. This is a fragment of a PHP string that emits inline JavaScript for the admin post-status dropdown; {$status} and {$label} are interpolated into a JavaScript string literal that itself contains HTML markup, and no SQL is involved. If either value can contain untrusted text, the exposure is script or markup injection (CWE-79).

Code:

jQuery( 'select[name=\"post_status\"]' ).append( '<option value=\"{$status}\">{$label}</option>' );".$jq_status;

Recommendation: $wpdb->prepare() does not apply. Escape each value for both contexts before interpolation: esc_attr() for {$status} and esc_html() for {$label}, then esc_js() on the result because both sit inside a single-quoted JavaScript string. Close the finding if both values come from a fixed, registered status list.


546. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/tests/simple-integration-test.php:188 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89. The migration version is concatenated into an echo string in an integration test; no SQL statement is built.

Code:

echo "  Migration Version: " . $status['current_version'] . "\n";

Recommendation: $wpdb->prepare() does not apply. Keep the tests/ directory out of the shipped plugin package.


548. Possible SQL injection via string concatenation (findings 548–553: three lines, each reported twice)

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/build/build.php:169, 170, 172 CWE: CWE-89 Confidence: HIGH

Description: These lines join a directory path and an entry name inside a recursive delete helper (rrmdir) in the plugin's build script. They touch the filesystem, not the database, so CWE-89 does not apply.

Code:

if (is_dir($dir . "/" . $object)) {
rrmdir($dir . "/" . $object);
unlink($dir . "/" . $object);

Recommendation: False positives for CWE-89. If $dir can ever be supplied from outside the build tree, the control that matters is path validation (a realpath() check against the expected root), not $wpdb->prepare(). Note that build/build.php sits under the web root at this path; confirm it is not reachable over HTTP on the deployed site.


554. Possible SQL injection via string concatenation (findings 554–561: one line, present at Host.php:172 and :198 in two vendored copies of the same library, each reported twice)

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172, 198 and /var/www/html/wordpress/wp-content/plugins/cxq-membership/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172, 198 CWE: CWE-89 Confidence: HIGH

Description: This builds the newline-delimited canonical string that a request signature is computed over (method, URL, timestamp, body hash). It is a signing input, not a query; no SQL is involved.

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: False positive for CWE-89. The property worth checking on this code has nothing to do with SQL: the fields are separated by "\n", so the canonical form is unambiguous only if none of $method, $url or $timestamp can itself contain a newline, and the verifying side must reject stale $timestamp values. Because the library is vendored twice, any fix applied to one copy must be applied to the other, or the metapackage copy dropped.


562. Possible SQL injection via string concatenation (also reported as 563 for the same line)

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/includes/core/cxq-membership-profiles.php:1372 CWE: CWE-89 Confidence: HIGH

Description: Builds an HTML table cell for a profile listing. $column_name is used both as a CSS class and as the lookup key passed to return_column_value(); no SQL is constructed on this line.

Code:

$html.="<td class=\"{$column_name}\">".$this->return_column_value( $column_name, $user).'</td>';

Recommendation: False positive for CWE-89. Confirm that $column_name is restricted to a known set of columns and that return_column_value() escapes what it returns (esc_html() or esc_attr() as appropriate), since its output is emitted straight into markup.


564. Possible SQL injection via string concatenation (findings 564–567: the same query in two files, each reported twice)

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/includes/custom/cxq-membership-cust-ems.php:80 and /var/www/html/wordpress/wp-content/plugins/cxq-membership/includes/custom/cxq-membership-cust-nsp.php:166 CWE: CWE-89 Confidence: HIGH

Description: A real SQL statement, but the only interpolated piece is $wpdb->usermeta (the prefixed table name); the meta_key filter is a literal. No attacker-controlled value reaches the query.

Code:

$sql = "SELECT meta_key,meta_value as member_id, count(meta_key) as count FROM `".$wpdb->usermeta."` WHERE meta_key = 'cxq_member_id_number' and meta_value<>'' group by meta_key,meta_value;";

Recommendation: False positive as written: there is nothing for $wpdb->prepare() to bind. The copy-pasted query across two customer-specific files is a maintenance risk rather than a security one; hoist it into a single helper so that a future change (for example, making the meta key a parameter) is prepared in one place.


568. Possible SQL injection via string concatenation (also reported as 569 for the same line)

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/includes/core/optional/cxq-membership-attachments.php:818 CWE: CWE-89 Confidence: HIGH

Description: exif_read_data() is called on a data:// stream assembled from a MIME type and base64-encoded file content. This is a PHP stream wrapper, not a SQL statement.

Code:

$exif[] = exif_read_data("data://{$mime_type};base64," . $file,$sections );

Recommendation: False positive for CWE-89. The inputs that matter are $mime_type and $file: take the MIME type from an allowlist rather than from the upload's own claim, and only feed content from a validated upload into the EXIF parser. PHP's exif extension has had memory-safety fixes for crafted images in the past, so keep the PHP runtime patched if this path handles user uploads.


570. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/src/Admin/PlaceClaimsPage.php:478 CWE: CWE-89 Confidence: HIGH

Description: This is the one finding in this batch that deserves a manual look. Unlike the static queries elsewhere in this section, the statement interpolates two dynamic pieces: $table and an entire pre-built $where clause. Whether it is exploitable depends on how $where is assembled, which this report does not show; if any filter value from the admin request is concatenated into it without $wpdb->prepare(), this is a genuine CWE-89.

Code:

$claims = $wpdb->get_results("SELECT * FROM {$table} {$where} ORDER BY claim_date DESC");

Recommendation: Trace $where back to where it is built. Every value in it must be bound through $wpdb->prepare() placeholders (%s, %d, %f), and any column or table name that varies must come from a fixed allowlist (or use the %i identifier placeholder available since WordPress 6.2). Keep the prepared fragments and the assembled statement together so a reviewer can see the whole query in one place, and confirm that the page checks a capability before running it, since it lives under src/Admin.
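The batch above mixes one query that warrants review (570) with dozens of lines that never touch the database. The script below is an added example, not part of the scanner or of any plugin named in this report: it re-reads findings in this report's own layout, collapses entries that repeat the same file, line and code, and assigns each survivor a verdict by checking for a $wpdb sink or SQL keyword and for interpolated variables other than $wpdb table-name properties. The regular expressions, the verdict names and the SAMPLE_REPORT excerpt (entries copied from this page plus one constructed prepared query numbered 999) are the example's own assumptions, not anything the scanner defines.

```python
"""Re-triage CWE-89 findings in this report's format (added example, not scanner code).

Verdicts:
  not-sql       no $wpdb call and no SQL keyword on the line (error_log, echo, HTML, paths)
  static-sql    a statement whose only interpolated pieces are $wpdb table-name properties
  prepared      the statement already passes through $wpdb->prepare()
  needs-review  a statement with other interpolated variables and no prepare()
"""
import re
from collections import Counter

NUMBER_RE = re.compile(r"^(\d+)\.\s")
HEADER_RE = re.compile(r"^File:\s+(?P<path>\S+?):(?P<line>\d+)\s+CWE:\s+(?P<cwe>CWE-\d+)")
# $wpdb methods that send a statement to MySQL, or prepare one for sending.
SINK_RE = re.compile(r"\$(?:this->)?wpdb->(?:query|get_results|get_var|get_row|get_col|prepare)\s*\(")
# Upper-case statement keywords, the way WordPress code conventionally writes them.
SQL_RE = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE|ALTER|DROP|TRUNCATE|REPLACE)\b")
# Any PHP variable reference, including ->prop and ['key'] chains.
VAR_RE = re.compile(r"\$(?:this->)?[A-Za-z_]\w*(?:->\w+|\[[^\]]*\])*")
ASSIGN_LHS_RE = re.compile(r"^\s*\$\w+\s*\.?=\s*")


def parse_report(text):
    """One dict per numbered finding: number, file, line, cwe, code."""
    findings, current, expect_code = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = NUMBER_RE.match(line)
        if m:
            current = {"number": int(m.group(1)), "file": "", "line": 0, "cwe": "", "code": ""}
            findings.append(current)
            expect_code = False
            continue
        if current is None:
            continue
        h = HEADER_RE.match(line)
        if h:
            current["file"], current["line"], current["cwe"] = h["path"], int(h["line"]), h["cwe"]
        elif line == "Code:":
            expect_code = True  # the next non-blank line is the flagged snippet
        elif expect_code and line:
            current["code"], expect_code = line, False
    return findings


def classify(code):
    """Verdict for one flagged line, plus the variables that make it dynamic."""
    if not SINK_RE.search(code) and not SQL_RE.search(code):
        return "not-sql", []
    if "prepare(" in code:
        return "prepared", []
    body = ASSIGN_LHS_RE.sub("", code)  # drop "$sql = " so the target is not counted
    dynamic = [t for t in VAR_RE.findall(body) if not t.startswith(("$wpdb->", "$this->wpdb->"))]
    return ("needs-review" if dynamic else "static-sql"), dynamic


def triage(text):
    """Deduplicate by (file, line, code) and attach a verdict to each survivor."""
    seen, result = {}, []
    for f in parse_report(text):
        key = (f["file"], f["line"], f["code"])
        if key in seen:
            seen[key]["duplicates"].append(f["number"])
            continue
        verdict, dynamic = classify(f["code"])
        entry = dict(f, verdict=verdict, dynamic=dynamic, duplicates=[])
        seen[key] = entry
        result.append(entry)
    return result


def summarize(entries):
    """Count of surviving findings per verdict."""
    return dict(Counter(e["verdict"] for e in entries))


# Constructed excerpt: findings 543, 544/545, 570 and 576 as they appear on this page,
# plus a made-up finding 999 that already uses $wpdb->prepare().
SAMPLE_REPORT = r"""
543. Possible SQL injection via string concatenation
File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/includes/migration-phase2.php:196 CWE: CWE-89 Confidence: HIGH
Code:
$wpdb->query("DELETE FROM {$wpdb->usermeta} WHERE meta_key = '_credentials'");

544. Possible SQL injection via string concatenation
File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/includes/register-deregister-post-status.class.php:182 CWE: CWE-89 Confidence: HIGH
Code:
jQuery( 'select[name=\"post_status\"]' ).append( '<option value=\"{$status}\">{$label}</option>' );".$jq_status;

545. Possible SQL injection via string concatenation
File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/includes/register-deregister-post-status.class.php:182 CWE: CWE-89 Confidence: HIGH
Code:
jQuery( 'select[name=\"post_status\"]' ).append( '<option value=\"{$status}\">{$label}</option>' );".$jq_status;

570. Possible SQL injection via string concatenation
File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/src/Admin/PlaceClaimsPage.php:478 CWE: CWE-89 Confidence: HIGH
Code:
$claims = $wpdb->get_results("SELECT * FROM {$table} {$where} ORDER BY claim_date DESC");

576. Possible SQL injection via string concatenation
File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/src/Services/PlaceClaimService.php:639 CWE: CWE-89 Confidence: HIGH
Code:
error_log("CXQ CLAIM: Database insert FAILED: " . $this->wpdb->last_error);

999. Possible SQL injection via string concatenation
File: /var/www/html/wordpress/wp-content/plugins/example/constructed.php:1 CWE: CWE-89 Confidence: HIGH
Code:
$row = $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM {$wpdb->users} WHERE user_login = %s", $login ) );
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_REPORT):
        print(e["number"], e["verdict"], e["dynamic"], "dups:", e["duplicates"])
    print(summarize(triage(SAMPLE_REPORT)))
```

The heuristic errs in one direction only: anything that reaches MySQL with a non-$wpdb variable and no prepare() is kept for a human, while a string built for error_log() or HTML is never mistaken for a query. It does not follow $where back to its definition, so needs-review means exactly that.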


571. Possible SQL injection via string concatenation (also reported as 572 for the same line)

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/src/Core/ErrorHandler.php:54 CWE: CWE-89 Confidence: HIGH

Description: A ternary that appends an optional "Context:" section to an error message. It formats text for a log or an exception; no SQL is constructed.

Code:

$context_str ? "\nContext: " . $context_str : ''

Recommendation: False positive for CWE-89; no change needed. If $context_str can include request data, make sure the finished message is not rendered to a browser unescaped, but that is an output-encoding check for the caller, not a $wpdb->prepare() case.


573. Possible SQL injection via string concatenation (also reported as 574 for the same line)

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/src/Services/UserProfileService.php:305 CWE: CWE-89 Confidence: HIGH

Description: An error message built after a failed username change; it executes no SQL. There is a separate defect on the line: $wpdb->show_errors(false) toggles error display and returns the previous setting as a boolean, so the concatenated suffix is "1" or an empty string, never the database error text the author evidently wanted.

Code:

"Failed to change username from `{$user->user_login}` to `{$new_username}`: " . $wpdb->show_errors(false)

Recommendation: Close the CWE-89 finding as a false positive. Fix the message by appending $wpdb->last_error instead, and keep a message that embeds a caller-chosen $new_username out of HTML output unless it is escaped first.


575. Possible SQL injection via string concatenation (findings 575–588: seven error_log() calls, each reported twice)

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/src/Services/PlaceClaimService.php:613, 639, 653, 671, 1171, 1212, 2017 CWE: CWE-89 Confidence: HIGH

Description: Every flagged line is a call to error_log() building a diagnostic message. Two of them append $this->wpdb->last_error, which is the text of a previous database error rather than a new query; none of them executes SQL.

Code:

error_log("CXQ CLAIM: submitClaim() FAILED - Invalid verification_method: " . $data['verification_method']);
error_log("CXQ CLAIM: Database insert FAILED: " . $this->wpdb->last_error);
error_log("CXQ CLAIM: Sending verification via method: " . $data['verification_method']);
error_log("CXQ CLAIM: User email: " . $user_email);
error_log("CXQ CLAIM: wp_create_user FAILED - error: " . $new_user_id->get_error_message());
error_log("CXQ CLAIM: Database update FAILED: " . $this->wpdb->last_error);
error_log("CXQ Place Claim: Failed to create user - " . $user_id->get_error_message());

Recommendation: False positives for CWE-89. What is worth acting on is the logging itself: line 671 writes a user's e-mail address to the PHP error log, and the last_error lines can carry fragments of failed statements and their values. Gate these behind WP_DEBUG_LOG rather than emitting them in production, and log an identifier instead of the raw e-mail address.


589. Possible SQL injection via string concatenation (findings 589–592: two error_log() calls, each reported twice)

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership/src/Services/WorkflowExecutionService.php:201, 224 CWE: CWE-89 Confidence: HIGH

Description: Both lines log the message from a WP_Error returned by a user update or create call. They write to the error log and build no SQL.

Code:

error_log("Failed to update user: " . $user_id->get_error_message());
error_log("Failed to create user: " . $user_id->get_error_message());

Recommendation: False positives for CWE-89. The only thing to verify is that each call is reached only when is_wp_error($user_id) is true; calling get_error_message() on the integer ID returned on success is a fatal error in the logging path itself.


593. Possible SQL injection via string concatenation (findings 593–620: fourteen lines in the dBug debugging class, each reported twice)

File: /var/www/html/wordpress/wp-content/plugins/cxq-dev-tools/includes/dBug.class.php:112, 117, 119, 126, 127, 142, 165, 207, 243, 246, 293, 303, 314, 388 CWE: CWE-89 Confidence: HIGH

Description: dBug is a variable-dumping utility that renders arrays, objects and database resources as HTML tables. The flagged lines assemble that HTML (table, row and cell markup carrying a variable's name, type and value) or, at line 293, the name of a database-driver function to call; none of them builds or runs a SQL statement.

Code:

$header = $this->getVariableName() . " (" . $header . ")";
echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">
<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>
echo "<tr".$str_d.">
<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>
return ($error." ".$type." type");
echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";
else echo "<tr><td>".$this->error("array").$this->closeTDRow();
echo "[function]".$this->closeTDRow();
else echo "<tr><td>".$this->error("object").$this->closeTDRow();
$db_func = $db."_field_".$arrFields[$j];
echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";
echo "<td>".$fieldrow."</td>\n";
$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: False positives for CWE-89. The real question for a dev-tools plugin is exposure, not query construction: dumped values are written into the page unescaped, and line 388 accumulates a string of PHP source (an echo statement containing an XML node name), which only makes sense if that buffer is later handed to eval(); that path, not SQL, is where untrusted XML would matter. Make sure cxq-dev-tools is not active on production sites and that its output is reachable only by administrators.


621. Possible SQL injection via string concatenation (findings 621–629: nine clean-up statements in WooCommerce's uninstall routine)

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/uninstall.php:56, 60, 93, 94, 96, 97, 122, 125, 129 CWE: CWE-89 Confidence: HIGH

Description: Each statement interpolates only $wpdb table-name properties ($wpdb->comments, $wpdb->posts, $wpdb->postmeta, $wpdb->commentmeta, $wpdb->term_relationships, $wpdb->terms, $wpdb->term_taxonomy, $wpdb->termmeta); every predicate and index name is a literal. These are the data-removal steps WordPress runs when the plugin is deleted, and no request input reaches them.

Code:

$wpdb->query( "ALTER TABLE {$wpdb->comments} DROP INDEX woo_idx_comment_type;" );
$wpdb->query( "ALTER TABLE {$wpdb->comments} DROP INDEX woo_idx_comment_date_type;" );
$wpdb->query( "DELETE FROM {$wpdb->posts} WHERE post_type IN ( 'product', 'product_variation', 'shop_coupon', 'shop_order', 'shop_order_refund' );" );
$wpdb->query( "DELETE meta FROM {$wpdb->postmeta} meta LEFT JOIN {$wpdb->posts} posts ON posts.ID = meta.post_id WHERE posts.ID IS NULL;" );
$wpdb->query( "DELETE FROM {$wpdb->comments} WHERE comment_type IN ( 'order_note' );" );
$wpdb->query( "DELETE meta FROM {$wpdb->commentmeta} meta LEFT JOIN {$wpdb->comments} comments ON comments.comment_ID = meta.comment_id WHERE comments.comment_ID IS NULL;" );
$wpdb->query( "DELETE tr FROM {$wpdb->term_relationships} tr LEFT JOIN {$wpdb->posts} posts ON posts.ID = tr.object_id WHERE posts.ID IS NULL;" );
$wpdb->query( "DELETE t FROM {$wpdb->terms} t LEFT JOIN {$wpdb->term_taxonomy} tt ON t.term_id = tt.term_id WHERE tt.term_id IS NULL;" );
$wpdb->query( "DELETE tm FROM {$wpdb->termmeta} tm LEFT JOIN {$wpdb->term_taxonomy} tt ON tm.term_id = tt.term_id WHERE tt.term_id IS NULL;" );

Recommendation: False positives; there are no values for $wpdb->prepare() to bind, and this is upstream WooCommerce code rather than something the site team maintains. Exclude wp-content/plugins/woocommerce and other third-party plugins from the in-house concatenation rule and track them through their vendors' advisories instead, so that this list only carries findings the team can actually fix.


630. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-core-functions.php:1029 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wc_queued_js .= "\n" . $code . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


631. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-core-functions.php:1029 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wc_queued_js .= "\n" . $code . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


632. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-term-functions.php:288 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if ( $wpdb->query( "INSERT INTO {$wpdb->termmeta} ( term_id, meta_key, meta_value ) SELECT woocommerce_term_id, meta_key, meta_value FROM {$wpdb->prefix}woocommerce_termmeta;" ) ) {

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


633. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-term-functions.php:289 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DROP TABLE IF EXISTS {$wpdb->prefix}woocommerce_termmeta" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


634. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:1086 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if ( $wpdb->query( "INSERT INTO {$wpdb->termmeta} ( term_id, meta_key, meta_value ) SELECT woocommerce_term_id, meta_key, meta_value FROM {$wpdb->prefix}woocommerce_termmeta;" ) ) {

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


635. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:1087 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DROP TABLE IF EXISTS {$wpdb->prefix}woocommerce_termmeta" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


636. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:1105 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}woocommerce_shipping_zones CHANGE `zone_type` `zone_type` VARCHAR(40) NOT NULL DEFAULT '';" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


637. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:1106 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}woocommerce_shipping_zones CHANGE `zone_enabled` `zone_enabled` INT(1) NOT NULL DEFAULT 1;" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


638. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:1192 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "UPDATE {$wpdb->prefix}woocommerce_shipping_zone_locations SET location_code = REPLACE( location_code, '-', '...' );" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


639. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:1263 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->comments} ADD INDEX woo_idx_comment_type (comment_type)" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


640. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:1395 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}woocommerce_downloadable_product_permissions ADD INDEX order_id (order_id)" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


641. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:1866 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wc_download_log DROP FOREIGN KEY `{$foreign_key_name}`" ); // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


642. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:1930 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wc_download_log DROP FOREIGN KEY fk_wc_download_log_permission_id" ); // phpcs:ignore WordPress.WP.PreparedSQL.NotPrepared

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


643. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:1973 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "UPDATE {$wpdb->termmeta} SET meta_key = 'order' WHERE meta_key LIKE 'order_pa_%';" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


644. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:1987 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}woocommerce_downloadable_product_permissions ADD INDEX user_order_remaining_expires (user_id,order_id,downloads_remaining,access_expires)" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


645. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:2112 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wc_product_meta_lookup MODIFY COLUMN `min_price` decimal(19,4) NULL default NULL" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


646. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:2113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wc_product_meta_lookup MODIFY COLUMN `max_price` decimal(19,4) NULL default NULL" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


647. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:2464 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wc_download_log DROP FOREIGN KEY `{$foreign_key_name}`" ); // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


648. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:3125 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->comments} ADD INDEX woo_idx_comment_date_type (comment_date_gmt, comment_type, comment_approved, comment_post_ID)" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


649. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:50 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$existing_file_paths = $wpdb->get_results( "SELECT meta_value, meta_id, post_id FROM {$wpdb->postmeta} WHERE meta_key = '_file_path' AND meta_value != '';" );

Recommendation: Use $wpdb->prepare() with placeholders


650. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:503 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$existing_file_paths = $wpdb->get_results( "SELECT meta_value, meta_id FROM {$wpdb->postmeta} WHERE meta_key = '_file_paths' AND meta_value != '';" );

Recommendation: Use $wpdb->prepare() with placeholders


651. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-update-functions.php:1123 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$old_methods = $wpdb->get_results( "SELECT zone_id, shipping_method_type, shipping_method_order, shipping_method_id FROM {$wpdb->prefix}woocommerce_shipping_zone_shipping_methods;" );

Recommendation: Use $wpdb->prepare() with placeholders


652. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/class-wc-ajax.php:2140 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$menu_orders = wp_list_pluck( $wpdb->get_results( "SELECT ID, menu_order FROM {$wpdb->posts} WHERE post_type = 'product' ORDER BY menu_order ASC, post_title ASC" ), 'menu_order', 'ID' );

Recommendation: Use $wpdb->prepare() with placeholders


653. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/class-wc-install.php:1671 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}woocommerce_downloadable_product_permissions DROP PRIMARY KEY, ADD `permission_id` bigint(20) unsigned NOT NULL PRIMARY KEY AUTO_INCREMENT;" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


654. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/class-wc-install.php:1677 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wc_order_product_lookup DROP PRIMARY KEY, ADD PRIMARY KEY (order_item_id, order_id)" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


655. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/class-wc-install.php:1704 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->comments} ADD INDEX woo_idx_comment_type (comment_type)" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


656. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/class-wc-install.php:1711 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->comments} ADD INDEX woo_idx_comment_date_type (comment_date_gmt, comment_type, comment_approved, comment_post_ID)" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


657. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/class-wc-install.php:2180 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DROP TABLE IF EXISTS {$table}" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


658. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/class-wc-tax.php:945 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE locations FROM {$wpdb->prefix}woocommerce_tax_rate_locations locations LEFT JOIN {$wpdb->prefix}woocommerce_tax_rates rates ON rates.tax_rate_id = locations.tax_rate_id WHERE rates.tax_rate_id IS NULL;" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


659. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/class-wc-tax.php:1215 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "INSERT INTO {$wpdb->prefix}woocommerce_tax_rate_locations ( location_code, tax_rate_id, location_type ) VALUES $sql;" ); // @codingStandardsIgnoreLine.

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


660. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/class-wc-tax.php:362 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$postcode_ranges = $wpdb->get_results( "SELECT tax_rate_id, location_code FROM {$wpdb->prefix}woocommerce_tax_rate_locations WHERE location_type = 'postcode' AND location_code LIKE '%...%';" );

Recommendation: Use $wpdb->prepare() with placeholders


661. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/class-wc-tax.php:1235 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$locations = $wpdb->get_results( "SELECT * FROM `{$wpdb->prefix}woocommerce_tax_rate_locations`" );

Recommendation: Use $wpdb->prepare() with placeholders


662. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/wc-attribute-functions.php:65 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$raw_attribute_taxonomies = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}woocommerce_attribute_taxonomies WHERE attribute_name != '' ORDER BY attribute_name ASC;" );

Recommendation: Use $wpdb->prepare() with placeholders


663. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/lib/packages/Symfony/Component/CssSelector/XPath/Translator.php:67 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'".$element."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


664. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/lib/packages/Symfony/Component/CssSelector/XPath/Translator.php:67 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'".$element."'";

Recommendation: Use $wpdb->prepare() with placeholders


665. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/lib/packages/Symfony/Component/CssSelector/Node/FunctionNode.php:71 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'".$token->getValue()."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


666. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/lib/packages/Symfony/Component/CssSelector/Node/FunctionNode.php:71 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'".$token->getValue()."'";

Recommendation: Use $wpdb->prepare() with placeholders


667. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/lib/packages/Pelago/Emogrifier/CssInliner.php:485 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$css .= "\n\n" . $styleNode->nodeValue;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


668. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/lib/packages/Pelago/Emogrifier/CssInliner.php:485 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$css .= "\n\n" . $styleNode->nodeValue;

Recommendation: Use $wpdb->prepare() with placeholders


669. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/lib/packages/Sabberworm/CSS/OutputFormatter.php:258 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return str_replace("\n", "\n" . $this->indent(), $sSpaceString);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


670. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/lib/packages/Sabberworm/CSS/OutputFormatter.php:258 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return str_replace("\n", "\n" . $this->indent(), $sSpaceString);

Recommendation: Use $wpdb->prepare() with placeholders


671. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/lib/packages/Sabberworm/CSS/Property/Import.php:83 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $oOutputFormat->comments($this) . "@import " . $this->oLocation->render($oOutputFormat)

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


672. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/lib/packages/Sabberworm/CSS/Property/Import.php:83 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $oOutputFormat->comments($this) . "@import " . $this->oLocation->render($oOutputFormat)

Recommendation: Use $wpdb->prepare() with placeholders


673. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/data-stores/class-wc-shipping-zone-data-store.php:321 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$postcode_locations = $wpdb->get_results( "SELECT zone_id, location_code FROM {$wpdb->prefix}woocommerce_shipping_zone_locations WHERE location_type = 'postcode';" );

Recommendation: Use $wpdb->prepare() with placeholders


674. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/data-stores/class-wc-shipping-zone-data-store.php:360 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $wpdb->get_results( "SELECT zone_id, zone_name, zone_order FROM {$wpdb->prefix}woocommerce_shipping_zones order by zone_order ASC, zone_id ASC;" );

Recommendation: Use $wpdb->prepare() with placeholders


675. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/react-admin/wc-admin-update-functions.php:34 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DROP INDEX `status` ON {$wpdb->prefix}wc_order_stats" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


676. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/react-admin/wc-admin-update-functions.php:49 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wc_order_stats DROP COLUMN `total_sales`" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


677. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/react-admin/wc-admin-update-functions.php:51 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wc_order_stats CHANGE COLUMN `gross_total` `total_sales` double DEFAULT 0 NOT NULL" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


678. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/react-admin/wc-admin-update-functions.php:75 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE actions FROM {$wpdb->prefix}wc_admin_note_actions actions INNER JOIN {$wpdb->prefix}wc_admin_notes notes USING (note_id) WHERE actions.name = 'tracking-dismiss' AND notes.name = 'wc-admin-usage-tracking-opt-in'" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


679. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/react-admin/wc-admin-update-functions.php:277 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wc_admin_note_actions DROP COLUMN `is_primary`" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


680. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/react-admin/wc-admin-update-functions.php:295 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wc_order_stats ADD INDEX idx_date_paid_status_parent (date_paid, status, parent_id)" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


681. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/log-handlers/class-wc-log-handler-db.php:105 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $wpdb->query( "TRUNCATE TABLE {$wpdb->prefix}woocommerce_log" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


682. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/widgets/class-wc-widget-price-filter.php:179 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

" . $tax_query_sql['join'] . $meta_query_sql['join'] . "

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


683. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/widgets/class-wc-widget-price-filter.php:182 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

" . $tax_query_sql['where'] . $meta_query_sql['where'] . $search_query_sql . '

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


684. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/widgets/class-wc-widget-price-filter.php:179 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

" . $tax_query_sql['join'] . $meta_query_sql['join'] . "

Recommendation: Use $wpdb->prepare() with placeholders


685. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/widgets/class-wc-widget-price-filter.php:182 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

" . $tax_query_sql['where'] . $meta_query_sql['where'] . $search_query_sql . '

Recommendation: Use $wpdb->prepare() with placeholders


686. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/widgets/class-wc-widget-brand-nav.php:519 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

" . $tax_query_sql['join'] . $meta_query_sql['join'];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


687. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/widgets/class-wc-widget-brand-nav.php:523 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

" . $tax_query_sql['where'] . $meta_query_sql['where'] . '

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


688. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/widgets/class-wc-widget-brand-nav.php:519 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

" . $tax_query_sql['join'] . $meta_query_sql['join'];

Recommendation: Use $wpdb->prepare() with placeholders


689. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/widgets/class-wc-widget-brand-nav.php:523 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

" . $tax_query_sql['where'] . $meta_query_sql['where'] . '

Recommendation: Use $wpdb->prepare() with placeholders


690. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/admin/class-wc-admin-settings.php:682 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<?php echo str_replace( ' id=', " data-placeholder='" . esc_attr__( 'Select a page&hellip;', 'woocommerce' ) . "' style='" . $value['css'] . "' class='" . $value['class'] . "' id=", wp_dropdown_pages( $args ) ); // WPCS: XSS ok. ?> <?php echo $description; // WPCS: XSS ok. ?>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


691. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/admin/class-wc-admin-settings.php:682 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<?php echo str_replace( ' id=', " data-placeholder='" . esc_attr__( 'Select a page&hellip;', 'woocommerce' ) . "' style='" . $value['css'] . "' class='" . $value['class'] . "' id=", wp_dropdown_pages( $args ) ); // WPCS: XSS ok. ?> <?php echo $description; // WPCS: XSS ok. ?>

Recommendation: Use $wpdb->prepare() with placeholders


692. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/export/abstract-wc-csv-exporter.php:384 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$data = "'" . $data;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


693. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/export/abstract-wc-csv-exporter.php:384 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$data = "'" . $data;

Recommendation: Use $wpdb->prepare() with placeholders


694. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/legacy/abstract-wc-legacy-order.php:339 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

update_post_meta( $this->get_id(), "_{$type}_" . $key, $value );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


695. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/legacy/abstract-wc-legacy-order.php:339 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

update_post_meta( $this->get_id(), "_{$type}_" . $key, $value );

Recommendation: Use $wpdb->prepare() with placeholders


696. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/rest-api/Controllers/Version2/class-wc-rest-system-status-tools-v2-controller.php:550 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "TRUNCATE {$wpdb->prefix}woocommerce_sessions" );

Recommendation: Not actionable as written. The only interpolated value is $wpdb->prefix, which is set in wp-config.php and is not controlled by the request, and $wpdb->prepare() cannot bind a table name as a value (the %i identifier placeholder exists only from WordPress 6.2). The check worth doing is that the system status tools endpoint that reaches this TRUNCATE requires an administrator-level capability.


697. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/rest-api/Controllers/Version2/class-wc-rest-system-status-tools-v2-controller.php:552 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$result = absint( $wpdb->query( "DELETE FROM {$wpdb->usermeta} WHERE meta_key='_woocommerce_persistent_cart_" . get_current_blog_id() . "';" ) ); // WPCS: unprepared SQL ok.

Recommendation: Low risk. get_current_blog_id() returns an integer, so the interpolated value cannot carry SQL metacharacters, which is what the "// WPCS: unprepared SQL ok" annotation records. The cleaner form, which also removes the lint suppression, is $wpdb->prepare( "DELETE FROM {$wpdb->usermeta} WHERE meta_key = %s", '_woocommerce_persistent_cart_' . get_current_blog_id() ).


698. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/rest-api/Controllers/Version2/class-wc-rest-system-status-tools-v2-controller.php:564 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->prefix}woocommerce_tax_rates;" );

Recommendation: None. A fixed statement whose only interpolation is $wpdb->prefix (configuration, not input); table names cannot be bound as values before WordPress 6.2's %i placeholder. False positive for CWE-89.


699. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/rest-api/Controllers/Version2/class-wc-rest-system-status-tools-v2-controller.php:565 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->prefix}woocommerce_tax_rate_locations;" );

Recommendation: None. Same shape as the previous finding: a constant DELETE with only $wpdb->prefix interpolated and no request-controlled input. False positive for CWE-89.


700. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/rest-api/Controllers/Version1/class-wc-rest-webhooks-v1-controller.php:522 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

$data->post_password = 'webhook_' . wp_generate_password();

Recommendation: None. False positive for CWE-798: the password is produced at runtime by wp_generate_password(), which returns a random string; the literal 'webhook_' is only a prefix and is not a secret. There is nothing to move to configuration.


701. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/admin/list-tables/class-wc-admin-list-table-orders.php:339 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$html .= "<div><small class='refunded'>-" . $refund['quantity'] . '</small></div><br/>';

Recommendation: Not SQL. This line builds HTML for the admin order list, so the relevant weakness class is output encoding (CWE-79), not CWE-89. $refund['quantity'] is a quantity read from a refund line item; if it is not guaranteed numeric it should be cast with (int) or wrapped in esc_html() before interpolation.


702. Possible SQL injection via string concatenation

Duplicate of finding 701 (same file, line and code); the report lists it a second time.


703. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/admin/reports/class-wc-report-downloads.php:333 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->items     = $wpdb->get_results( "SELECT * {$query_from} {$query_order}" ); // WPCS: cache ok, db call ok, unprepared SQL ok.

Recommendation: Needs verification rather than a rewrite of this line. The query is unprepared, but it is assembled from $query_from and $query_order, which are built elsewhere in the same class; check there that every value enters through $wpdb->prepare() and that the ORDER BY column and direction are matched against an allow-list, since identifiers and keywords cannot be bound as placeholders.


704. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/includes/admin/meta-boxes/views/html-order-items.php:485 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$rates = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}woocommerce_tax_rates ORDER BY tax_rate_name LIMIT 100" );

Recommendation: None. The statement is a fixed string apart from $wpdb->prefix; there is no variable input to bind. False positive.


705. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/packages/action-scheduler/classes/data-stores/ActionScheduler_DBStore.php:1169 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$row_updates      = $wpdb->query( "UPDATE {$wpdb->actionscheduler_actions} SET claim_id = 0 WHERE action_id IN ({$action_id_string})" ); // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Recommendation: Verify at the construction site, not here. Whether this is exploitable depends entirely on how $action_id_string is built, which the line does not show; the phpcs:ignore annotation indicates the author reviewed it. Confirm every element is cast to int before being imploded. The stricter pattern is to generate one %d placeholder per id and pass the id array to $wpdb->prepare(), which keeps the guarantee next to the query.


706. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/packages/action-scheduler/classes/data-stores/ActionScheduler_wpCommentLogger.php:203 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$count    = $wpdb->get_results( "SELECT comment_approved, COUNT( * ) AS num_comments FROM {$wpdb->comments} WHERE comment_type NOT IN('order_note','action_log') GROUP BY comment_approved", ARRAY_A );

Recommendation: None. The only interpolation is the core table name $wpdb->comments and the rest of the statement is constant. False positive.


707. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/packages/blueprint/src/ResourceStorages/LocalPluginResourceStorage.php:42 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$full_path = $path . "/{$this->suffix}/" . $slug . '.zip';

Recommendation: Not SQL. The line builds a filesystem path for a plugin zip. The weakness class that applies is path traversal (CWE-22): confirm $slug is validated as a plain plugin slug (sanitize_key() or an [A-Za-z0-9_-]+ match) before it reaches this line. No database call is involved.


708. Possible SQL injection via string concatenation

Duplicate of finding 707 (same file, line and code); the report lists it a second time.


709. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/packages/email-editor/vendor-prefixed/packages/Symfony/Component/CssSelector/XPath/Translator.php:67 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'".$element."'";

Recommendation: None for CWE-89. This is vendored Symfony CssSelector code producing a single-quoted XPath string literal while translating a CSS selector; no database query is built. Keep the vendored copy in step with upstream releases rather than patching it locally.


710. Possible SQL injection via string concatenation

Duplicate of finding 709 (same file, line and code); the report lists it a second time.


711. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/packages/email-editor/vendor-prefixed/packages/Symfony/Component/CssSelector/Node/FunctionNode.php:71 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'".$token->getValue()."'";

Recommendation: None for CWE-89. Vendored Symfony CssSelector code rendering a token value as a quoted string for the node's string form; no database involvement.


712. Possible SQL injection via string concatenation

Duplicate of finding 711 (same file, line and code); the report lists it a second time.


713. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/packages/email-editor/vendor-prefixed/packages/Pelago/Emogrifier/CssInliner.php:485 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$css .= "\n\n" . $styleNode->nodeValue;

Recommendation: None for CWE-89. The Emogrifier CSS inliner is collecting the text of style elements from the HTML it processes; the result is CSS, not SQL.


714. Possible SQL injection via string concatenation

Duplicate of finding 713 (same file, line and code); the report lists it a second time.


715. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/packages/email-editor/vendor-prefixed/packages/Sabberworm/CSS/OutputFormatter.php:258 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return str_replace("\n", "\n" . $this->indent(), $sSpaceString);

Recommendation: None for CWE-89. Sabberworm's OutputFormatter is re-indenting CSS output; no database involvement.


716. Possible SQL injection via string concatenation

Duplicate of finding 715 (same file, line and code); the report lists it a second time.


717. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/packages/email-editor/vendor-prefixed/packages/Sabberworm/CSS/Property/Import.php:83 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $oOutputFormat->comments($this) . "@import " . $this->oLocation->render($oOutputFormat)

Recommendation: None for CWE-89. This renders a CSS @import rule back to text; no database involvement.


718. Possible SQL injection via string concatenation

Duplicate of finding 717 (same file, line and code); the report lists it a second time.


719. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/packages/email-editor/src/Engine/Renderer/class-html2text.php:374 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\n" . $text;

Recommendation: None for CWE-89. The HTML-to-text renderer is prepending a newline to converted text; no database involvement.


720. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/packages/email-editor/src/Engine/Renderer/class-html2text.php:614 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output = "\n" . $output;

Recommendation: None for CWE-89. Same renderer, same newline handling; no query is built.


721. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/packages/email-editor/src/Engine/Renderer/class-html2text.php:625 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output = "\n" . $output . "\n\n";

Recommendation: None for CWE-89. Same renderer, wrapping converted output in newlines; no query is built.


722. Possible SQL injection via string concatenation

Duplicate of finding 719 (same file, line and code); the report lists it a second time.


723. Possible SQL injection via string concatenation

Duplicate of finding 720 (same file, line and code); the report lists it a second time.


724. Possible SQL injection via string concatenation

Duplicate of finding 721 (same file, line and code); the report lists it a second time.


725. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CostOfGoodsSold/CostOfGoodsSoldController.php:112 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wc_product_meta_lookup ADD COLUMN cogs_total_value DECIMAL(19,4)" );

Recommendation: Not actionable. This is DDL with a fixed table and column name; only $wpdb->prefix is interpolated, and no placeholder type covers ALTER TABLE ... ADD COLUMN. The point to check is that this statement runs only from the feature's install/upgrade path, not from a request handler.


726. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CostOfGoodsSold/CostOfGoodsSoldController.php:131 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wc_product_meta_lookup DROP COLUMN cogs_total_value" );

Recommendation: Not actionable. Fixed DDL (DROP COLUMN) with only $wpdb->prefix interpolated; nothing here can be parameterised. Confirm it is reachable only from the feature's disable/uninstall path.


727. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/ProductAttributesLookup/DataRegenerator.php:145 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "TRUNCATE TABLE {$this->lookup_table_name}" ); // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Recommendation: Confirm the property, not the query. $this->lookup_table_name is set by the class (the phpcs:disable annotation records that the author relied on this); the statement is safe as long as the property is only ever assigned from $wpdb->prefix plus a constant, which the constructor should show. Table names cannot be bound as values before WordPress 6.2's %i placeholder.


728. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/ProductAttributesLookup/Filterer.php:337 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

" . $tax_query_sql['join'] . $meta_query_sql['join'];

Recommendation: Verify the fragment sources. By their names, $tax_query_sql and $meta_query_sql are the arrays returned by WP_Tax_Query::get_sql() and WP_Meta_Query::get_sql(), whose join and where clauses core already prepares and escapes; splicing them into a query is the same pattern WP_Query uses. Confirm that is where they come from and close the finding if so.


729. Possible SQL injection via string concatenation

Duplicate of finding 728 (same file, line and code); the report lists it a second time.


730. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/ProductAttributesLookup/LookupDataStore.php:341 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"Lookup data creation (not optimized) failed for product $product_id: " . $e->getMessage(),

Recommendation: None for CWE-89. This is a log message passed to the logger, combining an integer product ID and an exception message; no query is built.


731. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/ProductAttributesLookup/LookupDataStore.php:830 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

->error( "Lookup data creation (optimized) failed for product $product_id: " . $e->getMessage(), $data );

Recommendation: None for CWE-89. Log message passed to the logger's error() method; no query is built.


732. Possible SQL injection via string concatenation

Duplicate of finding 730 (same file, line and code); the report lists it a second time.


733. Possible SQL injection via string concatenation

Duplicate of finding 731 (same file, line and code); the report lists it a second time.


734. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/Admin/CategoryLookup.php:95 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "INSERT IGNORE INTO $wpdb->wc_category_lookup (category_tree_id,category_id) VALUES ({$insert_string})" ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Recommendation: Verify at the construction site. The line does not show how $insert_string is formed; the phpcs:ignore annotation records that the author considered it. Confirm that every value in the (category_tree_id, category_id) tuples is cast to int before being imploded, since both are term IDs; that cast is the complete fix. Alternatively build one %d placeholder per value and pass the flat array to $wpdb->prepare().


735. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/Admin/CategoryLookup.php:196 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "INSERT IGNORE INTO $wpdb->wc_category_lookup (category_id, category_tree_id) VALUES {$insert_string}" ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Recommendation: Verify how $insert_string is built, as for the other INSERT IGNORE in this file. Term IDs are integers, so an int cast on each value at construction time is sufficient; a prepare() call with one %d placeholder per value is the stricter alternative. Not confirmed from this line.


736. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/Fulfillments/FulfillmentsController.php:74 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DROP TABLE IF EXISTS {$wpdb->prefix}wc_order_fulfillments" );

Recommendation: None. Fixed DDL with only $wpdb->prefix interpolated; nothing to bind. Confirm it is reached only from the feature's uninstall/cleanup path.


737. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/Fulfillments/FulfillmentsController.php:75 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DROP TABLE IF EXISTS {$wpdb->prefix}wc_order_fulfillment_meta" );

Recommendation: None. Same as the preceding DROP TABLE: fixed name, only $wpdb->prefix interpolated, reachable only from cleanup code.


738. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/Utilities/DatabaseUtil.php:78 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $wpdb->query( "DROP TABLE IF EXISTS `{$table_name}`" );

Recommendation: Genuine identifier interpolation, but into DDL that no value placeholder can cover, and backticks do not neutralise a backtick inside $table_name. This utility must only ever be called with code-supplied names ($wpdb->prefix followed by a constant); check every caller, and reject anything that fails /^[A-Za-z0-9_]+$/ inside the function. On WordPress 6.2+ the same statement can be written $wpdb->prepare( 'DROP TABLE IF EXISTS %i', $table_name ), which quotes and escapes the identifier.


739. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/Utilities/DatabaseUtil.php:304 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$conditions[] = "`$column` = " . $where_format[ $index ];

Recommendation: Read as template construction, not value injection. $where_format[ $index ] is a format specifier (%s, %d or %f), so the line produces a fragment such as `col` = %d that is later passed to $wpdb->prepare() together with the values. The remaining concern is $column, which is an identifier and cannot be bound: every caller of this helper must pass column names from code rather than from input.


740. Possible SQL injection via string concatenation

Duplicate of finding 739 (same file, line and code); the report lists it a second time.


741. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/Abilities/REST/RestAbilityFactory.php:85 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"Failed to register ability {$ability_config['id']}: " . $e->getMessage(),

Recommendation: None for CWE-89. Log message built from an ability ID and an exception message; no query is built.


742. Possible SQL injection via string concatenation

Duplicate of finding 741 (same file, line and code); the report lists it a second time.


743. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/Admin/Orders/ListTable.php:518 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->order_query_args['date_created'] = "$year-$month-01..." . $last_day_of_month;

Recommendation: Not raw SQL. This sets a date_created range argument that the orders query layer parses and prepares itself. Check that $year and $month are integers (they are typically derived from the admin month filter and should be cast with absint()), which also keeps the range string well formed. No $wpdb call is on this line.


744. Possible SQL injection via string concatenation

Duplicate of finding 743 (same file, line and code); the report lists it a second time.


745. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/Admin/Logging/LogHandlerFileV2.php:142 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$source = "$type-" . $info['filename'];

Recommendation: None for CWE-89. This builds a log source name from a type and a pathinfo() component; no query is built. If $info is derived from a user-supplied file name, the relevant concern is path handling where that name is resolved, not this line.


746. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/Admin/Logging/LogHandlerFileV2.php:144 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$source = "$type-" . $info['dirname'];

Recommendation: None for CWE-89. Same log source construction using the directory component; no query is built.


747. Possible SQL injection via string concatenation

Duplicate of finding 745 (same file, line and code); the report lists it a second time.


748. Possible SQL injection via string concatenation

Duplicate of finding 746 (same file, line and code); the report lists it a second time.


749. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/DataStores/Orders/OrdersTableMetaQuery.php:561 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$meta_compare_string = $meta_compare_string_start . "AND $subquery_alias.meta_key = %s " . $meta_compare_string_end;

Recommendation: None for this line. It assembles a fragment that contains a %s placeholder, so it is the input to a later $wpdb->prepare() call where the meta key value is bound; the scanner matched the concatenation, not an injection. $subquery_alias is a generated table alias; confirm it is never derived from the meta query's key or value fields.


750. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/DataStores/Orders/OrdersTableMetaQuery.php:565 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$meta_compare_string = $meta_compare_string_start . "AND $subquery_alias.meta_key LIKE %s " . $meta_compare_string_end;

Recommendation: None for this line; the same template construction with a %s placeholder, here for a LIKE comparison. Confirm the bound pattern is passed through $wpdb->esc_like() before prepare() so that % and _ in a key are matched literally.


751. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/DataStores/Orders/OrdersTableMetaQuery.php:572 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$meta_compare_string = $meta_compare_string_start . "AND $subquery_alias.meta_key IN " . $array_subclause . $meta_compare_string_end;

Recommendation: Verify $array_subclause. The rest of the fragment is a template, but the IN list is spliced in as text, so it must itself consist of placeholders (one %s per key) with the keys bound in the later prepare() call; check where it is built.


752. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/DataStores/Orders/OrdersTableMetaQuery.php:583 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$meta_compare_string = $meta_compare_string_start . "AND $subquery_alias.meta_key REGEXP $cast %s " . $meta_compare_string_end;

Recommendation: None for this line. Template with a %s placeholder for the REGEXP pattern; $cast is a CAST/BINARY modifier chosen by the compare operator from a fixed set. Confirm $cast and $subquery_alias cannot be influenced by the meta query's key or value fields.


753. Possible SQL injection via string concatenation

Duplicate of finding 749 (same file, line and code); the report lists it a second time.


754. Possible SQL injection via string concatenation

Duplicate of finding 750 (same file, line and code); the report lists it a second time.


755. Possible SQL injection via string concatenation

Duplicate of finding 751 (same file, line and code); the report lists it a second time.


756. Possible SQL injection via string concatenation

Duplicate of finding 752 (same file, line and code); the report lists it a second time.


757. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/DataStores/Orders/DataSynchronizer.php:879 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->prefix}wc_orders_meta WHERE id IN {$order_id_rows_as_sql_list}" );

Recommendation: Verify at the construction site. Exploitability depends on how $order_id_rows_as_sql_list is built, which this line does not show; confirm it is a parenthesised implode() of integer-cast IDs, as the name suggests. The stricter alternative is one %d placeholder per id with the id array passed to $wpdb->prepare().

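Added example (not code from WooCommerce or from this report) showing what "use $wpdb->prepare() with placeholders" looks like for the three shapes this section keeps flagging: the IN lists of findings 705, 734, 735 and 757, the concatenated meta_key value of finding 697, and the interpolated table name of finding 738. It assumes a running WordPress install that provides $wpdb, get_current_blog_id() and get_bloginfo(); the example_* function names and the wc_orders_meta target table are illustrative.

```php
<?php
// Added example, not WooCommerce code. It shows the placeholder shapes
// the "use $wpdb->prepare()" recommendation in this report actually needs:
// one %d per list element, %s for a value (with esc_like() for LIKE), and
// %i (WordPress 6.2+) for an identifier. Assumes a running WordPress
// install (global $wpdb, get_current_blog_id(), get_bloginfo()); the
// example_* function names are illustrative.

/**
 * DELETE ... WHERE id IN ( ... ) with one %d placeholder per id.
 * Replaces the "WHERE id IN {$list_built_elsewhere}" pattern: the
 * guarantee that every element is an integer lives next to the query.
 */
function example_delete_meta_rows( array $ids ) {
    global $wpdb;

    $ids = array_values( array_filter( array_map( 'intval', $ids ), fn( $id ) => $id > 0 ) );
    if ( empty( $ids ) ) {
        return 0; // "IN ()" is a syntax error, so an empty list deletes nothing.
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );

    // Only the literal "%d,%d,..." string is interpolated; prepare() binds the ids.
    // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
    $sql = $wpdb->prepare( "DELETE FROM {$wpdb->prefix}wc_orders_meta WHERE id IN ({$placeholders})", $ids );

    return $wpdb->query( $sql );
}

/**
 * A value that happens to be built by concatenation still goes through %s.
 * Equivalent of the persistent-cart DELETE flagged in this section, without
 * the "unprepared SQL ok" suppression.
 */
function example_delete_persistent_carts() {
    global $wpdb;

    $meta_key = '_woocommerce_persistent_cart_' . get_current_blog_id();

    return $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$wpdb->usermeta} WHERE meta_key = %s", $meta_key )
    );
}

/**
 * LIKE needs two steps: esc_like() makes % and _ in the caller's part
 * literal, then %s binds the finished pattern.
 */
function example_count_meta_keys_with_prefix( $key_prefix ) {
    global $wpdb;

    $pattern = $wpdb->esc_like( $key_prefix ) . '%';

    return (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->prefix}wc_orders_meta WHERE meta_key LIKE %s", $pattern )
    );
}

/**
 * Identifiers cannot be bound as values. On WordPress 6.2+ the %i
 * placeholder backtick-quotes and escapes the name; on older cores the
 * only option is to validate the name and then interpolate it. Either way
 * the name must come from code, never from a request.
 */
function example_drop_table( $table_name ) {
    global $wpdb;

    if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $table_name ) ) {
        return false; // Refuse anything that is not a plain identifier.
    }

    if ( version_compare( get_bloginfo( 'version' ), '6.2', '>=' ) ) {
        return $wpdb->query( $wpdb->prepare( 'DROP TABLE IF EXISTS %i', $table_name ) );
    }

    // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
    return $wpdb->query( "DROP TABLE IF EXISTS `{$table_name}`" );
}
```

The phpcs:ignore lines are needed because the WordPress coding standard cannot see that the interpolated string is only placeholders or an already validated identifier; keeping the comment on the line above the query is what lets a reviewer, or a scanner like the one that produced this report, see why the suppression is justified.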

758. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CLI/Migrator/Core/WooCommerceProductImporter.php:135 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

wc_get_logger()->error( "Validation failed for product: {$product_name} - " . $validation_result['message'], array( 'source' => 'wc-migrator' ) );

Recommendation: None for CWE-89. Log message passed to wc_get_logger()->error(); no query is built.


759. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CLI/Migrator/Core/WooCommerceProductImporter.php:208 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"Exception importing product: {$product_name} after {$duration}s - " . $e->getMessage(),

Recommendation: None for CWE-89. Log message combining a product name, a duration and an exception message; no query is built.


760. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CLI/Migrator/Core/WooCommerceProductImporter.php:640 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

wc_get_logger()->warning( "Failed to create attribute '{$attr_name}': " . $attribute_id->get_error_message(), array( 'source' => 'wc-migrator' ) );

Recommendation: None for CWE-89. Log message passed to wc_get_logger()->warning(); no query is built.


761. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CLI/Migrator/Core/WooCommerceProductImporter.php:686 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

wc_get_logger()->warning( "Failed to insert term '{$value}' (slug: {$term_slug}) into {$taxonomy_name}: " . $term_result->get_error_message(), array( 'source' => 'wc-migrator' ) );

Recommendation: None for CWE-89. Log message reporting a failed wp_insert_term() style call; no query is built on this line.


762. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CLI/Migrator/Core/WooCommerceProductImporter.php:965 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

wc_get_logger()->warning( "Failed to insert term '{$term_name}' (slug: {$term_slug}) into {$taxonomy}: " . $term_result->get_error_message(), array( 'source' => 'wc-migrator' ) );

Recommendation: None for CWE-89. Same kind of log message as the previous finding; no query is built.


763. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CLI/Migrator/Core/WooCommerceProductImporter.php:1024 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

wc_get_logger()->error( "Error uploading {$image_url}: " . $attachment_id->get_error_message() . " (Duration: {$duration}s)", array( 'source' => 'wc-migrator' ) );

Recommendation: None for CWE-89. Log message about an image upload failure; no query is built. If $image_url is attacker-supplied, the concern is where the URL is fetched, not this line.


764. Possible SQL injection via string concatenation

Duplicate of finding 758 (same file, line and code); the report lists it a second time.


765. Possible SQL injection via string concatenation

Duplicate of finding 759 (same file, line and code); the report lists it a second time.


766. Possible SQL injection via string concatenation

Duplicate of finding 760 (same file, line and code); the report lists it a second time.


767. Possible SQL injection via string concatenation

Duplicate of finding 761 (same file, line and code); the report lists it a second time.


768. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CLI/Migrator/Core/WooCommerceProductImporter.php:965 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

wc_get_logger()->warning( "Failed to insert term '{$term_name}' (slug: {$term_slug}) into {$taxonomy}: " . $term_result->get_error_message(), array( 'source' => 'wc-migrator' ) );

Recommendation: Use $wpdb->prepare() with placeholders


769. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CLI/Migrator/Core/WooCommerceProductImporter.php:1024 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

wc_get_logger()->error( "Error uploading {$image_url}: " . $attachment_id->get_error_message() . " (Duration: {$duration}s)", array( 'source' => 'wc-migrator' ) );

Recommendation: Use $wpdb->prepare() with placeholders


770. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CLI/Migrator/Core/ProductsController.php:786 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"DRY RUN: Could not update import stats for '{$stat_key}': " . $e->getMessage(),

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


771. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CLI/Migrator/Core/ProductsController.php:786 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"DRY RUN: Could not update import stats for '{$stat_key}': " . $e->getMessage(),

Recommendation: Use $wpdb->prepare() with placeholders


772. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CLI/Migrator/Platforms/Shopify/ShopifyClient.php:168 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"REST request to {$path} failed with status code {$response_code}: " . $error_message

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


773. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CLI/Migrator/Platforms/Shopify/ShopifyClient.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"GraphQL request failed with status code {$response_code}: " . $error_message

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


774. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CLI/Migrator/Platforms/Shopify/ShopifyClient.php:168 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"REST request to {$path} failed with status code {$response_code}: " . $error_message

Recommendation: Use $wpdb->prepare() with placeholders


775. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/CLI/Migrator/Platforms/Shopify/ShopifyClient.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"GraphQL request failed with status code {$response_code}: " . $error_message

Recommendation: Use $wpdb->prepare() with placeholders


776. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/ProductDownloads/ApprovedDirectories/Register.php:448 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if ( ! $wpdb->query( "DELETE FROM {$this->get_table()}" ) ) { // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


777. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/ProductDownloads/ApprovedDirectories/Register.php:501 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if ( ! $wpdb->query( "UPDATE {$this->get_table()} SET enabled = 1" ) ) { // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


778. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Internal/ProductDownloads/ApprovedDirectories/Register.php:518 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if ( ! $wpdb->query( "UPDATE {$this->get_table()} SET enabled = 0" ) ) {

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


779. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Blocks/BlockTypes/CustomerAccount.php:157 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<a " . $aria_label . " href='" . esc_attr( $account_link ) . "'>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


780. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Blocks/BlockTypes/CustomerAccount.php:157 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<a " . $aria_label . " href='" . esc_attr( $account_link ) . "'>

Recommendation: Use $wpdb->prepare() with placeholders


781. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Blocks/BlockTypes/CheckoutOrderSummaryBlock.php:64 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$order_summary_totals_content .= "\n" . $inner_block_content;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


782. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Blocks/BlockTypes/CheckoutOrderSummaryBlock.php:64 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$order_summary_totals_content .= "\n" . $inner_block_content;

Recommendation: Use $wpdb->prepare() with placeholders


783. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Blocks/BlockTypes/CartOrderSummaryBlock.php:63 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$order_summary_totals_content .= "\n" . $inner_block_content;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


784. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Blocks/BlockTypes/CartOrderSummaryBlock.php:63 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$order_summary_totals_content .= "\n" . $inner_block_content;

Recommendation: Use $wpdb->prepare() with placeholders


785. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Blocks/BlockTypes/AbstractProductGrid.php:416 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$product_variations      = $wpdb->get_results( "SELECT ID as variation_id, post_parent as product_id from {$wpdb->posts} WHERE post_parent IN ( " . implode( ',', $prime_product_ids ) . ' )', ARRAY_A );

Recommendation: Use $wpdb->prepare() with placeholders


786. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Admin/Features/Blueprint/Exporters/ExportWCSettingsShipping.php:132 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->get_results( "SELECT * FROM {$wpdb->prefix}woocommerce_shipping_zones", ARRAY_A )

Recommendation: Use $wpdb->prepare() with placeholders


787. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Admin/Features/Blueprint/Exporters/ExportWCSettingsShipping.php:146 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->get_results( "SELECT * FROM {$wpdb->prefix}woocommerce_shipping_zone_locations", ARRAY_A )

Recommendation: Use $wpdb->prepare() with placeholders


788. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Admin/Features/Blueprint/Exporters/ExportWCSettingsShipping.php:158 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$methods        = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}woocommerce_shipping_zone_methods", ARRAY_A );

Recommendation: Use $wpdb->prepare() with placeholders


789. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Admin/API/Reports/Orders/Stats/DataStore.php:253 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$where_filters[] = "{$orders_stats_table}.order_id IN (" . $attribute_subquery->get_query_statement() . ')';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


790. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/src/Admin/API/Reports/Orders/Stats/DataStore.php:253 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$where_filters[] = "{$orders_stats_table}.order_id IN (" . $attribute_subquery->get_query_statement() . ')';

Recommendation: Use $wpdb->prepare() with placeholders


791. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/templates/emails/plain/email-order-details.php:64 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo wp_kses_post( $total['label'] . "\t " . $total['value'] ) . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


792. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce/templates/emails/plain/email-order-details.php:64 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo wp_kses_post( $total['label'] . "\t " . $total['value'] ) . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


793. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/temp_integration_test_page.php:130 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->fail("$class: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


794. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/temp_integration_test_page.php:372 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<li style='color: red;'>" . $result['message'] . "</li>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


795. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/temp_integration_test_page.php:130 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->fail("$class: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


796. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/temp_integration_test_page.php:372 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<li style='color: red;'>" . $result['message'] . "</li>";

Recommendation: Use $wpdb->prepare() with placeholders


797. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/temp_integration_test.php:122 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->fail("$class: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


798. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/temp_integration_test.php:122 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->fail("$class: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


799. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:112 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


800. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:117 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


801. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


802. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:126 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


803. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


804. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:142 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


805. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


806. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:207 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


807. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:243 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


808. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:246 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


809. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:293 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


810. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:303 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


811. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:314 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


812. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:388 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


813. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:112 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders


814. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:117 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders


815. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


816. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:126 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders


817. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


818. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:142 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders


819. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders


820. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:207 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


821. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:243 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


822. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:246 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


823. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:293 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders


824. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:303 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders


825. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:314 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders


826. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/dev/dBug.class.php:388 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders


827. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/core/PluginInstaller.class.php:182 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->add_notice('error',"Installation of $type `{$slug}` failed (".$installed->get_error_message().')');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


828. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/core/PluginInstaller.class.php:182 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->add_notice('error',"Installation of $type `{$slug}` failed (".$installed->get_error_message().')');

Recommendation: Use $wpdb->prepare() with placeholders


829. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/core/WordpressPages.class.php:80 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->add_notice('info', "Page already exists:" . $title_of_the_page);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


830. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/core/WordpressPages.class.php:109 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->add_notice('success', "Created page_id=". $page_id." for page '".$title_of_the_page);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


831. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/core/WordpressPages.class.php:80 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->add_notice('info', "Page already exists:" . $title_of_the_page);

Recommendation: Use $wpdb->prepare() with placeholders


832. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/.old-4.3.08/includes/core/WordpressPages.class.php:109 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->add_notice('success', "Created page_id=". $page_id." for page '".$title_of_the_page);

Recommendation: Use $wpdb->prepare() with placeholders


833. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:112 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


834. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:117 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


835. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


836. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:126 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


837. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


838. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:142 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


839. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


840. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:207 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


841. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:243 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


842. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:246 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


843. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:293 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


844. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:303 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


845. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:314 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


846. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:388 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


847. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:112 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders


848. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:117 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders


849. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


850. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:126 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders


851. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


852. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:142 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders


853. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders


854. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:207 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


855. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:243 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


856. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:246 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


857. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:293 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders


858. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:303 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders


859. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:314 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders


860. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/dev/dBug.class.php:388 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders


861. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/core/PluginInstaller.class.php:236 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->add_notice('error',"Installation of $type `{$slug}` failed (".$installed->get_error_message().')');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


862. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/core/PluginInstaller.class.php:236 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->add_notice('error',"Installation of $type `{$slug}` failed (".$installed->get_error_message().')');

Recommendation: Use $wpdb->prepare() with placeholders


863. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/core/WordpressPages.class.php:83 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->add_notice('info', "Page already exists:" . $title_of_the_page);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


864. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/core/WordpressPages.class.php:112 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->add_notice('success', "Created page_id=". $page_id." for page '".$title_of_the_page);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


865. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/core/WordpressPages.class.php:83 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->add_notice('info', "Page already exists:" . $title_of_the_page);

Recommendation: Use $wpdb->prepare() with placeholders


866. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-client/includes/core/WordpressPages.class.php:112 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->add_notice('success', "Created page_id=". $page_id." for page '".$title_of_the_page);

Recommendation: Use $wpdb->prepare() with placeholders


867. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/app/Common/Admin/Admin.php:415 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$htmlCount  = $htmlCount ? "<div class=\"{$classes}\">" . $htmlCount . '</div>' : '';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


868. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/app/Common/Admin/Admin.php:415 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$htmlCount  = $htmlCount ? "<div class=\"{$classes}\">" . $htmlCount . '</div>' : '';

Recommendation: Use $wpdb->prepare() with placeholders


869. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/app/Common/Utils/Database.php:418 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$results = $this->db->get_results( "SHOW TABLES LIKE '" . $table . "'" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


870. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/app/Common/Utils/Database.php:418 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$results = $this->db->get_results( "SHOW TABLES LIKE '" . $table . "'" );

Recommendation: Use $wpdb->prepare() with placeholders


871. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/app/Common/Core/Core.php:147 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->posts} WHERE post_type = 'aioseo-location'" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


872. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/app/Common/Core/Core.php:148 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->term_taxonomy} WHERE taxonomy = 'aioseo-location-category'" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


873. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/app/Common/Core/Core.php:151 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE 'aioseo\_%'" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


874. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/app/Common/Core/Core.php:154 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE '\_aioseo\_%'" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


875. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/app/Common/Core/Core.php:155 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE 'aioseo\_%'" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


876. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/app/Common/Core/Core.php:158 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->prefix}actionscheduler_actions WHERE hook LIKE 'aioseo\_%'" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


877. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/app/Common/Core/Core.php:159 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->prefix}actionscheduler_groups WHERE slug = 'aioseo'" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


878. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/app/Common/Meta/Links.php:152 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$url = trailingslashit( get_permalink() ) . user_trailingslashit( "$wp_rewrite->pagination_base/" . $number, 'single_paged' );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


879. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/app/Common/Meta/Links.php:152 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$url = trailingslashit( get_permalink() ) . user_trailingslashit( "$wp_rewrite->pagination_base/" . $number, 'single_paged' );

Recommendation: Use $wpdb->prepare() with placeholders


880. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/vendor_prefixed/monolog/monolog/src/Monolog/Formatter/LineFormatter.php:123 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$str .= "\n[stacktrace]\n" . $e->getTraceAsString() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


881. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/vendor_prefixed/monolog/monolog/src/Monolog/Formatter/LineFormatter.php:123 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$str .= "\n[stacktrace]\n" . $e->getTraceAsString() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


882. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/vendor_prefixed/monolog/monolog/src/Monolog/Formatter/HtmlFormatter.php:49 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<tr style=\"padding: 4px;text-align: left;\">\n<th style=\"vertical-align: top;background: #ccc;color: #000\" width=\"100\">{$th}:</th>\n<td style=\"padding: 4px;text-align: left;vertical-align: top;background: #eee;color: #000\">" . $td . "</td>\n</tr>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


883. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/vendor_prefixed/monolog/monolog/src/Monolog/Formatter/HtmlFormatter.php:49 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<tr style=\"padding: 4px;text-align: left;\">\n<th style=\"vertical-align: top;background: #ccc;color: #000\" width=\"100\">{$th}:</th>\n<td style=\"padding: 4px;text-align: left;vertical-align: top;background: #eee;color: #000\">" . $td . "</td>\n</tr>";

Recommendation: Use $wpdb->prepare() with placeholders


884. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/vendor_prefixed/monolog/monolog/src/Monolog/Handler/IFTTTHandler.php:50 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

\curl_setopt($ch, \CURLOPT_URL, "https://maker.ifttt.com/trigger/" . $this->eventName . "/with/key/" . $this->secretKey);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


885. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/vendor_prefixed/monolog/monolog/src/Monolog/Handler/IFTTTHandler.php:50 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

\curl_setopt($ch, \CURLOPT_URL, "https://maker.ifttt.com/trigger/" . $this->eventName . "/with/key/" . $this->secretKey);

Recommendation: Use $wpdb->prepare() with placeholders


886. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/vendor_prefixed/monolog/monolog/src/Monolog/Handler/SyslogUdpHandler.php:78 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<{$priority}>" . $date . " " . $hostname . " " . $this->ident . "[" . $pid . "]: ";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


887. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/vendor_prefixed/monolog/monolog/src/Monolog/Handler/SyslogUdpHandler.php:80 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<{$priority}>1 " . $date . " " . $hostname . " " . $this->ident . " " . $pid . " - - ";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


888. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/vendor_prefixed/monolog/monolog/src/Monolog/Handler/SyslogUdpHandler.php:78 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<{$priority}>" . $date . " " . $hostname . " " . $this->ident . "[" . $pid . "]: ";

Recommendation: Use $wpdb->prepare() with placeholders


889. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/vendor_prefixed/monolog/monolog/src/Monolog/Handler/SyslogUdpHandler.php:80 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<{$priority}>1 " . $date . " " . $hostname . " " . $this->ident . " " . $pid . " - - ";

Recommendation: Use $wpdb->prepare() with placeholders


890. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/vendor_prefixed/monolog/monolog/src/Monolog/Handler/FlowdockHandler.php:107 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = "POST /v1/messages/team_inbox/" . $this->apiToken . " HTTP/1.1\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


891. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-seo-pack-pro/vendor_prefixed/monolog/monolog/src/Monolog/Handler/FlowdockHandler.php:107 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = "POST /v1/messages/team_inbox/" . $this->apiToken . " HTTP/1.1\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


892. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/akismet/class.akismet.php:742 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->comments} WHERE comment_id IN ( " . $format_string . ' )', $comment_ids ) );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


893. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/akismet/class.akismet.php:743 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->commentmeta} WHERE comment_id IN ( " . $format_string . ' )', $comment_ids ) );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


894. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/akismet/class.akismet.php:755 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "OPTIMIZE TABLE {$wpdb->comments}" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


895. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/akismet/class.akismet.php:788 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "OPTIMIZE TABLE {$wpdb->commentmeta}" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


896. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/akismet/class.akismet.php:828 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "OPTIMIZE TABLE {$wpdb->commentmeta}" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


897. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/akismet/class.akismet.php:862 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return (int) $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->comments} WHERE user_id = %d AND comment_approved = 1" . $comment_type_where, $user_id ) );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


898. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/akismet/class.akismet.php:866 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return (int) $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->comments} WHERE comment_author_email = %s AND comment_author = %s AND comment_author_url = %s AND comment_approved = 1" . $comment_type_where, $comment_author_email, $comment_author, $comment_author_url ) );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


899. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/akismet/class.akismet.php:742 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->comments} WHERE comment_id IN ( " . $format_string . ' )', $comment_ids ) );

Recommendation: Use $wpdb->prepare() with placeholders


900. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/akismet/class.akismet.php:743 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->commentmeta} WHERE comment_id IN ( " . $format_string . ' )', $comment_ids ) );

Recommendation: Use $wpdb->prepare() with placeholders


901. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/akismet/class.akismet.php:862 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return (int) $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->comments} WHERE user_id = %d AND comment_approved = 1" . $comment_type_where, $user_id ) );

Recommendation: Use $wpdb->prepare() with placeholders


902. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/akismet/class.akismet.php:866 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return (int) $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->comments} WHERE comment_author_email = %s AND comment_author = %s AND comment_author_url = %s AND comment_approved = 1" . $comment_type_where, $comment_author_email, $comment_author, $comment_author_url ) );

Recommendation: Use $wpdb->prepare() with placeholders


903. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-updater-host/cxq-updater-host.php:132 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("DROP TABLE IF EXISTS {$wpdb->prefix}quigs_plugin_library");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


904. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-updater-host/includes/class-quigs-host-github.php:214 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("System.out.println: GitHub API Request URL: " . $url);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


905. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-updater-host/includes/class-quigs-host-github.php:230 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("System.out.println: GitHub API WP Error: " . $response->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


906. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-updater-host/includes/class-quigs-host-github.php:237 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("System.out.println: GitHub API Response Code: " . $response_code);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


907. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-updater-host/includes/class-quigs-host-github.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("System.out.println: GitHub API Error Message: " . $error_message);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


908. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-updater-host/includes/class-quigs-host-github.php:246 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("System.out.println: GitHub API Error Code: HTTP " . $response_code);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


909. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-updater-host/includes/class-quigs-host-github.php:247 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("System.out.println: GitHub API Error Body: " . $response_body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


910. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-updater-host/includes/class-quigs-host-github.php:252 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("System.out.println: GitHub API Success: " . $url);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


911. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-updater-host/includes/class-quigs-host-github.php:214 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("System.out.println: GitHub API Request URL: " . $url);

Recommendation: Use $wpdb->prepare() with placeholders


912. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-updater-host/includes/class-quigs-host-github.php:230 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("System.out.println: GitHub API WP Error: " . $response->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders


913. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-updater-host/includes/class-quigs-host-github.php:237 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("System.out.println: GitHub API Response Code: " . $response_code);

Recommendation: Use $wpdb->prepare() with placeholders


914. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-updater-host/includes/class-quigs-host-github.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("System.out.println: GitHub API Error Message: " . $error_message);

Recommendation: Use $wpdb->prepare() with placeholders


915. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-updater-host/includes/class-quigs-host-github.php:246 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("System.out.println: GitHub API Error Code: HTTP " . $response_code);

Recommendation: Use $wpdb->prepare() with placeholders


916. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-updater-host/includes/class-quigs-host-github.php:247 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("System.out.println: GitHub API Error Body: " . $response_body);

Recommendation: Use $wpdb->prepare() with placeholders


917. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-updater-host/includes/class-quigs-host-github.php:252 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("System.out.println: GitHub API Success: " . $url);

Recommendation: Use $wpdb->prepare() with placeholders


918. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-google-hours/cxq-google-hours.php:131 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE '_transient_cxq_google_hours_%'" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


919. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-google-hours/cxq-google-hours.php:132 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE '_transient_timeout_cxq_google_hours_%'" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


920. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-google-hours/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


921. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-google-hours/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


922. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-google-hours/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


923. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-google-hours/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


924. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-google-hours/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


925. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-google-hours/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


926. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-google-hours/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


927. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-google-hours/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


928. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-ajax-layered-nav/widgets/class-sod-widget-ajax-layered-nav.php:844 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

" . $tax_query_sql['join'] . $meta_query_sql['join'];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


929. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-ajax-layered-nav/widgets/class-sod-widget-ajax-layered-nav.php:849 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

" . $tax_query_sql['where'] . $meta_query_sql['where'] . "

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


930. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-ajax-layered-nav/widgets/class-sod-widget-ajax-layered-nav.php:844 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

" . $tax_query_sql['join'] . $meta_query_sql['join'];

Recommendation: Use $wpdb->prepare() with placeholders


931. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-ajax-layered-nav/widgets/class-sod-widget-ajax-layered-nav.php:849 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

" . $tax_query_sql['where'] . $meta_query_sql['where'] . "

Recommendation: Use $wpdb->prepare() with placeholders


932. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/src/Events/Custom_Tables/V1/Schema_Builder/Schema_Builder.php:247 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->get_results( "SELECT 1 FROM {$wpdb->posts} LIMIT 1" );

Recommendation: Use $wpdb->prepare() with placeholders


933. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/src/Events/Custom_Tables/V1/Schema_Builder/Abstract_Custom_Table.php:46 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$result = $wpdb->query( "TRUNCATE {$this_table}" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


934. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/src/Events/Custom_Tables/V1/Schema_Builder/Abstract_Custom_Table.php:236 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$result = $wpdb->query( "DROP TABLE `{$this_table}`" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


935. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/src/Events/Custom_Tables/V1/Tables/Events.php:93 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$updated = $wpdb->query( "ALTER TABLE `{$table_name}`ADD UNIQUE( `post_id` )" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


936. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/src/Events/Custom_Tables/V1/Tables/Occurrences.php:123 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$updated = $wpdb->query( "ALTER TABLE {$this_table} DROP FOREIGN KEY {$foreign_key_name}" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


937. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/src/Events/Custom_Tables/V1/Tables/Occurrences.php:134 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$updated = $wpdb->query( "ALTER TABLE `{$this_table}`ADD UNIQUE( `hash` )" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


938. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/Errors.php:324 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$count = $wpdb->get_results( "SELECT comment_approved, COUNT( * ) AS num_comments FROM {$wpdb->comments} {$where} GROUP BY comment_approved", ARRAY_A );

Recommendation: Use $wpdb->prepare() with placeholders


939. File upload without malware scanning detected

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/src/Tribe/Importer/File_Uploader.php:34 CWE: CWE-434 Confidence: HIGH

Description: File upload without malware scanning detected

Code:

$moved = move_uploaded_file( $this->tmp_name, self::get_file_path() );

Recommendation: Scan uploaded files with ClamAV or similar before moving to permanent location


940. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/src/Tribe/Google/Maps_API_Key.php:23 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

public static $default_api_key = 'AIzaSyDNsicAsP6-VuGtAb1O9riI3oc_NOb7IOU';

Recommendation: Move credentials to environment variables or secure configuration


941. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/CLI/Command.php:582 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

WP_CLI::error( "Could not create child record for record {$record_id}: " . $record->get_error_message() );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


942. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/CLI/Command.php:582 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

WP_CLI::error( "Could not create child record for record {$record_id}: " . $record->get_error_message() );

Recommendation: Use $wpdb->prepare() with placeholders


943. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/common/src/Tribe/Promise.php:156 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "\n\t" . $error_message;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


944. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/common/src/Tribe/Promise.php:253 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "\n\t" . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


945. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/common/src/Tribe/Promise.php:156 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "\n\t" . $error_message;

Recommendation: Use $wpdb->prepare() with placeholders


946. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/common/src/Tribe/Promise.php:253 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "\n\t" . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


947. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/common/src/Tribe/Utils/Color.php:371 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$css .= "{$prefix}background-color: #".$this->_hex.";{$suffix}";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


948. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/common/src/Tribe/Utils/Color.php:374 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$css .= "{$prefix}filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#".$g['light']."', endColorstr='#".$g['dark']."');{$suffix}";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


949. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/common/src/Tribe/Utils/Color.php:371 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$css .= "{$prefix}background-color: #".$this->_hex.";{$suffix}";

Recommendation: Use $wpdb->prepare() with placeholders


950. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/common/src/Tribe/Utils/Color.php:374 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$css .= "{$prefix}filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#".$g['light']."', endColorstr='#".$g['dark']."');{$suffix}";

Recommendation: Use $wpdb->prepare() with placeholders


951. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/common/src/Tribe/Editor/Blocks/Abstract.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

'Block Attributes: ' . "\n" . $json_string .

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


952. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/the-events-calendar/common/src/Tribe/Editor/Blocks/Abstract.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

'Block Attributes: ' . "\n" . $json_string .

Recommendation: Use $wpdb->prepare() with placeholders


953. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/upgrader.php:594 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE `option_name` = 'mphb_ical_sync_rooms_queue_processed_data'" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


954. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/upgrader.php:896 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wp_mphb_sync_logs} DROP COLUMN log_context" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


955. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/upgrader.php:897 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wp_mphb_sync_logs} MODIFY COLUMN log_message VARCHAR(150)" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


956. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/i-cal/queue.php:315 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $item . "'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


957. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/i-cal/queue.php:315 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $item . "'";

Recommendation: Use $wpdb->prepare() with placeholders


958. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/emogrifier/emogrifier.php:427 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$css .= "\n\n" . $styleNode->nodeValue;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


959. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/emogrifier/emogrifier.php:427 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$css .= "\n\n" . $styleNode->nodeValue;

Recommendation: Use $wpdb->prepare() with placeholders


960. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/wp-meta-query/wp-meta-query.php:490 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql['where'] = '( ' . "\n  " . $indent . implode( ' ' . "\n  " . $indent . $relation . ' ' . "\n  " . $indent, $sql_chunks['where'] ) . "\n" . $indent . ')';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


961. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/wp-meta-query/wp-meta-query.php:490 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql['where'] = '( ' . "\n  " . $indent . implode( ' ' . "\n  " . $indent . $relation . ' ' . "\n  " . $indent, $sql_chunks['where'] ) . "\n" . $indent . ')';

Recommendation: Use $wpdb->prepare() with placeholders


962. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/timezone.php:115 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$datanode = new ZCiCalDataNode("TZOFFSETFROM:".$offset);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


963. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/timezone.php:129 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$datanode = new ZCiCalDataNode("TZOFFSETTO:".$offset);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


964. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/timezone.php:132 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$datanode = new ZCiCalDataNode("TZNAME:".$transition["abbr"]);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


965. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/timezone.php:115 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$datanode = new ZCiCalDataNode("TZOFFSETFROM:".$offset);

Recommendation: Use $wpdb->prepare() with placeholders


966. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/timezone.php:129 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$datanode = new ZCiCalDataNode("TZOFFSETTO:".$offset);

Recommendation: Use $wpdb->prepare() with placeholders


967. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/timezone.php:132 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$datanode = new ZCiCalDataNode("TZNAME:".$transition["abbr"]);

Recommendation: Use $wpdb->prepare() with placeholders


968. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:64 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "$i: " . $tline[$i] . ", ord() = " . ord($tline[$i]) . "<br>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


969. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:78 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "value: " . $tvalue . "<br>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


970. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:194 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "creating " . $this->getName();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


971. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:196 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo " child of " . $_parent->getName() . "/" . count($this->parentnode->child);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


972. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:258 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "moving from " . $this->getName() . " to " . $this->child[0]->getName() . "<br/>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


973. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:312 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$txtstr .= "BEGIN:" . $node->getName() . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


974. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:319 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$p .= ";" . strtoupper($key) . "=" . $value;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


975. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:326 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$line = $d->getName() . $p . ":" . $values;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


976. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:346 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$txtstr .= "END:" . $node->getName() . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


977. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:398 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

// echo ($linecount + 1) . ": " . $line . "<br/>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


978. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:417 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "new node: " . $this->curnode->name . "<br/>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


979. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:420 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "parent of " . $this->curnode->getName() . " is " . $this->curnode->getParent()->getName() . "<br/>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


980. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:422 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "parent of " . $this->curnode->getName() . " is null<br/>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


981. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:434 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//die("Can't read iCal file structure, expecting " . $this->curnode->getName() . " but reading $name instead");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


982. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:435 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Can't read iCal file structure, expecting " . $this->curnode->getName() . " but reading $name instead");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


983. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:438 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "moving up from " . $this->curnode->getName() ;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


984. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:440 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo " to " . $this->curnode->getName() . "<br/>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


985. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:450 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//die("Can't read iCal file structure, expecting " . $this->curnode->getName() . " but reading $name instead");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


986. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:451 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Can't read iCal file structure, expecting " . $this->curnode->getName() . " but reading $name instead");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


987. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:454 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "moving up from " . $this->curnode->getName() ;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


988. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:456 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo " to " . $this->curnode->getName() . "<br/>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


989. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:659 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "moving from " . $thisnode->getName() . " to " . $thisnode->child[0]->getName() . "<br/>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


990. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:818 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "rule: " . $tzvalues["rrule"] . "<br/>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


991. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:64 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "$i: " . $tline[$i] . ", ord() = " . ord($tline[$i]) . "<br>\n";

Recommendation: Use $wpdb->prepare() with placeholders


992. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:78 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "value: " . $tvalue . "<br>\n";

Recommendation: Use $wpdb->prepare() with placeholders


993. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:194 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "creating " . $this->getName();

Recommendation: Use $wpdb->prepare() with placeholders


994. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:196 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo " child of " . $_parent->getName() . "/" . count($this->parentnode->child);

Recommendation: Use $wpdb->prepare() with placeholders


995. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:258 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "moving from " . $this->getName() . " to " . $this->child[0]->getName() . "<br/>";

Recommendation: Use $wpdb->prepare() with placeholders


996. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:312 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$txtstr .= "BEGIN:" . $node->getName() . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


997. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:319 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$p .= ";" . strtoupper($key) . "=" . $value;

Recommendation: Use $wpdb->prepare() with placeholders


998. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:326 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$line = $d->getName() . $p . ":" . $values;

Recommendation: Use $wpdb->prepare() with placeholders


999. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:346 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$txtstr .= "END:" . $node->getName() . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1000. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:398 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

// echo ($linecount + 1) . ": " . $line . "<br/>";

Recommendation: Use $wpdb->prepare() with placeholders


1001. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:417 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "new node: " . $this->curnode->name . "<br/>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1002. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:420 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "parent of " . $this->curnode->getName() . " is " . $this->curnode->getParent()->getName() . "<br/>";

Recommendation: Use $wpdb->prepare() with placeholders


1003. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:422 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "parent of " . $this->curnode->getName() . " is null<br/>";

Recommendation: Use $wpdb->prepare() with placeholders


1004. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:434 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//die("Can't read iCal file structure, expecting " . $this->curnode->getName() . " but reading $name instead");

Recommendation: Use $wpdb->prepare() with placeholders


1005. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:435 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Can't read iCal file structure, expecting " . $this->curnode->getName() . " but reading $name instead");

Recommendation: Use $wpdb->prepare() with placeholders


1006. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:438 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "moving up from " . $this->curnode->getName() ;

Recommendation: Use $wpdb->prepare() with placeholders


1007. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:440 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo " to " . $this->curnode->getName() . "<br/>";

Recommendation: Use $wpdb->prepare() with placeholders


1008. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:450 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//die("Can't read iCal file structure, expecting " . $this->curnode->getName() . " but reading $name instead");

Recommendation: Use $wpdb->prepare() with placeholders


1009. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:451 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Can't read iCal file structure, expecting " . $this->curnode->getName() . " but reading $name instead");

Recommendation: Use $wpdb->prepare() with placeholders


1010. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:454 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "moving up from " . $this->curnode->getName() ;

Recommendation: Use $wpdb->prepare() with placeholders


1011. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:456 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo " to " . $this->curnode->getName() . "<br/>";

Recommendation: Use $wpdb->prepare() with placeholders


1012. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:659 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "moving from " . $thisnode->getName() . " to " . $thisnode->child[0]->getName() . "<br/>";

Recommendation: Use $wpdb->prepare() with placeholders


1013. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/ical.php:818 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "rule: " . $tzvalues["rrule"] . "<br/>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1014. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:80 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo $item[0] . "=" . $item[1] . "<br/>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1015. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:218 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "ZCRecurringDate() error:" . $this->error . "<br />\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1016. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:250 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(1,"byYear() returned " . $count );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1017. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:273 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(1,"byMonth() returned " . $count );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1018. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:287 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(2,"mktime(" . $t['hours'] . ", " . $t['minutes']

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1019. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:288 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

. ", " . $t['mon'] . ", " . $day . ", " . $t['year'] . ") returned $wdate");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1020. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(1,"byMonthDay() returned " . $count );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1021. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:383 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(1,"byDay() returned " . $count );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1022. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:407 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(1,"byHour() returned " . $count );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1023. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:430 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(1,"byMinute() returned " . $count );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1024. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:448 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(1,"bySecond() returned " . $count );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1025. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:469 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(2,"freq: " . $this->freq . ", interval: " . $this->interval);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1026. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:590 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(2,ZDateHelper::toSQLDateTime($rdate) . " " . $d["wday"] );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1027. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:80 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo $item[0] . "=" . $item[1] . "<br/>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1028. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:218 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "ZCRecurringDate() error:" . $this->error . "<br />\n";

Recommendation: Use $wpdb->prepare() with placeholders


1029. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:250 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(1,"byYear() returned " . $count );

Recommendation: Use $wpdb->prepare() with placeholders


1030. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:273 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(1,"byMonth() returned " . $count );

Recommendation: Use $wpdb->prepare() with placeholders


1031. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:287 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(2,"mktime(" . $t['hours'] . ", " . $t['minutes']

Recommendation: Use $wpdb->prepare() with placeholders


1032. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:288 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

. ", " . $t['mon'] . ", " . $day . ", " . $t['year'] . ") returned $wdate");

Recommendation: Use $wpdb->prepare() with placeholders


1033. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(1,"byMonthDay() returned " . $count );

Recommendation: Use $wpdb->prepare() with placeholders


1034. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:383 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(1,"byDay() returned " . $count );

Recommendation: Use $wpdb->prepare() with placeholders


1035. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:407 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(1,"byHour() returned " . $count );

Recommendation: Use $wpdb->prepare() with placeholders


1036. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:430 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(1,"byMinute() returned " . $count );

Recommendation: Use $wpdb->prepare() with placeholders


1037. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:448 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(1,"bySecond() returned " . $count );

Recommendation: Use $wpdb->prepare() with placeholders


1038. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:469 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(2,"freq: " . $this->freq . ", interval: " . $this->interval);

Recommendation: Use $wpdb->prepare() with placeholders


1039. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/recurringdate.php:590 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug(2,ZDateHelper::toSQLDateTime($rdate) . " " . $d["wday"] );

Recommendation: Use $wpdb->prepare() with placeholders


1040. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/date.php:451 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$daydatetime = new DateTime("@" . $udate);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1041. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/date.php:479 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$date->sub(new DateInterval("PT".$offset."S"));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1042. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/date.php:451 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$daydatetime = new DateTime("@" . $udate);

Recommendation: Use $wpdb->prepare() with placeholders


1043. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/libraries/ZContent-icalendar/includes/date.php:479 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$date->sub(new DateInterval("PT".$offset."S"));

Recommendation: Use $wpdb->prepare() with placeholders


1044. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/includes/post-types/booking-cpt/logs.php:124 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$count = $wpdb->get_results( "SELECT comment_approved, COUNT( * ) AS total FROM {$wpdb->comments} {$where} GROUP BY comment_approved", ARRAY_A );

Recommendation: Use $wpdb->prepare() with placeholders


1045. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/vendors/braintree-sdk/lib/Braintree/Util.php:115 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception\Unexpected("Unexpected exception:" . $message);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1046. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/vendors/braintree-sdk/lib/Braintree/Util.php:115 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception\Unexpected("Unexpected exception:" . $message);

Recommendation: Use $wpdb->prepare() with placeholders


1047. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/vendors/braintree-sdk/lib/Braintree/WebhookTestingGateway.php:35 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$signature = $publicKey . "|" . $sha;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1048. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/vendors/braintree-sdk/lib/Braintree/WebhookTestingGateway.php:35 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$signature = $publicKey . "|" . $sha;

Recommendation: Use $wpdb->prepare() with placeholders


1049. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/vendors/braintree-sdk/lib/Braintree/SignatureService.php:17 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $this->hash($payload) . "|" . $payload;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1050. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/vendors/braintree-sdk/lib/Braintree/SignatureService.php:17 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $this->hash($payload) . "|" . $payload;

Recommendation: Use $wpdb->prepare() with placeholders


1051. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/vendors/braintree-sdk/lib/Braintree/Error/ValidationErrorCollection.php:70 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $this->forKey("index" . $index);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1052. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/vendors/braintree-sdk/lib/Braintree/Error/ValidationErrorCollection.php:70 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $this->forKey("index" . $index);

Recommendation: Use $wpdb->prepare() with placeholders


1053. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/vendors/braintree-sdk/lib/Braintree/Test/VenmoSdk.php:16 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "stub-" . $number;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1054. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/motopress-hotel-booking/vendors/braintree-sdk/lib/Braintree/Test/VenmoSdk.php:16 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "stub-" . $number;

Recommendation: Use $wpdb->prepare() with placeholders


1055. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/uninstall.php:97 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE 'wp\_mail\_smtp%'" ); // phpcs:ignore WordPress.DB

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1056. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/uninstall.php:100 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->usermeta} WHERE meta_key LIKE 'wp\_mail\_smtp\_%'" ); // phpcs:ignore WordPress.DB

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1057. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/uninstall.php:103 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE '\_transient\_wp\_mail\_smtp\_%'" ); // phpcs:ignore WordPress.DB

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1058. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/uninstall.php:104 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE '\_site\_transient\_wp\_mail\_smtp\_%'" ); // phpcs:ignore WordPress.DB

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1059. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/uninstall.php:105 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE '\_transient\_timeout\_wp\_mail\_smtp\_%'" ); // phpcs:ignore WordPress.DB

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1060. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/uninstall.php:106 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE '\_site\_transient\_timeout\_wp\_mail\_smtp\_%'" ); // phpcs:ignore WordPress.DB

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1061. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/uninstall.php:190 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE 'wp\_mail\_smtp%'" ); // phpcs:ignore WordPress.DB

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1062. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/uninstall.php:193 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->usermeta} WHERE meta_key LIKE 'wp\_mail\_smtp\_%'" ); // phpcs:ignore WordPress.DB

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1063. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/uninstall.php:196 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE '\_transient\_wp\_mail\_smtp\_%'" ); // phpcs:ignore WordPress.DB

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1064. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/uninstall.php:197 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE '\_site\_transient\_wp\_mail\_smtp\_%'" ); // phpcs:ignore WordPress.DB

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1065. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/uninstall.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE '\_transient\_timeout\_wp\_mail\_smtp\_%'" ); // phpcs:ignore WordPress.DB

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1066. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/uninstall.php:199 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE '\_site\_transient\_timeout\_wp\_mail\_smtp\_%'" ); // phpcs:ignore WordPress.DB

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1067. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/src/MailCatcherTrait.php:240 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. The line assembles an error message string: the mailer title passed through esc_html(), a line break, and the mailer's ErrorInfo. CWE-89 does not apply.

Code:

$error_message = 'Mailer: ' . esc_html( wp_mail_smtp()->get_providers()->get_options( $mailer_slug )->get_title() ) . "\r\n" . $this->ErrorInfo;

Recommendation: Close as a false positive for CWE-89; no database call is involved.


1069. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/vendor_prefixed/google/apiclient/src/AccessToken/Verify.php:146 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. The concatenation builds an exception message in the vendored Google API client (the URL the certificate fetch failed on). CWE-89 does not apply.

Code:

throw new GoogleException("Failed to retrieve verification certificates: '" . $url . "'.");

Recommendation: Close as a false positive for CWE-89. Code under vendor_prefixed/ is a bundled dependency; handle it through dependency updates, not local patches.


1071. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/vendor_prefixed/google/apiclient/src/Http/Batch.php:85 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. sprintf() fills a multipart HTTP batch-request template (boundary, part key, request line, headers, body). CWE-89 does not apply.

Code:

$body .= \sprintf($batchHttpTemplate, $this->boundary, $key, $firstLine, $headers, $content ? "\n" . $content : '');

Recommendation: Close as a false positive for CWE-89; bundled dependency under vendor_prefixed/, tracked through dependency updates.


1073. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/vendor_prefixed/google/apiclient/src/Utils/UriTemplate.php:192 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Builds a key=value pair while expanding a URI template into a query string. CWE-89 does not apply.

Code:

$values[] = $pkey . "=" . $pvalue;

Recommendation: Close as a false positive for CWE-89; bundled dependency under vendor_prefixed/.


1075. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/vendor_prefixed/guzzlehttp/guzzle/src/MessageFormatter.php:84 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Guzzle's MessageFormatter renders the request line, protocol version and headers as text for logging. CWE-89 does not apply.

Code:

$result = \trim($request->getMethod() . ' ' . $request->getRequestTarget()) . ' HTTP/' . $request->getProtocolVersion() . "\r\n" . $this->headers($request);

Recommendation: Close as a false positive for CWE-89; bundled dependency under vendor_prefixed/.


1076. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/vendor_prefixed/guzzlehttp/guzzle/src/MessageFormatter.php:87 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Guzzle's MessageFormatter renders the response status line and headers as text for logging. CWE-89 does not apply.

Code:

$result = $response ? \sprintf('HTTP/%s %d %s', $response->getProtocolVersion(), $response->getStatusCode(), $response->getReasonPhrase()) . "\r\n" . $this->headers($response) : 'NULL';

Recommendation: Close as a false positive for CWE-89; bundled dependency under vendor_prefixed/.


1079. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/vendor_prefixed/guzzlehttp/psr7/src/Message.php:21 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. This is PSR-7 message serialization to its HTTP wire form (here the Host header line). CWE-89 does not apply.

Code:

$msg .= "\r\nHost: " . $message->getUri()->getHost();

Recommendation: Close as a false positive for CWE-89; bundled dependency under vendor_prefixed/.


1080. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/vendor_prefixed/guzzlehttp/psr7/src/Message.php:31 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. This is PSR-7 message serialization to its HTTP wire form (here one header line). CWE-89 does not apply.

Code:

$msg .= "\r\n{$name}: " . $value;

Recommendation: Close as a false positive for CWE-89; bundled dependency under vendor_prefixed/.


1081. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/vendor_prefixed/guzzlehttp/psr7/src/Message.php:37 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. This is PSR-7 message serialization to its HTTP wire form (here the blank line and body). CWE-89 does not apply.

Code:

return "{$msg}\r\n\r\n" . $message->getBody();

Recommendation: Close as a false positive for CWE-89; bundled dependency under vendor_prefixed/.


1085. File upload without malware scanning detected

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/vendor_prefixed/guzzlehttp/psr7/src/UploadedFile.php:127 CWE: CWE-434 Confidence: HIGH

Description: This is the moveTo() implementation of the vendored guzzlehttp/psr7 UploadedFile class, a library primitive that relocates a file the calling code has already accepted (rename() under the CLI SAPI, move_uploaded_file() otherwise). It does not decide what may be uploaded, so any scanning belongs in the caller.

Code:

$this->moved = \PHP_SAPI === 'cli' ? \rename($this->file, $targetPath) : \move_uploaded_file($this->file, $targetPath);

Recommendation: Not actionable at this line. Content checks (type allow-list, size limit, AV scan where policy requires it) belong in the plugin code that calls moveTo(); this finding does not show such a caller.


1086. File upload without malware scanning detected

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/vendor_prefixed/psr/http-message/src/UploadedFileInterface.php:35 CWE: CWE-434 Confidence: HIGH

Description: The flagged line is a PHPDoc comment in the psr/http-message UploadedFileInterface, matched on the words move_uploaded_file(). No code executes here.

Code:

* Use this method as an alternative to move_uploaded_file(). This method is

Recommendation: Close as a false positive and exclude comment lines from this rule.


1087. File upload without malware scanning detected

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/vendor_prefixed/psr/http-message/src/UploadedFileInterface.php:38 CWE: CWE-434 Confidence: HIGH

Description: The flagged line is a PHPDoc comment in the psr/http-message UploadedFileInterface, matched on move_uploaded_file() and rename(). No code executes here.

Code:

* appropriate method (move_uploaded_file(), rename(), or a stream

Recommendation: Close as a false positive and exclude comment lines from this rule.


1088. File upload without malware scanning detected

File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/vendor_prefixed/psr/http-message/src/UploadedFileInterface.php:51 CWE: CWE-434 Confidence: HIGH

Description: The flagged line is a PHPDoc comment in the psr/http-message UploadedFileInterface, matched on is_uploaded_file() and move_uploaded_file(). No code executes here.

Code:

* files via moveTo(), is_uploaded_file() and move_uploaded_file() SHOULD be

Recommendation: Close as a false positive and exclude comment lines from this rule.


1089. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityformsuserregistration/class-gf-user-registration.php:4282 CWE: CWE-89 Confidence: HIGH

Description: The concatenated value is $wpdb->get_blog_prefix() . 'capabilities', the per-site capabilities meta key derived from the configured table prefix. It is not request input, so exposure is low; the heuristic fired on the quote-and-concatenate pattern.

Code:

AND EXISTS ( SELECT 1 FROM {$wpdb->usermeta} as meta2 WHERE meta1.user_id = meta2.user_id and meta2.meta_key = '" . $wpdb->get_blog_prefix() . "capabilities' )",

Recommendation: Low priority. When the query is next touched, bind the key instead of quoting it by hand: $wpdb->prepare( "... AND meta2.meta_key = %s )", $wpdb->get_blog_prefix() . 'capabilities' ).


1091. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityformsuserregistration/includes/signups.php:15 CWE: CWE-89 Confidence: HIGH

Description: Static query. The table name is $wpdb->signups and the LIKE pattern is a literal; nothing variable enters the statement.

Code:

$column_exists = $wpdb->query( "SHOW COLUMNS FROM {$wpdb->signups} LIKE 'signup_id'" );

Recommendation: None for CWE-89; record as a false positive. $wpdb->prepare() cannot bind identifiers.


1092. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib-3rd-party/XLSXWriter.php:92 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Builds the internal path of a worksheet entry while writing an XLSX zip archive. CWE-89 does not apply.

Code:

$zip->addFile($sheet->filename, "xl/worksheets/" . $sheet->xmlname );

Recommendation: Close as a false positive for CWE-89.


1094. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Form/BlockStylesRenderer.php:55 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Builds an inline CSS font-size rule from form block styles. CWE-89 does not apply.

Code:

$rules[] = "font-size:" . $styles['font_size'] . (is_numeric($styles['font_size']) ? "px;" : ";");

Recommendation: Close as a false positive for CWE-89. Whether the value needs output encoding is a separate question about how the rendered CSS is emitted, on which this line alone is no evidence.


1095. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Form/BlockStylesRenderer.php:58 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Builds an inline CSS font-size rule from the form settings. CWE-89 does not apply.

Code:

$rules[] = "font-size:" . $formSettings['fontSize'] . (is_numeric($formSettings['fontSize']) ? "px;" : ";");

Recommendation: Close as a false positive for CWE-89. Whether the value needs output encoding is a separate question about how the rendered CSS is emitted, on which this line alone is no evidence.


1098. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Form/BlockWrapperRenderer.php:21 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Appends a CSS class name from the form block parameters to an HTML class attribute string. CWE-89 does not apply.

Code:

$classes = isset($block['params']['class_name']) ? " " . $block['params']['class_name'] : '';

Recommendation: Close as a false positive for CWE-89. Escaping of the attribute is a question for the line that outputs it, not for this concatenation.


1100. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Newsletter/AutomatedLatestContent.php:40 CWE: CWE-89 Confidence: HIGH

Description: Genuine concatenation into SQL: $this->newsletterId is quoted and spliced into a WHERE comparison on newsletter_id. Whether this is exploitable depends on the property's type, which the excerpt does not show; an always-integer id is harmless, a string that can carry a quote is not.

Code:

. $newsletterPostsTableName . ".newsletter_id='" . $this->newsletterId . "'";

Recommendation: Bind the value instead of quoting it: $wpdb->prepare( "... " . $newsletterPostsTableName . ".newsletter_id = %d", $this->newsletterId ), or at minimum concatenate (int) $this->newsletterId. Keep the finding open until the property's type is confirmed.


1102. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Newsletter/DynamicProducts.php:46 CWE: CWE-89 Confidence: HIGH

Description: Genuine concatenation into SQL: $this->newsletterId is quoted and spliced into a WHERE comparison on newsletter_id. Whether this is exploitable depends on the property's type, which the excerpt does not show; an always-integer id is harmless, a string that can carry a quote is not.

Code:

. $newsletterPostsTableName . ".newsletter_id='" . $this->newsletterId . "'";

Recommendation: Bind the value instead of quoting it: $wpdb->prepare( "... " . $newsletterPostsTableName . ".newsletter_id = %d", $this->newsletterId ), or at minimum concatenate (int) $this->newsletterId. Keep the finding open until the property's type is confirmed.


1104. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Features/FeatureFlagsRepository.php:44 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Builds the message of a RuntimeException thrown when a feature flag fails to save. CWE-89 does not apply.

Code:

throw new \RuntimeException("Error when saving feature " . $data['name']);

Recommendation: Close as a false positive for CWE-89.


1106. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/SubscribersFinder.php:144 CWE: CWE-89 Confidence: HIGH

Description: Identifier concatenation, not value concatenation. $scheduledTaskSubscriberTable is an internal table name, and getSQL() returns the Doctrine QueryBuilder's statement with its placeholders; bound parameters travel separately when the statement is executed.

Code:

$sql = "INSERT IGNORE INTO $scheduledTaskSubscriberTable (task_id, subscriber_id, processed) " . $selectQueryBuilder->getSQL();

Recommendation: Low priority. $wpdb->prepare() cannot bind the table name. Confirm that the builder's parameters are passed along when $sql is executed (the execution is not in this excerpt) and close.


1108. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Config/TranslationUpdater.php:98 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Builds a log message from the WP_Error returned by the translations API request. CWE-89 does not apply.

Code:

$this->logError("MailPoet: Failed to fetch translations from WordPress.com API with error: " . $rawResponse->get_error_message());

Recommendation: Close as a false positive for CWE-89.


1109. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Config/TranslationUpdater.php:109 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Builds a log message from the WP_Error returned by the retried translations API request. CWE-89 does not apply.

Code:

$this->logError("MailPoet: Failed retrying to fetch translations from WordPress.com API with error: " . $rawResponse->get_error_message());

Recommendation: Close as a false positive for CWE-89.


1110. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Config/TranslationUpdater.php:116 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Builds a log message from the HTTP response code and response message. CWE-89 does not apply.

Code:

$this->logError("MailPoet: Failed to fetch translations from WordPress.com API with $responseCode and response message: " . $this->wpFunctions->wpRemoteRetrieveResponseMessage($rawResponse));

Recommendation: Close as a false positive for CWE-89.


1114. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Tags/TagRepository.php:34 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Builds the message of a RuntimeException thrown when a tag fails to save. CWE-89 does not apply.

Code:

throw new \RuntimeException("Error when saving tag " . $data['name']);

Recommendation: Close as a false positive for CWE-89.


1116. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Doctrine/WPDB/Connection.php:71 CWE: CWE-89 Confidence: HIGH

Description: This is a value-quoting routine in MailPoet's Doctrine WPDB driver: it runs the value through $wpdb->_escape() and wraps the result in single quotes, which is how a DBAL driver implements quoting. The escaping is the point of the line, not an omission.

Code:

return "'" . $wpdb->_escape($value) . "'";

Recommendation: No change. Escaping via $wpdb->_escape() is the right primitive inside a driver's quoting routine; $wpdb->prepare() does not apply here.


1118. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Form/Block/Html.php:36 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Appends a CSS class name from the form block parameters to an HTML class attribute string. CWE-89 does not apply.

Code:

$classes = isset($block['params']['class_name']) ? " " . $block['params']['class_name'] : '';

Recommendation: Close as a false positive for CWE-89. Escaping of the attribute is a question for the line that outputs it, not for this concatenation.


1120. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Newsletter/Sending/ScheduledTaskSubscribersRepository.php:114 CWE: CWE-89 Confidence: HIGH

Description: Identifier only. The interpolated value is a table name held by the repository ($scheduledTaskSubscribersTable); no user-controlled value appears on this line.

Code:

INSERT IGNORE INTO " . $scheduledTaskSubscribersTable . "

Recommendation: Low priority. $wpdb->prepare() cannot bind identifiers; confirm the name comes from entity metadata rather than input and close.


1121. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Newsletter/Sending/ScheduledTaskSubscribersRepository.php:117 CWE: CWE-89 Confidence: HIGH

Description: Identifier only. The interpolated value is a table name held by the repository ($subscribersTable); no user-controlled value appears on this line.

Code:

FROM " . $subscribersTable . " s

Recommendation: Low priority. $wpdb->prepare() cannot bind identifiers; confirm the name comes from entity metadata rather than input and close.


1124. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Util/Notices/SenderDomainAuthenticationNotices.php:108 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Composes an email address ("@" plus the default sender domain) for an admin notice. CWE-89 does not apply.

Code:

"@" . $this->getDefaultFromDomain(),

Recommendation: Close as a false positive for CWE-89.


1125. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Util/Notices/SenderDomainAuthenticationNotices.php:119 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Composes an email address ("@" plus the default sender domain) for an admin notice. CWE-89 does not apply.

Code:

"@" . $this->getDefaultFromDomain(),

Recommendation: Close as a false positive for CWE-89.


1128. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Util/Notices/BlackFridayNotice.php:50 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Builds the HTML for an admin-notice button linking to the sale URL. CWE-89 does not apply.

Code:

$link = "<p><a href='" . $this->getSaleUrl() . "' class='mailpoet-button button-primary' target='_blank'>"

Recommendation: Close as a false positive for CWE-89. Whether the href goes through esc_url() is a question for the rendering path, which this line alone does not show.


1130. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Cron/Workers/WooCommercePastOrders.php:54 CWE: CWE-89 Confidence: HIGH

Description: Genuine concatenation into SQL: $lastId is appended unquoted after a numeric comparison in a WHERE-clause fragment. This is safe only if $lastId is guaranteed to be an integer, which the excerpt does not show.

Code:

return $where . " AND {$wpdb->prefix}posts.ID > " . $lastId;

Recommendation: Bind or cast the value: return $where . $wpdb->prepare( " AND {$wpdb->prefix}posts.ID > %d", $lastId ); or concatenate (int) $lastId. Keep the finding open until the source of $lastId is confirmed.
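Most CWE-89 entries in this section come from a concatenation heuristic that never checks whether the string reaches a database call, and many file:line pairs are listed twice. As an added triage example (not part of this report, the scanner, or any scanned plugin), the script below re-reads finding blocks in the report's own layout, collapses duplicate file:line entries, and keeps CWE-89 as `review` only where the flagged line touches a SQL sink. The sample input is constructed from five entries on this page; the regexes, verdict names and severity mapping are this example's own assumptions, not the scanner's.

```python
"""Added triage example for this report (not the scanner's code, not any plugin's):
parses finding blocks in the report's own layout, drops duplicate file:line
entries and keeps CWE-89 as 'review' only where the flagged line reaches SQL."""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(r"^(?P<num>\d+)\. ")
FILE_RE = re.compile(r"^File: (?P<file>.+?):(?P<line>\d+) CWE: (?P<cwe>CWE-\d+) ")
# SQL evidence: a $wpdb call, an upper-case SQL keyword (prose such as
# "from WordPress.com" stays lower-case) or a qualified column being compared.
SQL_SINK_RE = re.compile(
    r"\$wpdb->(query|get_results|get_var|get_row|get_col|prepare)"
    r"|\b(SELECT|INSERT|UPDATE|DELETE|ALTER|CREATE|SHOW|FROM|WHERE|AND)\b"
    r"|\.\w+\s*[=<>]")
# Comparison, optional SQL quote, PHP string closes, variable concatenated in: a value is spliced.
VALUE_CONCAT_RE = re.compile(r"""[=<>]\s*['"]?['"]\s*\.\s*\$""")
COMMENT_RE = re.compile(r"^(\*|//|#|/\*)")


@dataclass
class Triage:
    num: int
    file: str
    line: int
    code: str
    verdict: str   # review | identifier_only | false_positive | unclassified
    severity: str  # severity the entry should carry after triage
    note: str


def parse_findings(text):
    """One dict per numbered finding block, in report order."""
    findings, current, expect_code = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            current = {"num": int(m["num"]), "code": ""}
            findings.append(current)
        elif current is None:
            continue
        elif (m := FILE_RE.match(line)):
            current.update(file=m["file"], line=int(m["line"]), cwe=m["cwe"])
        elif line == "Code:":
            expect_code = True
        elif expect_code and line:
            current["code"], expect_code = line, False
    return findings


def classify(code, cwe):
    """Map one flagged line to (verdict, severity, note)."""
    if COMMENT_RE.match(code):
        return "false_positive", "NONE", "flagged line is a comment, not executable code"
    if cwe != "CWE-89":
        return "unclassified", "as reported", "no triage rule for this CWE"
    if not SQL_SINK_RE.search(code):
        return "false_positive", "NONE", "no SQL sink on the line; CWE-89 does not apply"
    if VALUE_CONCAT_RE.search(code):
        return "review", "HIGH", "value spliced into SQL; bind via $wpdb->prepare() (%d/%s) or cast"
    return "identifier_only", "LOW", "only an identifier is interpolated; confirm it is trusted config"


def triage_report(text):
    """Deduplicate by file:line:code, then classify every remaining finding."""
    seen, results = set(), []
    for f in parse_findings(text):
        key = (f.get("file"), f.get("line"), f["code"])
        if key in seen:
            continue
        seen.add(key)
        verdict, severity, note = classify(f["code"], f.get("cwe", ""))
        results.append(Triage(f["num"], f.get("file", ""), f.get("line", 0),
                              f["code"], verdict, severity, note))
    return results


# Constructed sample: five entries copied from this report, including a duplicate
# pair (1100/1101), a comment line (1086) and a numeric value splice (1130).
SAMPLE_REPORT = r"""
1064. Possible SQL injection via string concatenation
File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/uninstall.php:197 CWE: CWE-89 Confidence: HIGH
Code:
$wpdb->query( "DELETE FROM {$wpdb->options} WHERE option_name LIKE '\_site\_transient\_wp\_mail\_smtp\_%'" ); // phpcs:ignore WordPress.DB
1086. File upload without malware scanning detected
File: /var/www/html/wordpress/wp-content/plugins/wp-mail-smtp/vendor_prefixed/psr/http-message/src/UploadedFileInterface.php:35 CWE: CWE-434 Confidence: HIGH
Code:
* Use this method as an alternative to move_uploaded_file(). This method is
1100. Possible SQL injection via string concatenation
File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Newsletter/AutomatedLatestContent.php:40 CWE: CWE-89 Confidence: HIGH
Code:
. $newsletterPostsTableName . ".newsletter_id='" . $this->newsletterId . "'";
1101. Possible SQL injection via string concatenation
File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Newsletter/AutomatedLatestContent.php:40 CWE: CWE-89 Confidence: HIGH
Code:
. $newsletterPostsTableName . ".newsletter_id='" . $this->newsletterId . "'";
1130. Possible SQL injection via string concatenation
File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Cron/Workers/WooCommercePastOrders.php:54 CWE: CWE-89 Confidence: HIGH
Code:
return $where . " AND {$wpdb->prefix}posts.ID > " . $lastId;
"""
```

Calling triage_report(SAMPLE_REPORT) returns 1064 as identifier_only (LOW), 1086 as a comment false positive, and 1100 and 1130 as review (HIGH), with 1101 dropped as a duplicate of 1100. The sink and value-splice patterns are deliberately narrow and case-sensitive; widen them per code base and spot-check the output rather than trusting the verdicts blindly.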


1132. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Migrations/Db/Migration_20230824_054259_Db.php:32 CWE: CWE-89 Confidence: HIGH

Description: Identifier only. The revenue table name is interpolated into a migration's ALTER TABLE statement; migrations run with table names from the plugin's own configuration, not request input.

Code:

"ALTER TABLE `" . $revenueTable . "`

Recommendation: None for CWE-89. $wpdb->prepare() cannot bind identifiers; record as a false positive.


1134. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Migrations/Db/Migration_20221028_105818.php:652 CWE: CWE-89 Confidence: HIGH

Description: Identifier only. A table name from the migration's own list is interpolated into a CREATE TABLE statement; no request input is involved.

Code:

$sql[] = "CREATE TABLE " . $table . " (";

Recommendation: None for CWE-89. $wpdb->prepare() cannot bind identifiers; record as a false positive.


1135. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Migrations/Db/Migration_20221028_105818.php:654 CWE: CWE-89 Confidence: HIGH

Description: Identifier only. The appended text is the charset/collation clause ($this->charsetCollate, derived from $wpdb settings) closing a CREATE TABLE statement; no request input is involved.

Code:

$sql[] = ") " . $this->charsetCollate . ";";

Recommendation: None for CWE-89. $wpdb->prepare() cannot bind DDL options; record as a false positive.


1136. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Migrations/Db/Migration_20221028_105818.php:1058 CWE: CWE-89 Confidence: HIGH

Description: Identifier only. The newsletter templates table name is interpolated into a migration's UPDATE statement; no request input is involved.

Code:

UPDATE " . $newsletterTemplatesTable . "

Recommendation: None for CWE-89. $wpdb->prepare() cannot bind identifiers; record as a false positive.


1140. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/FilterDataMapper.php:533 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Builds the message of an InvalidFilterException for an unrecognised action value. CWE-89 does not apply.

Code:

throw new InvalidFilterException("Unknown action " . $data['action'], InvalidFilterException::MISSING_ACTION);

Recommendation: Close as a false positive for CWE-89.


1141. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/FilterDataMapper.php:560 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Builds the message of an InvalidFilterException for an unrecognised action value. CWE-89 does not apply.

Code:

throw new InvalidFilterException("Unknown action " . $data['action'], InvalidFilterException::MISSING_ACTION);

Recommendation: Close as a false positive for CWE-89.


1142. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/FilterDataMapper.php:587 CWE: CWE-89 Confidence: HIGH

Description: Not a SQL sink. Builds the message of an InvalidFilterException for an unrecognised action value. CWE-89 does not apply.

Code:

throw new InvalidFilterException("Unknown action " . $data['action'], InvalidFilterException::MISSING_ACTION);

Recommendation: Close as a false positive for CWE-89.


1143. Duplicate of finding 1140 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1144. Duplicate of finding 1141 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1145. Duplicate of finding 1142 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1146. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceProduct.php:61 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

->having("COUNT($orderStatsAlias.order_id) = :count" . $parameterSuffix)

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :count placeholder; the count value is bound separately by the query builder and never enters the SQL text. The interpolated $orderStatsAlias is a table alias: confirm that it and the suffix are generated in code rather than taken from the request, then close. $wpdb->prepare() does not apply to query-builder calls.


1147. Duplicate of finding 1146 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1148. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceMembership.php:41 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

->andWhere("posts.post_parent IN (:plans" . $parameterSuffix . ")")

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :plans placeholder; the plan IDs are bound as a list parameter by the query builder and never enter the SQL text. Confirm the suffix is generated in code, then close.


1149. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceMembership.php:57 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

->andWhere("posts.post_parent IN (:plans" . $parameterSuffix . ")");

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :plans placeholder; the plan IDs are bound as a list parameter by the query builder and never enter the SQL text. Confirm the suffix is generated in code, then close.


1150. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceMembership.php:66 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

->andWhere("posts.post_parent IN (:plans" . $parameterSuffix . ")")

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :plans placeholder; the plan IDs are bound as a list parameter by the query builder and never enter the SQL text. Confirm the suffix is generated in code, then close.


1151. Duplicate of finding 1148 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1152. Duplicate of finding 1149 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1153. Duplicate of finding 1150 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1154. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceSingleOrderValue.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$queryBuilder->andWhere("$orderStatsAlias.total_sales = :amount" . $parameterSuffix);

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :amount placeholder; the amount is bound separately by the query builder and never enters the SQL text. The interpolated $orderStatsAlias is a table alias: confirm that it and the suffix are generated in code, then close.


1155. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceSingleOrderValue.php:50 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$queryBuilder->andWhere("$orderStatsAlias.total_sales != :amount" . $parameterSuffix);

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :amount placeholder; the amount is bound separately by the query builder. Confirm the alias and the suffix are generated in code, then close.


1156. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceSingleOrderValue.php:52 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$queryBuilder->andWhere("$orderStatsAlias.total_sales > :amount" . $parameterSuffix);

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :amount placeholder; the amount is bound separately by the query builder. Confirm the alias and the suffix are generated in code, then close.


1157. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceSingleOrderValue.php:54 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$queryBuilder->andWhere("$orderStatsAlias.total_sales >= :amount" . $parameterSuffix);

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :amount placeholder; the amount is bound separately by the query builder. Confirm the alias and the suffix are generated in code, then close.


1158. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceSingleOrderValue.php:56 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$queryBuilder->andWhere("$orderStatsAlias.total_sales < :amount" . $parameterSuffix);

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :amount placeholder; the amount is bound separately by the query builder. Confirm the alias and the suffix are generated in code, then close.


1159. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceSingleOrderValue.php:58 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$queryBuilder->andWhere("$orderStatsAlias.total_sales <= :amount" . $parameterSuffix);

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :amount placeholder; the amount is bound separately by the query builder. Confirm the alias and the suffix are generated in code, then close.


1160. Duplicate of finding 1154 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1161. Duplicate of finding 1155 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1162. Duplicate of finding 1156 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1163. Duplicate of finding 1157 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1164. Duplicate of finding 1158 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1165. Duplicate of finding 1159 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1166. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/EmailAction.php:103 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"$subscribersTable.id = statssent.subscriber_id AND statssent.newsletter_id = :newsletter" . $parameterSuffix

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :newsletter placeholder; the newsletter ID is bound separately by the query builder. The interpolated $subscribersTable is a table name: confirm that it and the suffix come from code, not the request, then close.


1167. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/EmailAction.php:116 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"stats.subscriber_id = $subscribersTable.id AND stats.newsletter_id = :newsletter" . $parameterSuffix

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :newsletter placeholder; the newsletter ID is bound separately by the query builder. The interpolated $subscribersTable is a table name: confirm that it and the suffix come from code, not the request, then close.


1168. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/EmailAction.php:164 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"$subscribersTable.id = statssent.subscriber_id AND statssent.newsletter_id IN (:newsletters" . $parameterSuffix . ')'

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :newsletters placeholder; the newsletter IDs are bound as a list parameter by the query builder. The interpolated $subscribersTable is a table name: confirm that it and the suffix come from code, then close.


1169. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/EmailAction.php:169 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"statssent.subscriber_id = stats.subscriber_id AND stats.newsletter_id IN (:newsletters" . $parameterSuffix . ')'

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :newsletters placeholder; the newsletter IDs are bound as a list parameter by the query builder. Confirm the suffix is generated in code, then close.


1170. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/EmailAction.php:177 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"stats.subscriber_id = $subscribersTable.id AND stats.newsletter_id IN (:newsletters" . $parameterSuffix . ')'

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :newsletters placeholder; the newsletter IDs are bound as a list parameter by the query builder. The interpolated $subscribersTable is a table name: confirm that it and the suffix come from code, then close.


1171. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/EmailAction.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$clause = "statssent.subscriber_id = stats.subscriber_id AND stats.newsletter_id = :newsletter" . $parameterSuffix;

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :newsletter placeholder; the newsletter ID is bound separately by the query builder. Confirm the suffix is generated in code, then close.


1172. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/EmailAction.php:216 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"$subscribersTable.id = statisticsNewsletter.subscriber_id AND statisticsNewsletter.newsletter_id IN (:newsletters" . $parameterSuffix . ')'

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :newsletters placeholder; the newsletter IDs are bound as a list parameter by the query builder. The interpolated $subscribersTable is a table name: confirm that it and the suffix come from code, then close.


1173. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/EmailAction.php:225 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"statisticsNewsletter.subscriber_id = $subscribersTable.id AND statisticsNewsletter.newsletter_id IN (:newsletters" . $parameterSuffix . ')'

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :newsletters placeholder; the newsletter IDs are bound as a list parameter by the query builder. The interpolated $subscribersTable is a table name: confirm that it and the suffix come from code, then close.


1174. Duplicate of finding 1166 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1175. Duplicate of finding 1167 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1176. Duplicate of finding 1168 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1177. Duplicate of finding 1169 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1178. Duplicate of finding 1170 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1179. Duplicate of finding 1171 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1180. Duplicate of finding 1172 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1181. Duplicate of finding 1173 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1182. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/UserRole.php:50 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

->andWhere("wpusermeta.meta_key = '{$wpdb->prefix}capabilities' AND (" . $condition . ')');

Recommendation: Review. The interpolated {$wpdb->prefix} is site configuration, not request data, but $condition is an SQL fragment assembled elsewhere in the filter. Confirm that every role value inside that fragment is bound as a named query-builder parameter rather than concatenated; if it is, close. $wpdb->prepare() does not apply to this query-builder call.


1183. Duplicate of finding 1182 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1184. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceTotalSpent.php:46 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$queryBuilder->having("SUM($orderStatsAlias.total_sales) = :amount" . $parameterSuffix);

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :amount placeholder; the amount is bound separately by the query builder and never enters the SQL text. The interpolated $orderStatsAlias is a table alias: confirm that it and the suffix are generated in code, then close.


1185. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceTotalSpent.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$queryBuilder->having("SUM($orderStatsAlias.total_sales) != :amount" . $parameterSuffix);

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :amount placeholder; the amount is bound separately by the query builder. Confirm the alias and the suffix are generated in code, then close.


1186. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceTotalSpent.php:50 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$queryBuilder->having("SUM($orderStatsAlias.total_sales) > :amount" . $parameterSuffix);

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :amount placeholder; the amount is bound separately by the query builder. Confirm the alias and the suffix are generated in code, then close.


1187. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceTotalSpent.php:52 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$queryBuilder->having("SUM($orderStatsAlias.total_sales) < :amount" . $parameterSuffix);

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :amount placeholder; the amount is bound separately by the query builder. Confirm the alias and the suffix are generated in code, then close.


1188. Duplicate of finding 1184 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1189. Duplicate of finding 1185 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1190. Duplicate of finding 1186 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1191. Duplicate of finding 1187 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1192. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/EmailOpensAbsoluteCountAction.php:60 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$queryBuilder->having("count(opens.id) = :opens" . $parameterSuffix);

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :opens placeholder; the open count is bound separately by the query builder and never enters the SQL text. Confirm the suffix is generated in code, then close.


1193. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/EmailOpensAbsoluteCountAction.php:62 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$queryBuilder->having("count(opens.id) != :opens" . $parameterSuffix);

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :opens placeholder; the open count is bound separately by the query builder. Confirm the suffix is generated in code, then close.


1194. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/EmailOpensAbsoluteCountAction.php:64 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$queryBuilder->having("count(opens.id) < :opens" . $parameterSuffix);

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :opens placeholder; the open count is bound separately by the query builder. Confirm the suffix is generated in code, then close.


1195. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/EmailOpensAbsoluteCountAction.php:66 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$queryBuilder->having("count(opens.id) > :opens" . $parameterSuffix);

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :opens placeholder; the open count is bound separately by the query builder. Confirm the suffix is generated in code, then close.


1196. Duplicate of finding 1192 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1197. Duplicate of finding 1193 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1198. Duplicate of finding 1194 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1199. Duplicate of finding 1195 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1200. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceSubscription.php:53 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

->andWhere("itemmeta.meta_value IN (:products" . $parameterSuffix . ")")

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :products placeholder; the product IDs are bound as a list parameter by the query builder and never enter the SQL text. Confirm the suffix is generated in code, then close.


1201. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceSubscription.php:70 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

->andWhere("itemmeta.meta_value IN (:products" . $parameterSuffix . ")");

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :products placeholder; the product IDs are bound as a list parameter by the query builder. Confirm the suffix is generated in code, then close.


1202. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Segments/DynamicSegments/Filters/WooCommerceSubscription.php:80 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

->andWhere("itemmeta.meta_value IN (:products" . $parameterSuffix . ")")

Recommendation: Likely false positive. $parameterSuffix only extends the name of the :products placeholder; the product IDs are bound as a list parameter by the query builder. Confirm the suffix is generated in code, then close.


1203. Duplicate of finding 1200 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1204. Duplicate of finding 1201 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1205. Duplicate of finding 1202 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1206. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/API/JSON/Response.php:32 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

header("Location: " . $this->location, true, $this->status);

Recommendation: Not SQL. header() sets an HTTP response header, so CWE-89 does not apply and $wpdb->prepare() is irrelevant. If $this->location can be influenced by the request, the class to assess is open redirect (CWE-601), which this rule does not cover; otherwise close as a false positive.


1207. Duplicate of finding 1206 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1208. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/API/MP/v1/Segments.php:184 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"'" . $segment->getType() . "'",

Recommendation: Review the call this argument belongs to. If the hand-quoted string is spliced into an SQL statement, bind it with a %s placeholder instead of surrounding it with quotes; if it is part of a message or a validation list, the finding is a false positive.


1209. Duplicate of finding 1208 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1210. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Automation/Integrations/WooCommerce/Fields/CustomerOrderFieldsFactory.php:324 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

ORDER BY p.post_date_gmt " . $sorting /* phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- The argument is safe. */ . "

Recommendation: Review. A sort direction is a keyword, not a value, so $wpdb->prepare() placeholders cannot carry it; the phpcs suppression asserts the argument is safe, which holds only if $sorting is mapped onto exactly 'ASC' or 'DESC' by a whitelist before this point. Verify that mapping exists; if it does, close, otherwise add it.


1211. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Automation/Integrations/WooCommerce/Fields/CustomerOrderFieldsFactory.php:388 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

JOIN %i AS oi ON oi.order_id IN (" . $orderIdsSubquery . /* phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- The subquery uses placeholders. */ ") AND oi.order_item_type = 'line_item'

Recommendation: Review. This statement already goes through $wpdb->prepare() (note the %i identifier placeholder), so the generic advice is moot; the open question is the spliced $orderIdsSubquery, which the phpcs suppression says uses placeholders. Verify that the subquery is itself produced by prepare() with no unbound input, then close.


1212. Duplicate of finding 1210 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1213. Duplicate of finding 1211 (same file, line and code; only the recommendation wording differs). Not a separate issue.
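Findings 1139 and 1210 are the two shapes in this section that a placeholder cannot fix as written: a table name and an ORDER BY direction are identifiers and keywords, and a %s placeholder would quote them as string literals. The example below is added here and is not MailPoet or WordPress code; it validates both against a closed set and leaves only the data values to $wpdb->prepare(). The function names, the table name and the column names are illustrative assumptions.

```php
<?php
declare(strict_types=1);

/*
 * Added example; not MailPoet or WordPress code. Identifiers and keywords are
 * validated against a closed set, data values stay as placeholders for prepare().
 * Function, table and column names are illustrative assumptions.
 */

/**
 * Validate a table or column name and return it backtick-quoted. Rejecting every
 * character outside [A-Za-z0-9_] also rejects the backtick, so nothing can break out
 * of the quoting. On WordPress 6.2+ the %i placeholder of $wpdb->prepare() does this job.
 */
function safe_identifier(string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        throw new InvalidArgumentException("Invalid SQL identifier: {$name}");
    }
    return '`' . $name . '`';
}

/** Map a caller-supplied direction onto exactly one of two literals, never onto the input itself. */
function safe_sort_direction(string $direction): string
{
    $allowed = ['ASC' => 'ASC', 'DESC' => 'DESC'];
    $key = strtoupper(trim($direction));
    if (!isset($allowed[$key])) {
        throw new InvalidArgumentException("Invalid sort direction: {$direction}");
    }
    return $allowed[$key];
}

/**
 * Build the statement text plus the arguments to bind. Identifiers and keywords are
 * validated above; the data values stay as %d placeholders for the caller to bind with
 * $wpdb->get_results($wpdb->prepare($sql, ...$args)).
 *
 * @return array{0: string, 1: array<int, int>}
 */
function build_recent_orders_query(string $table, string $direction, int $customerId, int $limit): array
{
    $sql = 'SELECT id, total_sales FROM ' . safe_identifier($table)
         . ' WHERE customer_id = %d'
         . ' ORDER BY date_created ' . safe_sort_direction($direction)
         . ' LIMIT %d';
    return [$sql, [$customerId, $limit]];
}

// Constructed inputs: the first call succeeds, the second is rejected before any SQL text exists.
[$sql, $args] = build_recent_orders_query('wp_wc_order_stats', 'desc', 42, 10);
echo $sql, ' with args ', implode(', ', $args), PHP_EOL;
try {
    build_recent_orders_query('wp_wc_order_stats` WHERE 1=1 -- ', 'DESC', 42, 10);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The direction is returned from the whitelist array rather than echoed back from the input, so a caller can never smuggle anything other than the two literals into the statement; the same pattern applies to any column chosen for ORDER BY. Where the code base already runs on WordPress 6.2 or later, %i is the shorter route for identifiers, but the keyword case still needs the whitelist.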


1214. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib/Automation/Integrations/WooCommerce/Fields/CustomerReviewFieldsFactory.php:75 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

" . $inTheLastFilter . /* phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- The condition uses placeholders. */ "

Recommendation: Review. $inTheLastFilter is an SQL fragment that the phpcs suppression says uses placeholders; verify that it is produced by $wpdb->prepare() (or is a fixed string with no request data) before closing the finding.


1215. Duplicate of finding 1214 (same file, line and code; only the recommendation wording differs). Not a separate issue.


1216. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib-3rd-party/pquery/gan_formatter.php:224 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$text = "<!--\n".$text."\n//-->";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1217. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib-3rd-party/pquery/gan_formatter.php:227 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$text = indent_text("\n".$text, $c->indent(), $indent_string);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1218. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib-3rd-party/pquery/gan_formatter.php:224 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$text = "<!--\n".$text."\n//-->";

Recommendation: Use $wpdb->prepare() with placeholders


1219. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/lib-3rd-party/pquery/gan_formatter.php:227 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$text = indent_text("\n".$text, $c->indent(), $indent_string);

Recommendation: Use $wpdb->prepare() with placeholders


1220. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/ORMInvalidArgumentException.php:36 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("The given entity of type '" . $className . "' (" . self::objToStr($entity) . ') has no identity/no ' . 'id values set. It cannot be added to the identity map.');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1221. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/ORMInvalidArgumentException.php:59 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self('A detached entity of type ' . $assoc['targetEntity'] . ' (' . self::objToStr($entry) . ') ' . " was found through the relationship '" . $assoc['sourceEntity'] . '#' . $assoc['fieldName'] . "' " . 'during cascading a persist operation.');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1222. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/ORMInvalidArgumentException.php:36 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("The given entity of type '" . $className . "' (" . self::objToStr($entity) . ') has no identity/no ' . 'id values set. It cannot be added to the identity map.');

Recommendation: Use $wpdb->prepare() with placeholders


1223. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/ORMInvalidArgumentException.php:59 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self('A detached entity of type ' . $assoc['targetEntity'] . ' (' . self::objToStr($entry) . ') ' . " was found through the relationship '" . $assoc['sourceEntity'] . '#' . $assoc['fieldName'] . "' " . 'during cascading a persist operation.');

Recommendation: Use $wpdb->prepare() with placeholders


1224. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/ResultSetMappingBuilder.php:221 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidArgumentException("Entity '" . $classMetadata->name . "' has no field '" . $fieldName . "'. ");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1225. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/ResultSetMappingBuilder.php:221 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidArgumentException("Entity '" . $classMetadata->name . "' has no field '" . $fieldName . "'. ");

Recommendation: Use $wpdb->prepare() with placeholders


1226. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/QueryException.php:58 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Invalid PathExpression '" . $pathExpr->identificationVariable . '.' . $pathExpr->field . "'.");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1227. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/QueryException.php:62 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Invalid literal '" . $literal . "'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1228. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/QueryException.php:99 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Cannot check if a child of '" . $rootClass . "' is instanceof '" . $className . "', " . 'inheritance hierarchy does not exists between these two classes.');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1229. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/QueryException.php:103 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Invalid query component given for DQL alias '" . $dqlAlias . "', " . "requires 'metadata', 'parent', 'relation', 'map', 'nestingLevel' and 'token' keys.");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1230. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/QueryException.php:58 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Invalid PathExpression '" . $pathExpr->identificationVariable . '.' . $pathExpr->field . "'.");

Recommendation: Use $wpdb->prepare() with placeholders


1231. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/QueryException.php:62 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Invalid literal '" . $literal . "'");

Recommendation: Use $wpdb->prepare() with placeholders


1232. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/QueryException.php:99 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Cannot check if a child of '" . $rootClass . "' is instanceof '" . $className . "', " . 'inheritance hierarchy does not exists between these two classes.');

Recommendation: Use $wpdb->prepare() with placeholders


1233. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/QueryException.php:103 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Invalid query component given for DQL alias '" . $dqlAlias . "', " . "requires 'metadata', 'parent', 'relation', 'map', 'nestingLevel' and 'token' keys.");

Recommendation: Use $wpdb->prepare() with placeholders


1234. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/FilterCollection.php:37 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidArgumentException("Filter '" . $name . "' does not exist.");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1235. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/FilterCollection.php:71 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidArgumentException("Filter '" . $name . "' is not suspended.");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1236. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/FilterCollection.php:83 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidArgumentException("Filter '" . $name . "' is not enabled.");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1237. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/FilterCollection.php:37 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidArgumentException("Filter '" . $name . "' does not exist.");

Recommendation: Use $wpdb->prepare() with placeholders


1238. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/FilterCollection.php:71 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidArgumentException("Filter '" . $name . "' is not suspended.");

Recommendation: Use $wpdb->prepare() with placeholders


1239. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/FilterCollection.php:83 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidArgumentException("Filter '" . $name . "' is not enabled.");

Recommendation: Use $wpdb->prepare() with placeholders


1240. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/Parser.php:238 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message = 'line 0, col ' . $tokenPos . " near '" . $tokenStr . "': Error: " . $message;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1241. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/Parser.php:238 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message = 'line 0, col ' . $tokenPos . " near '" . $tokenStr . "': Error: " . $message;

Recommendation: Use $wpdb->prepare() with placeholders


1242. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Exception/EntityMissingAssignedId.php:10 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self('Entity of type ' . get_debug_type($entity) . " is missing an assigned ID for field '" . $field . "'. " . 'The identifier generation strategy for this entity requires the ID field to be populated before ' . 'EntityManager#persist() is called. If you want automatically generated identifiers instead ' . 'you need to adjust the metadata mapping accordingly.');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1243. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Exception/EntityMissingAssignedId.php:10 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self('Entity of type ' . get_debug_type($entity) . " is missing an assigned ID for field '" . $field . "'. " . 'The identifier generation strategy for this entity requires the ID field to be populated before ' . 'EntityManager#persist() is called. If you want automatically generated identifiers instead ' . 'you need to adjust the metadata mapping accordingly.');

Recommendation: Use $wpdb->prepare() with placeholders


1244. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Exception/InvalidEntityRepository.php:10 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Invalid repository class '" . $className . "'. It must be a " . EntityRepository::class . '.');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1245. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Exception/InvalidEntityRepository.php:10 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Invalid repository class '" . $className . "'. It must be a " . EntityRepository::class . '.');

Recommendation: Use $wpdb->prepare() with placeholders


1246. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/ClassMetadataInfo.php:1431 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidArgumentException("Association name expected, '" . $assocName . "' is not an association.");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1247. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/ClassMetadataInfo.php:1431 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidArgumentException("Association name expected, '" . $assocName . "' is not an association.");

Recommendation: Use $wpdb->prepare() with placeholders


1248. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:114 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message = "The mapping of field '" . $field . "' is invalid: The option '" . $expectedOption . "' is required.";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1249. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:185 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self('The entries ' . implode(', ', $entries) . " in discriminator map of class '" . $className . "' is duplicated. " . 'If the discriminator map is automatically generated you have to convert it to an explicit discriminator map now. ' . 'The entries of the current map are: @DiscriminatorMap({' . implode(', ', array_map(static function ($a, $b) {

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1250. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:215 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Duplicate definition of column '" . $columnName . "' on entity '" . $className . "' in a field or discriminator column mapping.");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1251. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:219 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("It is illegal to put an inverse side one-to-many or many-to-many association on mapped superclass '" . $className . '#' . $field . "'.");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1252. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:223 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("It is not possible to map entity '" . $className . "' with a composite primary key " . "as part of the primary key of another entity '" . $targetEntity . '#' . $targetField . "'.");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1253. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:251 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("It is not supported to define inheritance information on a mapped superclass '" . $className . "'.");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1254. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:255 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Entity '" . $className . "' has to be part of the discriminator map of '" . $rootClassName . "' " . "to be properly mapped in the inheritance hierarchy. Alternatively you can make '" . $className . "' an abstract class " . 'to avoid this exception from occurring.');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1255. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:259 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Entity '" . $className . "' has no method '" . $methodName . "' to be registered as lifecycle callback.");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1256. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:275 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Entity '" . $className . "' has a mapping with invalid fetch mode '" . $fetchMode . "'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1257. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:279 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Invalid generated mode '" . $generatedMode . "'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1258. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:283 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Entity '" . $className . "' has a composite identifier but uses an ID generator other than manually assigning (Identity, Sequence). This is not supported.");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1259. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:287 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self('The target-entity ' . $targetEntity . " cannot be found in '" . $sourceEntity . '#' . $associationName . "'.");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1260. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:292 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $e . "'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1261. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:114 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message = "The mapping of field '" . $field . "' is invalid: The option '" . $expectedOption . "' is required.";

Recommendation: Use $wpdb->prepare() with placeholders


1262. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:185 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self('The entries ' . implode(', ', $entries) . " in discriminator map of class '" . $className . "' is duplicated. " . 'If the discriminator map is automatically generated you have to convert it to an explicit discriminator map now. ' . 'The entries of the current map are: @DiscriminatorMap({' . implode(', ', array_map(static function ($a, $b) {

Recommendation: Use $wpdb->prepare() with placeholders


1263. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:215 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Duplicate definition of column '" . $columnName . "' on entity '" . $className . "' in a field or discriminator column mapping.");

Recommendation: Use $wpdb->prepare() with placeholders


1264. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:219 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("It is illegal to put an inverse side one-to-many or many-to-many association on mapped superclass '" . $className . '#' . $field . "'.");

Recommendation: Use $wpdb->prepare() with placeholders


1265. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:223 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("It is not possible to map entity '" . $className . "' with a composite primary key " . "as part of the primary key of another entity '" . $targetEntity . '#' . $targetField . "'.");

Recommendation: Use $wpdb->prepare() with placeholders


1266. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:251 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("It is not supported to define inheritance information on a mapped superclass '" . $className . "'.");

Recommendation: Use $wpdb->prepare() with placeholders


1267. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:255 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Entity '" . $className . "' has to be part of the discriminator map of '" . $rootClassName . "' " . "to be properly mapped in the inheritance hierarchy. Alternatively you can make '" . $className . "' an abstract class " . 'to avoid this exception from occurring.');

Recommendation: Use $wpdb->prepare() with placeholders


1268. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:259 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Entity '" . $className . "' has no method '" . $methodName . "' to be registered as lifecycle callback.");

Recommendation: Use $wpdb->prepare() with placeholders


1269. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:275 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Entity '" . $className . "' has a mapping with invalid fetch mode '" . $fetchMode . "'");

Recommendation: Use $wpdb->prepare() with placeholders


1270. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:279 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Invalid generated mode '" . $generatedMode . "'");

Recommendation: Use $wpdb->prepare() with placeholders


1271. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:283 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Entity '" . $className . "' has a composite identifier but uses an ID generator other than manually assigning (Identity, Sequence). This is not supported.");

Recommendation: Use $wpdb->prepare() with placeholders


1272. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:287 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self('The target-entity ' . $targetEntity . " cannot be found in '" . $sourceEntity . '#' . $associationName . "'.");

Recommendation: Use $wpdb->prepare() with placeholders


1273. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/MappingException.php:292 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $e . "'";

Recommendation: Use $wpdb->prepare() with placeholders


1274. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Proxy/ProxyFactory.php:255 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$prefix = $property->isPrivate() ? "\x00" . $property->class . "\x00" : ($property->isProtected() ? "\x00*\x00" : '');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1275. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Proxy/ProxyFactory.php:255 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$prefix = $property->isPrivate() ? "\x00" . $property->class . "\x00" : ($property->isProtected() ? "\x00*\x00" : '');

Recommendation: Use $wpdb->prepare() with placeholders


1276. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/Filter/SQLFilter.php:47 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidArgumentException("Parameter '" . $name . "' does not exist.");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1277. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/Filter/SQLFilter.php:58 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidArgumentException("Parameter '" . $name . "' does not exist.");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1278. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/Filter/SQLFilter.php:47 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidArgumentException("Parameter '" . $name . "' does not exist.");

Recommendation: Use $wpdb->prepare() with placeholders


1279. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Query/Filter/SQLFilter.php:58 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidArgumentException("Parameter '" . $name . "' does not exist.");

Recommendation: Use $wpdb->prepare() with placeholders


1280. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Internal/Hydration/HydrationException.php:20 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("The DQL alias '" . $dqlAlias . "' contains an entity " . 'of an inheritance hierarchy with an empty discriminator value. This means ' . 'that the database contains inconsistent data with an empty ' . 'discriminator value in a table row.');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1281. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Internal/Hydration/HydrationException.php:20 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("The DQL alias '" . $dqlAlias . "' contains an entity " . 'of an inheritance hierarchy with an empty discriminator value. This means ' . 'that the database contains inconsistent data with an empty ' . 'discriminator value in a table row.');

Recommendation: Duplicate of finding 1280 (same file and line). Same disposition: false positive, exception message only.


1282. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/Reflection/ReflectionPropertiesGetter.php:66 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\x00*\x00" . $propertyName;

Recommendation: No action for CWE-89. This builds PHP's mangled array key for a protected property (the "\x00*\x00" prefix PHP itself uses when an object is cast to an array); it is a reflection lookup key, not SQL. False positive in vendor-prefixed Doctrine ORM.


1283. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/Reflection/ReflectionPropertiesGetter.php:68 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\x00" . $property->class . "\x00" . $propertyName;

Recommendation: No action for CWE-89. Same mangled-key construction as finding 1282, for a private property ("\x00Class\x00name"). False positive.


1284. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/Reflection/ReflectionPropertiesGetter.php:66 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\x00*\x00" . $propertyName;

Recommendation: Duplicate of finding 1282 (same file and line). Same disposition: false positive, reflection key only.


1285. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Mapping/Reflection/ReflectionPropertiesGetter.php:68 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\x00" . $property->class . "\x00" . $propertyName;

Recommendation: Duplicate of finding 1283 (same file and line). Same disposition: false positive, reflection key only.


1286. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Repository/Exception/InvalidMagicMethodCall.php:11 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Entity '" . $entityName . "' has no field '" . $fieldName . "'. " . "You can therefore not call '" . $method . "' on the entities' repository.");

Recommendation: No action for CWE-89. Exception message for a bad magic finder call in vendor-prefixed Doctrine ORM; the entity, field and method names are reported, not queried. False positive.


1287. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Repository/Exception/InvalidMagicMethodCall.php:15 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("You need to pass a parameter to '" . $methodName . "'");

Recommendation: No action for CWE-89. Exception message, same file as finding 1286. False positive.


1288. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Repository/Exception/InvalidMagicMethodCall.php:11 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("Entity '" . $entityName . "' has no field '" . $fieldName . "'. " . "You can therefore not call '" . $method . "' on the entities' repository.");

Recommendation: Duplicate of finding 1286 (same file and line). Same disposition: false positive, exception message only.


1289. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Repository/Exception/InvalidMagicMethodCall.php:15 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("You need to pass a parameter to '" . $methodName . "'");

Recommendation: Duplicate of finding 1287 (same file and line). Same disposition: false positive, exception message only.


1290. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Repository/Exception/InvalidFindByCall.php:11 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("You cannot search for the association field '" . $entityName . '#' . $associationFieldName . "', " . 'because it is the inverse side of an association. Find methods only work on owning side associations.');

Recommendation: No action for CWE-89. Exception message explaining that a findBy call cannot target an inverse-side association; no query is built. False positive in vendor-prefixed Doctrine ORM.


1291. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/orm/src/Repository/Exception/InvalidFindByCall.php:11 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("You cannot search for the association field '" . $entityName . '#' . $associationFieldName . "', " . 'because it is the inverse side of an association. Find methods only work on owning side associations.');

Recommendation: Duplicate of finding 1290 (same file and line). Same disposition: false positive, exception message only.


1292. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/common/src/Proxy/ProxyGenerator.php:449 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$allProperties[] = $prop->isPrivate() ? "\x00" . $prop->getDeclaringClass()->getName() . "\x00" . $prop->getName() : $prop->getName();

Recommendation: No action for CWE-89. This collects mangled property names ("\x00Class\x00prop") while generating a proxy class in vendor-prefixed doctrine/common; it is reflection bookkeeping, not SQL. False positive.


1293. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/common/src/Proxy/ProxyGenerator.php:449 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$allProperties[] = $prop->isPrivate() ? "\x00" . $prop->getDeclaringClass()->getName() . "\x00" . $prop->getName() : $prop->getName();

Recommendation: Duplicate of finding 1292 (same file and line). Same disposition: false positive, reflection bookkeeping only.


1294. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/dbal/src/Exception.php:39 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("The given 'driver' " . $unknownDriverName . ' is unknown, ' . 'Doctrine currently supports only the following drivers: ' . implode(', ', $knownDrivers));

Recommendation: No action for CWE-89. Exception factory message in vendor-prefixed Doctrine DBAL (unknown driver name plus the supported list); not a query. False positive.


1295. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/dbal/src/Exception.php:43 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("The given 'wrapperClass' " . $wrapperClass . ' has to be a ' . 'subtype of \\Doctrine\\DBAL\\Connection.');

Recommendation: No action for CWE-89. Exception message for an invalid wrapperClass option, same file as finding 1294. False positive.


1296. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/dbal/src/Exception.php:47 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("The given 'driverClass' " . $driverClass . ' has to implement the ' . Driver::class . ' interface.');

Recommendation: No action for CWE-89. Exception message for an invalid driverClass option, same file as finding 1294. False positive.


1297. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/dbal/src/Exception.php:39 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("The given 'driver' " . $unknownDriverName . ' is unknown, ' . 'Doctrine currently supports only the following drivers: ' . implode(', ', $knownDrivers));

Recommendation: Duplicate of finding 1294 (same file and line). Same disposition: false positive, exception message only.


1298. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/dbal/src/Exception.php:43 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("The given 'wrapperClass' " . $wrapperClass . ' has to be a ' . 'subtype of \\Doctrine\\DBAL\\Connection.');

Recommendation: Duplicate of finding 1295 (same file and line). Same disposition: false positive, exception message only.


1299. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/dbal/src/Exception.php:47 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("The given 'driverClass' " . $driverClass . ' has to implement the ' . Driver::class . ' interface.');

Recommendation: Duplicate of finding 1296 (same file and line). Same disposition: false positive, exception message only.


1300. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/dbal/src/Query/QueryException.php:10 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("The given alias '" . $alias . "' is not part of " . 'any FROM or JOIN clause table. The currently registered ' . 'aliases are: ' . implode(', ', $registeredAliases) . '.');

Recommendation: No action for CWE-89. Despite the words FROM and JOIN, this is the text of a QueryException about an unknown alias in vendor-prefixed Doctrine DBAL; it is thrown, not executed. False positive.


1301. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/dbal/src/Query/QueryException.php:14 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("The given alias '" . $alias . "' is not unique " . 'in FROM and JOIN clause table. The currently registered ' . 'aliases are: ' . implode(', ', $registeredAliases) . '.');

Recommendation: No action for CWE-89. QueryException text for a non-unique alias, same file as finding 1300. False positive.


1302. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/dbal/src/Query/QueryException.php:10 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("The given alias '" . $alias . "' is not part of " . 'any FROM or JOIN clause table. The currently registered ' . 'aliases are: ' . implode(', ', $registeredAliases) . '.');

Recommendation: Duplicate of finding 1300 (same file and line). Same disposition: false positive, exception message only.


1303. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/dbal/src/Query/QueryException.php:14 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return new self("The given alias '" . $alias . "' is not unique " . 'in FROM and JOIN clause table. The currently registered ' . 'aliases are: ' . implode(', ', $registeredAliases) . '.');

Recommendation: Duplicate of finding 1301 (same file and line). Same disposition: false positive, exception message only.


1304. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/dbal/src/Platforms/AbstractPlatform.php:1174 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return " DEFAULT '" . $default . "'";

Recommendation: Not actionable with $wpdb->prepare(). This is DDL generation inside vendor-prefixed Doctrine DBAL: the platform renders a column DEFAULT clause from the column definition it is handed, and nothing in the statement shown ties $default to request data. Treat as library-internal; it changes only through mailpoet plugin updates, and any concern about unescaped default values belongs upstream with Doctrine.


1305. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/dbal/src/Platforms/AbstractPlatform.php:1174 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return " DEFAULT '" . $default . "'";

Recommendation: Duplicate of finding 1304 (same file and line). Same disposition: library-internal DDL generation, not fixable with $wpdb->prepare().


1306. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/persistence/src/Persistence/Reflection/RuntimeReflectionProperty.php:17 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->key = $this->isPrivate() ? "\x00" . ltrim($class, '\\') . "\x00" . $name : ($this->isProtected() ? "\x00*\x00" . $name : $name);

Recommendation: No action for CWE-89. Builds the mangled property key ("\x00Class\x00name" for private, "\x00*\x00name" for protected) used by doctrine/persistence reflection; not SQL. False positive.


1307. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/doctrine/persistence/src/Persistence/Reflection/RuntimeReflectionProperty.php:17 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->key = $this->isPrivate() ? "\x00" . ltrim($class, '\\') . "\x00" . $name : ($this->isProtected() ? "\x00*\x00" . $name : $name);

Recommendation: Duplicate of finding 1306 (same file and line). Same disposition: false positive, reflection key only.


1308. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/nesbot/carbon/src/Carbon/Traits/Creator.php:103 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidFormatException("Could not parse '{$time}': " . $exception->getMessage(), 0, $exception);

Recommendation: No action for CWE-89. Exception message for an unparseable date string in vendor-prefixed Carbon; no query. False positive.


1309. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/nesbot/carbon/src/Carbon/Traits/Creator.php:103 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new InvalidFormatException("Could not parse '{$time}': " . $exception->getMessage(), 0, $exception);

Recommendation: Duplicate of finding 1308 (same file and line). Same disposition: false positive, exception message only.


1310. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/monolog/monolog/src/Monolog/Utils.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\nThe exception occurred while attempting to log: " . $record['message'] . $context . $extra;

Recommendation: No action for CWE-89. This composes the text of a logging failure in vendor-prefixed Monolog; the result becomes an exception message, not a database statement. False positive.


1311. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/monolog/monolog/src/Monolog/Utils.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\nThe exception occurred while attempting to log: " . $record['message'] . $context . $extra;

Recommendation: Duplicate of finding 1310 (same file and line). Same disposition: false positive, log text only.


1312. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/monolog/monolog/src/Monolog/Formatter/LineFormatter.php:101 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$str .= "\n[previous exception] Over " . $this->maxNormalizeDepth . ' levels deep, aborting normalization';

Recommendation: No action for CWE-89. Log-line formatting in vendor-prefixed Monolog (depth-limit notice for nested exceptions); no query. False positive.


1313. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/monolog/monolog/src/Monolog/Formatter/LineFormatter.php:104 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$str .= "\n[previous exception] " . $this->formatException($previous);

Recommendation: No action for CWE-89. Log-line formatting for a previous exception, same file as finding 1312. False positive.


1314. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/monolog/monolog/src/Monolog/Formatter/LineFormatter.php:163 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\n[stacktrace]\n" . $trace . "\n";

Recommendation: No action for CWE-89. Appends a stack trace to a formatted log line, same file as finding 1312. False positive.


1315. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/monolog/monolog/src/Monolog/Formatter/LineFormatter.php:101 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$str .= "\n[previous exception] Over " . $this->maxNormalizeDepth . ' levels deep, aborting normalization';

Recommendation: Duplicate of finding 1312 (same file and line). Same disposition: false positive, log formatting only.


1316. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/monolog/monolog/src/Monolog/Formatter/LineFormatter.php:104 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$str .= "\n[previous exception] " . $this->formatException($previous);

Recommendation: Duplicate of finding 1313 (same file and line). Same disposition: false positive, log formatting only.


1317. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/monolog/monolog/src/Monolog/Formatter/LineFormatter.php:163 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\n[stacktrace]\n" . $trace . "\n";

Recommendation: Duplicate of finding 1314 (same file and line). Same disposition: false positive, log formatting only.


1318. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/symfony/validator/ConstraintViolation.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $class . $propertyPath . ":\n " . $this->getMessage() . $code;

Recommendation: No action for CWE-89. This is ConstraintViolation::__toString() in vendor-prefixed Symfony Validator rendering a violation for display; no query. False positive.


1319. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/symfony/validator/ConstraintViolation.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $class . $propertyPath . ":\n " . $this->getMessage() . $code;

Recommendation: Duplicate of finding 1318 (same file and line). Same disposition: false positive, display string only.


1320. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/symfony/polyfill-intl-grapheme/Grapheme.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$s = \preg_split('/(' . SYMFONY_GRAPHEME_CLUSTER_RX . ')/u', "\r\n" . $s, $size + 1, \PREG_SPLIT_NO_EMPTY | \PREG_SPLIT_DELIM_CAPTURE);

Recommendation: No action for CWE-89. The concatenation builds a preg_split() pattern from a library constant (SYMFONY_GRAPHEME_CLUSTER_RX) in the intl-grapheme polyfill; nothing reaches a database. False positive.


1321. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/symfony/polyfill-intl-grapheme/Grapheme.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$s = \preg_split('/(' . SYMFONY_GRAPHEME_CLUSTER_RX . ')/u', "\r\n" . $s, $size + 1, \PREG_SPLIT_NO_EMPTY | \PREG_SPLIT_DELIM_CAPTURE);

Recommendation: Duplicate of finding 1320 (same file and line). Same disposition: false positive, regex construction only.


1322. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/symfony/css-selector/XPath/Translator.php:28 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $element . "'";

Recommendation: No action for CWE-89. This quotes a string literal for an XPath expression in vendor-prefixed Symfony CssSelector; any quoting concern is XPath-side and belongs to that library, not to $wpdb. False positive.


1323. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/symfony/css-selector/XPath/Translator.php:28 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $element . "'";

Recommendation: Duplicate of finding 1322 (same file and line). Same disposition: false positive, XPath literal quoting only.


1324. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/symfony/css-selector/Node/FunctionNode.php:35 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $token->getValue() . "'";

Recommendation: No action for CWE-89. Quotes a token value for XPath output, same library as finding 1322. False positive.


1325. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/symfony/css-selector/Node/FunctionNode.php:35 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $token->getValue() . "'";

Recommendation: Duplicate of finding 1324 (same file and line). Same disposition: false positive, XPath literal quoting only.


1326. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/pelago/emogrifier/src/CssInliner.php:199 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$css .= "\n\n" . $styleNode->nodeValue;

Recommendation: No action for CWE-89. Appends the contents of a style element to a CSS buffer in vendor-prefixed Emogrifier (CSS inlining for e-mail); no query. False positive.


1327. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/pelago/emogrifier/src/CssInliner.php:199 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$css .= "\n\n" . $styleNode->nodeValue;

Recommendation: Duplicate of finding 1326 (same file and line). Same disposition: false positive, CSS text only.


1328. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/sabberworm/php-css-parser/src/OutputFormatter.php:142 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return \str_replace("\n", "\n" . $this->indent(), $sSpaceString);

Recommendation: No action for CWE-89. Inserts indentation after newlines while serialising CSS in vendor-prefixed php-css-parser; no query. False positive.


1329. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/sabberworm/php-css-parser/src/OutputFormatter.php:142 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return \str_replace("\n", "\n" . $this->indent(), $sSpaceString);

Recommendation: Duplicate of finding 1328 (same file and line). Same disposition: false positive, CSS output only.


1330. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/sabberworm/php-css-parser/src/Property/Import.php:38 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $oOutputFormat->comments($this) . "@import " . $this->oLocation->render($oOutputFormat) . ($this->sMediaQuery === null ? '' : ' ' . $this->sMediaQuery) . ';';

Recommendation: No action for CWE-89. Renders a CSS @import rule back to text, same library as finding 1328. False positive.


1331. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/sabberworm/php-css-parser/src/Property/Import.php:38 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $oOutputFormat->comments($this) . "@import " . $this->oLocation->render($oOutputFormat) . ($this->sMediaQuery === null ? '' : ' ' . $this->sMediaQuery) . ';';

Recommendation: Duplicate of finding 1330 (same file and line). Same disposition: false positive, CSS output only.


1332. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/cerdic/css-tidy/class.csstidy_print.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out = \str_replace("\n", "\n" . $template[10], $out);

Recommendation: No action for CWE-89. Applies an indentation template to CSS output in vendor-prefixed CSSTidy; no query. False positive.


1333. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mailpoet/vendor-prefixed/cerdic/css-tidy/class.csstidy_print.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out = \str_replace("\n", "\n" . $template[10], $out);

Recommendation: Duplicate of finding 1332 (same file and line). Same disposition: false positive, CSS output only.


1334. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-wp-migration-unlimited-extension/uninstall.php:50 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM `{$wpdb->options}` WHERE `option_name` LIKE 'ai1wmue\_%'" );

Recommendation: No change needed. The statement is a fixed DELETE whose only interpolated value is $wpdb->options, the core options table name, and the LIKE pattern is a constant with its underscore already escaped; $wpdb->prepare() has nothing to bind here. Record as a false positive. This is the plugin's uninstall.php, which WordPress runs only when the plugin is deleted.


1335. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-cloudflare-manager/cxq-cloudflare-manager.php:24 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

//protected $zone_api_token = '-xHZ2Ut7wyszICtT_MMJT9out0uHSltENvyi85Ic';

Recommendation: Treat as a live leak even though the line is commented out: the token sits in the source tree and in any version-control history. Revoke and reissue the Cloudflare token, purge the old value from history, and load the replacement from a wp-config.php constant or an environment variable rather than the plugin file.


1336. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-cloudflare-manager/cxq-cloudflare-manager.php:25 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

protected $api_key = '3b55771ba3f2a783a2baaa0c11f512b29c7d2'; //

Recommendation: Rotate this key (assume it is exposed), move the replacement to a wp-config.php constant or an environment variable, and scrub the old value from version-control history. Line 24 of the same file (finding 1335) carries a second credential in this class; handle both together.


1337. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/includes/providers/class-constant-contact.php:56 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

public $api_key = 'c58xq3r27udz59h9rrq7qnvf';

Recommendation: This key ships inside the published wpforms-lite plugin, so it is not a secret specific to this deployment and there is nothing to rotate locally. Confirm whether it is a public client identifier for the Constant Contact integration before treating it as a leak; if the integration is unused, remove the plugin or the provider file.


1338. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/src/Tasks/Actions/FormsLocatorScanTask.php:415 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "$wpdb->posts." . $field;

Recommendation: $wpdb->prepare() with %s will not help: $field is a column identifier, and a value placeholder would turn it into a quoted string rather than a column reference. Confirm that $field is restricted to a fixed allowlist of posts-table column names before it reaches this function; if it can be caller-supplied, validate it against that allowlist or use the %i identifier placeholder (WordPress 6.2 and later).


1339. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/src/Tasks/Actions/FormsLocatorScanTask.php:415 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "$wpdb->posts." . $field;

Recommendation: Duplicate of finding 1338 (same file and line). Same disposition: identifier, not a value; allowlist or %i, not %s.


1340. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/src/Tasks/Actions/Migration175Task.php:153 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$this->entry_meta_handler->table_name} MODIFY type VARCHAR(255)" );

Recommendation: The interpolated value is a table name from the plugin's own entry-meta handler, which the %s placeholder of $wpdb->prepare() cannot parameterise (identifiers are not values). Verify that table_name is built from $wpdb->prefix plus a constant and never from request input; if it must be dynamic, use the %i identifier placeholder (WordPress 6.2 and later). This is a one-off migration ALTER TABLE, not a request-time query.
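
Findings 1338 to 1340 concern identifiers (a column name and a table name), and the generic advice to reach for $wpdb->prepare() misses why that does not work: a value placeholder binds a string, so an identifier passed through it becomes a quoted literal rather than a column or table. The block below is an added example, not code from either plugin; it uses Python with sqlite3 as a stand-in for PHP and MySQL because the binding rule is the same in both, and the posts table, its two rows, the column allowlist and the payload string are constructed for the demonstration. It shows the unchecked pattern from finding 1338 leaking schema through a UNION in identifier position, the bound placeholder returning the literal name instead of data, and the allowlist check that is the actual fix (WordPress 6.2 and later additionally provide the %i identifier placeholder in $wpdb->prepare()).

```python
"""Why a value placeholder does not fix an interpolated identifier (added example;
sqlite3 stands in for PHP/MySQL, the binding rule is the same in both)."""
import sqlite3

# Assumed allowlist: the only columns this query is permitted to project.
ALLOWED_POST_COLUMNS = frozenset({"ID", "post_title", "post_status"})


def setup():
    """In-memory stand-in for the posts table with two constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT)")
    con.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                    [(1, "hello", "publish"), (2, "draft one", "draft")])
    return con


def select_unchecked(con, column):
    """The pattern behind finding 1338: the identifier is dropped into the SQL text."""
    return [row[0] for row in con.execute(f"SELECT {column} FROM posts")]


def select_bound_identifier(con, column):
    """The scanner's advice applied literally: a value placeholder in identifier position.
    The driver binds the column name as a string literal, so every row yields that string."""
    return [row[0] for row in con.execute("SELECT ? FROM posts", (column,))]


def select_allowlisted(con, column):
    """The fix that works for identifiers: reject anything outside the allowlist, then interpolate."""
    if column not in ALLOWED_POST_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    return [row[0] for row in con.execute(f'SELECT "{column}" FROM posts')]


# Constructed identifier-position payload: finishes the projection, unions in the schema
# table, and comments out the rest of the original statement.
SCHEMA_LEAK = "post_title FROM posts UNION SELECT sql FROM sqlite_master --"

if __name__ == "__main__":
    con = setup()
    print("unchecked  :", select_unchecked(con, SCHEMA_LEAK))
    print("bound      :", select_bound_identifier(con, "post_title"))
    print("allowlisted:", select_allowlisted(con, "post_title"))
```

The same three outcomes apply to the table name in finding 1340: a bound placeholder would produce a string where MySQL expects a table, so the choice is between a constant built from $wpdb->prefix and an allowlist (or %i) for anything dynamic.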


1341. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/tijsverkoyen/css-to-inline-styles/src/CssToInlineStyles.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $doctype . "\n" . $html;

Recommendation: No action for CWE-89. Joins a doctype and an HTML document string after CSS inlining in vendor_prefixed css-to-inline-styles; no query. False positive.


1342. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/tijsverkoyen/css-to-inline-styles/src/CssToInlineStyles.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $doctype . "\n" . $html;

Recommendation: Duplicate of finding 1341 (same file and line). Same disposition: false positive, HTML output only.


1343. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/symfony/css-selector/XPath/Translator.php:53 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $element . "'";

Recommendation: No action for CWE-89. Same XPath string-literal quoting as finding 1322, in the copy of Symfony CssSelector vendored under wpforms-lite. False positive.


1344. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/symfony/css-selector/XPath/Translator.php:53 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $element . "'";

Recommendation: Duplicate of finding 1343 (same file and line). Same disposition: false positive, XPath literal quoting only.


1345. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/symfony/css-selector/Node/FunctionNode.php:63 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $token->getValue() . "'";

Recommendation: No action for CWE-89. Same token quoting for XPath as finding 1324, in wpforms-lite's copy of Symfony CssSelector. False positive.


1346. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/symfony/css-selector/Node/FunctionNode.php:63 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $token->getValue() . "'";

Recommendation: Duplicate of finding 1345 (same file and line). Same disposition: false positive, XPath literal quoting only.


1347. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/square/square/example-autoload.php:53 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Error loading: " . $file . "\r\n";

Recommendation: No action for CWE-89. This echoes a file name to output in an example autoloader shipped with the vendored Square SDK; not a query. False positive, although example scripts in vendor trees are worth excluding from production builds.


1348. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/square/square/example-autoload.php:53 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Error loading: " . $file . "\r\n";

Recommendation: Duplicate of finding 1347 (same file and line). Same disposition: false positive, console output only.


1349. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/Printer.php:99 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $this->start('tr') . "\n" . $this->element('th', $name) . "\n" . $this->element('td', $value) . "\n" . $this->end('tr');

Recommendation: No action for CWE-89. Builds an HTML table row through HTMLPurifier's Printer helpers; the output is markup, not SQL. False positive.


1350. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/Printer.php:99 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $this->start('tr') . "\n" . $this->element('th', $name) . "\n" . $this->element('td', $value) . "\n" . $this->end('tr');

Recommendation: Duplicate of finding 1349 (same file and line). Same disposition: false positive, HTML output only.


1351. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/Config.php:474 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new HTMLPurifier_Exception("Cannot retrieve raw definition after it has already been setup" . $extra);

Recommendation: No action for CWE-89. Exception message in HTMLPurifier_Config; the $extra suffix is diagnostic text, not a query. False positive.


1352. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/Config.php:478 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new HTMLPurifier_Exception("Optimization status of definition is unknown" . $extra);

Recommendation: No action for CWE-89. Exception message, same file as finding 1351. False positive.


1353. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/Config.php:483 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new HTMLPurifier_Exception("Inconsistent use of optimized and unoptimized raw definition retrievals" . $extra);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1354. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/Config.php:474 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new HTMLPurifier_Exception("Cannot retrieve raw definition after it has already been setup" . $extra);

Recommendation: Use $wpdb->prepare() with placeholders


1355. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/Config.php:478 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new HTMLPurifier_Exception("Optimization status of definition is unknown" . $extra);

Recommendation: Use $wpdb->prepare() with placeholders


1356. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/Config.php:483 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new HTMLPurifier_Exception("Inconsistent use of optimized and unoptimized raw definition retrievals" . $extra);

Recommendation: Use $wpdb->prepare() with placeholders


1357. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/Encoder.php:453 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$result .= "&#" . $working . ";";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1358. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/Encoder.php:453 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$result .= "&#" . $working . ";";

Recommendation: Use $wpdb->prepare() with placeholders


1359. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/Printer/HTMLDefinition.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$list[] = "{$name}&nbsp;=&nbsp;<i>" . $this->getClass($obj, 'AttrDef_') . '</i>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1360. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/ezyang/htmlpurifier/library/HTMLPurifier/Printer/HTMLDefinition.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$list[] = "{$name}&nbsp;=&nbsp;<i>" . $this->getClass($obj, 'AttrDef_') . '</i>';

Recommendation: Use $wpdb->prepare() with placeholders


1361. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/apimatic/jsonmapper/src/JsonMapper.php:1334 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\\" . $class->getName();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1362. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/apimatic/jsonmapper/src/JsonMapper.php:1341 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$typeName = "\\" . $this->reflectionTypeToString($type);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1363. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/apimatic/jsonmapper/src/JsonMapper.php:1334 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\\" . $class->getName();

Recommendation: Use $wpdb->prepare() with placeholders


1364. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms-lite/vendor_prefixed/apimatic/jsonmapper/src/JsonMapper.php:1341 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$typeName = "\\" . $this->reflectionTypeToString($type);

Recommendation: Use $wpdb->prepare() with placeholders


1365. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/query-monitor/dispatchers/Html.php:1011 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $value . "'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1366. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/query-monitor/dispatchers/Html.php:1011 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $value . "'";

Recommendation: Use $wpdb->prepare() with placeholders


1367. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/query-monitor/collectors/logger.php:283 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message = $prefix . "\n" . $message;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1368. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/query-monitor/collectors/logger.php:283 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message = $prefix . "\n" . $message;

Recommendation: Use $wpdb->prepare() with placeholders


1369. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/wpforms/includes/providers/class-constant-contact.php:48 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

public $api_key = 'c58xq3r27udz59h9rrq7qnvf';

Recommendation: Move credentials to environment variables or secure configuration


1370. File upload without malware scanning detected

File: /var/www/html/wordpress/wp-content/plugins/wpforms/pro/includes/fields/class-file-upload.php:2118 CWE: CWE-434 Confidence: HIGH

Description: File upload without malware scanning detected

Code:

if ( false === move_uploaded_file( $path_from, $path_to ) ) {

Recommendation: Scan uploaded files with ClamAV or similar before moving to permanent location


1371. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/src/Tasks/Actions/FormsLocatorScanTask.php:415 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "$wpdb->posts." . $field;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1372. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/src/Tasks/Actions/FormsLocatorScanTask.php:415 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "$wpdb->posts." . $field;

Recommendation: Use $wpdb->prepare() with placeholders


1373. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/src/Tasks/Actions/Migration175Task.php:153 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$this->entry_meta_handler->table_name} MODIFY type VARCHAR(255)" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1374. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/src/Pro/Migrations/Upgrade133.php:38 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wpforms_entries ADD user_uuid VARCHAR(36)" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1375. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/src/Pro/Migrations/Upgrade143.php:138 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$upgraded = count( $wpdb->get_results( "SELECT DISTINCT entry_id FROM {$fields_table}" ) );

Recommendation: Use $wpdb->prepare() with placeholders


1376. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/src/Pro/Migrations/Upgrade189.php:31 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "ALTER TABLE {$wpdb->prefix}wpforms_entry_fields MODIFY COLUMN field_id VARCHAR(16);" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1377. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/src/Pro/Helpers/CSV.php:34 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value = "'" . $value;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1378. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/src/Pro/Helpers/CSV.php:34 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value = "'" . $value;

Recommendation: Use $wpdb->prepare() with placeholders


1379. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/src/Pro/Integrations/LiteConnect/Integration.php:512 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "\r\n\r\n" . $entries_url;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1380. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/src/Pro/Integrations/LiteConnect/Integration.php:512 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "\r\n\r\n" . $entries_url;

Recommendation: Use $wpdb->prepare() with placeholders


1381. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/src/Pro/Admin/Entries/Export/File.php:324 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<pre>" . $error . '</pre>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1382. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/src/Pro/Admin/Entries/Export/File.php:324 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<pre>" . $error . '</pre>';

Recommendation: Use $wpdb->prepare() with placeholders


1383. File upload without malware scanning detected

File: /var/www/html/wordpress/wp-content/plugins/wpforms/src/Pro/Forms/Fields/FileUpload/Chunk.php:386 CWE: CWE-434 Confidence: HIGH

Description: File upload without malware scanning detected

Code:

return @move_uploaded_file( $path_from, $path_to );

Recommendation: Scan uploaded files with ClamAV or similar before moving to permanent location


1384. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/vendor_prefixed/mk-j/php_xlsxwriter/xlsxwriter.class.php:138 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$zip->addFile($sheet->filename, "xl/worksheets/" . $sheet->xmlname);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1385. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/vendor_prefixed/mk-j/php_xlsxwriter/xlsxwriter.class.php:205 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$lookup_string = $number_format_idx . ";" . $cell_style_string;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1386. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/vendor_prefixed/mk-j/php_xlsxwriter/xlsxwriter.class.php:337 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sheet->merge_cells[] = $startCell . ":" . $endCell;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1387. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/vendor_prefixed/mk-j/php_xlsxwriter/xlsxwriter.class.php:867 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$escaped .= "\\" . $c;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1388. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/vendor_prefixed/mk-j/php_xlsxwriter/xlsxwriter.class.php:138 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$zip->addFile($sheet->filename, "xl/worksheets/" . $sheet->xmlname);

Recommendation: Use $wpdb->prepare() with placeholders


1389. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/vendor_prefixed/mk-j/php_xlsxwriter/xlsxwriter.class.php:205 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$lookup_string = $number_format_idx . ";" . $cell_style_string;

Recommendation: Use $wpdb->prepare() with placeholders


1390. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/vendor_prefixed/mk-j/php_xlsxwriter/xlsxwriter.class.php:337 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sheet->merge_cells[] = $startCell . ":" . $endCell;

Recommendation: Use $wpdb->prepare() with placeholders


1391. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/vendor_prefixed/mk-j/php_xlsxwriter/xlsxwriter.class.php:867 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$escaped .= "\\" . $c;

Recommendation: Use $wpdb->prepare() with placeholders


1392. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/vendor_prefixed/tijsverkoyen/css-to-inline-styles/src/CssToInlineStyles.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $doctype . "\n" . $html;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1393. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/vendor_prefixed/tijsverkoyen/css-to-inline-styles/src/CssToInlineStyles.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $doctype . "\n" . $html;

Recommendation: Use $wpdb->prepare() with placeholders


1394. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/vendor_prefixed/symfony/css-selector/XPath/Translator.php:76 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $element . "'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1395. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/vendor_prefixed/symfony/css-selector/XPath/Translator.php:76 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $element . "'";

Recommendation: Use $wpdb->prepare() with placeholders


1396. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/vendor_prefixed/symfony/css-selector/Node/FunctionNode.php:83 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $token->getValue() . "'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1397. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/wpforms/vendor_prefixed/symfony/css-selector/Node/FunctionNode.php:83 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'" . $token->getValue() . "'";

Recommendation: Use $wpdb->prepare() with placeholders


1398. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/helpers.php:1402 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\n<script type=\"text/javascript\">\n" . $script . "\n</script>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1399. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/helpers.php:1402 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\n<script type=\"text/javascript\">\n" . $script . "\n</script>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1400. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/database/class-db-base.php:384 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $wpdb->query( "TRUNCATE TABLE {$table_name}" ) !== false;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1401. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/database/class-db-base.php:398 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$result = $wpdb->query( "DROP TABLE IF EXISTS {$table_name}" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1402. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/database/class-migration.php:182 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->log_error( "Failed to add column {$column} to {$table_name}: " . $wpdb->last_error );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1403. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/database/class-migration.php:221 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->log_error( "Failed to modify column {$column} in {$table_name}: " . $wpdb->last_error );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1404. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/database/class-migration.php:264 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->log_error( "Failed to add index {$index_name} to {$table_name}: " . $wpdb->last_error );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1405. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/database/class-migration.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->log_error( "Failed to drop index {$index_name} from {$table_name}: " . $wpdb->last_error );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1406. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/database/class-migration.php:182 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->log_error( "Failed to add column {$column} to {$table_name}: " . $wpdb->last_error );

Recommendation: Use $wpdb->prepare() with placeholders


1407. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/database/class-migration.php:221 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->log_error( "Failed to modify column {$column} in {$table_name}: " . $wpdb->last_error );

Recommendation: Use $wpdb->prepare() with placeholders


1408. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/database/class-migration.php:264 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->log_error( "Failed to add index {$index_name} to {$table_name}: " . $wpdb->last_error );

Recommendation: Use $wpdb->prepare() with placeholders


1409. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/database/class-migration.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->log_error( "Failed to drop index {$index_name} from {$table_name}: " . $wpdb->last_error );

Recommendation: Use $wpdb->prepare() with placeholders


1410. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/database/tables/class-cache-table.php:228 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "OPTIMIZE TABLE {$table_name}" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1411. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/admin/licensing/autoupdate.php:60 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

add_filter( "monsterinsights_is_autoupdate_setting_html_filtered_" . $plugin_file, '__return_true' );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1412. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/admin/licensing/autoupdate.php:66 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

add_filter( "monsterinsights_is_autoupdate_setting_html_filtered_" . $plugin_file, '__return_true' );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1413. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/admin/licensing/autoupdate.php:60 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

add_filter( "monsterinsights_is_autoupdate_setting_html_filtered_" . $plugin_file, '__return_true' );

Recommendation: Use $wpdb->prepare() with placeholders


1414. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/google-analytics-for-wordpress/includes/admin/licensing/autoupdate.php:66 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

add_filter( "monsterinsights_is_autoupdate_setting_html_filtered_" . $plugin_file, '__return_true' );

Recommendation: Use $wpdb->prepare() with placeholders


1415. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/class.jetpack-cli.php:808 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

WP_CLI::success( "\t" . $option );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1416. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/class.jetpack-cli.php:808 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

WP_CLI::success( "\t" . $option );

Recommendation: Use $wpdb->prepare() with placeholders


1417. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/modules/likes.php:183 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$html = "<tbody id='likes' class='jetpack-targetable'>" . $html;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1418. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/modules/likes.php:183 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$html = "<tbody id='likes' class='jetpack-targetable'>" . $html;

Recommendation: Use $wpdb->prepare() with placeholders


1419. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/json-endpoints/class.wpcom-json-api-update-post-endpoint.php:533 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$input['content']       = "[gallery size=full columns=1]\n\n" . $input['content'];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1420. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/json-endpoints/class.wpcom-json-api-update-post-endpoint.php:538 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$input['content']       = "[gallery]\n\n" . $input['content'];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1421. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/json-endpoints/class.wpcom-json-api-update-post-endpoint.php:533 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$input['content']       = "[gallery size=full columns=1]\n\n" . $input['content'];

Recommendation: Use $wpdb->prepare() with placeholders


1422. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/json-endpoints/class.wpcom-json-api-update-post-endpoint.php:538 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$input['content']       = "[gallery]\n\n" . $input['content'];

Recommendation: Use $wpdb->prepare() with placeholders


1423. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/modules/shortcodes/slideshare.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$player .= " scrolling='" . $sc . "'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1424. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/modules/shortcodes/slideshare.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$player .= " scrolling='" . $sc . "'";

Recommendation: Use $wpdb->prepare() with placeholders


1425. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/modules/subscriptions/views.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "\n" . $after_widget; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1426. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/modules/subscriptions/views.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "\n" . $after_widget; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

Recommendation: Use $wpdb->prepare() with placeholders


1427. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/modules/widgets/gallery.php:161 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "\n" . $after_widget; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1428. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/modules/widgets/gallery.php:161 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "\n" . $after_widget; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

Recommendation: Use $wpdb->prepare() with placeholders


1429. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/modules/widgets/rsslinks-widget.php:82 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "\n" . $after_widget; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1430. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/modules/widgets/rsslinks-widget.php:82 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "\n" . $after_widget; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

Recommendation: Use $wpdb->prepare() with placeholders


1431. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/modules/widgets/image-widget.php:137 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "\n" . $args['after_widget']; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1433. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/modules/widget-visibility/widget-conditions.php:437 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification, although this is the one line in this run that really is a query. The only interpolated value is $wpdb->posts, the posts table name that WordPress derives from the configured table prefix in wp-config.php. No function argument, option value or request parameter reaches the string, so the query is effectively constant and cannot be injected into.

Code:

$pages = $wpdb->get_results( "SELECT {$wpdb->posts}.ID, {$wpdb->posts}.post_parent, {$wpdb->posts}.post_title, {$wpdb->posts}.post_status FROM {$wpdb->posts} WHERE {$wpdb->posts}.post_type = 'page' AND {$wpdb->posts}.post_status = 'publish' ORDER BY {$wpdb->posts}.post_title ASC" );

Recommendation: No security change is required. $wpdb->prepare() takes value placeholders (%s, %d, %f) and cannot parameterise a table name, so the generic advice does not even apply as written; WordPress 6.2 added a %i identifier placeholder if you want the linter to stop complaining. The check that matters is confirming that every variable inside the query string is a $wpdb table property and not a method argument or request value, which is the case here.


1434. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/modules/related-posts/jetpack-related-posts.php:239 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The line appends the server-rendered related-posts HTML to the post content string; nothing here touches the database layer, so CWE-89 does not apply.

Code:

$content .= "\n" . $this->get_server_rendered_html();

Recommendation: Close as false positive. A prepared statement has no role in a string that is never sent to MySQL; if escaping is the concern, review get_server_rendered_html() itself, where the markup is produced.


1435. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/modules/related-posts/jetpack-related-posts.php:241 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. This is the client-rendered counterpart of the previous line: a container for the related-posts script output is appended to the post content. No SQL is built or executed.

Code:

$content .= "\n" . $this->get_client_rendered_html();

Recommendation: Close as false positive; $wpdb->prepare() does not apply to HTML assembly. Any review belongs to the escaping inside get_client_rendered_html().


1438. Deprecated mysql_query() with user input

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/class.jetpack-search-performance-logger.php:75 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The rule matched the substring mysql_query inside the method name log_mysql_query(). This line declares a method that records query timing for the search performance logger; it does not call PHP's old mysql_query() function, which was removed in PHP 7.0 and cannot execute on a current WordPress install anyway.

Code:

public function log_mysql_query( $found_posts, $query ) {

Recommendation: Close as false positive. The rule should match a call, mysql_query( with no identifier character in front of it, rather than any token containing that name. To confirm there are no real uses, search the tree for calls to the mysql_ functions (not method or variable names) and check the PHP version in production.


1439. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/class.media-extractor.php:70 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. This joins a post's title and body with a blank line so the media extractor can scan the text for embedded images, links and shortcodes. It reads fields from a WP_Post object WordPress has already loaded and runs no query of its own.

Code:

$content  = $post->post_title . "\n\n" . $post->post_content;

Recommendation: Close as false positive; there is no SQL statement to prepare. The post fields are author-supplied content, so any review belongs to how the extracted media data is later used, not to this assignment.


1441. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/gfm.php:422 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. This is the GitHub-flavoured Markdown parser wrapping a fenced code block in a shortcode: sprintf() fills the opening shortcode template with the language class name, then the code and the closing shortcode are appended. No SQL is built or executed.

Code:

$codeblock = sprintf( $this->shortcode_start, $classname ) . "\n{$codeblock}" . $this->shortcode_end;

Recommendation: Close as false positive. $wpdb->prepare() does not apply to Markdown rendering; the relevant review is whether $classname is restricted to a safe token before it lands in the shortcode attribute, which this line alone cannot show.


1442. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/gfm.php:423 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The parser hands the assembled code block to hashBlock(), which swaps it for a placeholder so later Markdown passes leave it untouched, and pads it with blank lines. This is text processing, not a query.

Code:

return "\n\n" . $this->hashBlock( $codeblock ). "\n\n";

Recommendation: Close as false positive; no database call is involved.


1445. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:503 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The Markdown Extra parser emits a horizontal rule, an <hr> tag closed with the configured empty-element suffix, and protects it via hashBlock() so later passes skip it. The interpolated value is a parser configuration setting, not user input, and no SQL is involved.

Code:

"\n".$this->hashBlock("<hr$this->empty_element_suffix")."\n",

Recommendation: Close as false positive; nothing on this line reaches a database.


1446. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:817 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. This builds the HTML heading for an underlined (setext) Markdown header: $level is the computed heading level and $matches[1] is the header text after inline (span) processing. It is HTML generation, not a query.

Code:

$block = "<h$level>".$this->runSpanGamut($matches[1])."</h$level>";

Recommendation: Close as false positive. Markdown intentionally lets authors write inline HTML, so if untrusted users can author Markdown the control is a sanitiser on the rendered output, not $wpdb->prepare().


1447. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:818 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The finished heading is handed to hashBlock(), which replaces it with a placeholder so later Markdown passes do not reprocess it, and padded with newlines. No SQL is built or executed.

Code:

return "\n" . $this->hashBlock($block) . "\n\n";

Recommendation: Close as false positive; no database call is involved.


1448. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:822 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. This is the #-prefixed (atx) form of the heading callback: $level is the number of leading hashes and $matches[2] the heading text after span processing. HTML generation only, no query.

Code:

$block = "<h$level>".$this->runSpanGamut($matches[2])."</h$level>";

Recommendation: Close as false positive. If untrusted users can author Markdown, sanitise the rendered HTML; a prepared statement is irrelevant here.


1449. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:823 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. Same hashBlock() placeholder step as the setext heading above, applied to the atx heading. No SQL.

Code:

return "\n" . $this->hashBlock($block) . "\n\n";

Recommendation: Close as false positive; no database call is involved.


1450. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:907 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The parser wraps the rendered list items in the list container ($list_type is "ul" or "ol", chosen by the parser from the list marker) and hashes the block. HTML generation only.

Code:

$result = $this->hashBlock("<$list_type>\n" . $result . "</$list_type>");

Recommendation: Close as false positive; nothing on this line reaches a database.


1451. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:908 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. Newline padding around the hashed list placeholder; pure string handling.

Code:

return "\n". $result ."\n\n";

Recommendation: Close as false positive; no database call is involved.


1452. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:980 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. Each Markdown list item is wrapped in <li> tags. $item is the item's already-processed content; no SQL is built or executed.

Code:

return "<li>" . $item . "</li>\n";

Recommendation: Close as false positive. If untrusted users can author Markdown, sanitise the rendered HTML; $wpdb->prepare() does not apply.


1453. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:1012 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. An indented code block is hashed into a placeholder and padded with blank lines. Text processing, not a query.

Code:

return "\n\n".$this->hashBlock($codeblock)."\n\n";

Recommendation: Close as false positive; no database call is involved.


1454. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:1214 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The parser wraps blockquote content ($bq) in <blockquote> tags and hashes the result. HTML generation only.

Code:

return "\n". $this->hashBlock("<blockquote>\n$bq\n</blockquote>")."\n\n";

Recommendation: Close as false positive; nothing on this line reaches a database.


1455. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:1283 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification, and dead code: the line is commented out, so nothing on it executes. Even if it were live it would only concatenate HTML fragments.

Code:

//                  $graf = $div_open . "\n" . $div_content . "\n" . $div_close;

Recommendation: Close as false positive. A rule that fires on comment lines needs its matcher fixed to skip them, or every other finding from this rule has to be rechecked for the same defect.


1456. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:1387 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The parser prefixes an autolinked e-mail address with the mailto: scheme while building a link; no SQL is built or executed.

Code:

$addr = "mailto:" . $addr;

Recommendation: Close as false positive. The only review worth doing is how $addr is encoded into the href afterwards, and that is an HTML-escaping question, not one for $wpdb->prepare().


1457. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:2534 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. This is the Markdown Extra variant of the setext heading callback, which also carries the id/class attribute string in $attr. HTML generation only.

Code:

$block = "<h$level$attr>".$this->runSpanGamut($matches[1])."</h$level>";

Recommendation: Close as false positive. If untrusted users can author Markdown, the control is sanitising the rendered HTML (including the heading attributes), not a prepared statement.


1458. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:2535 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The heading is hashed into a placeholder and padded with newlines; no SQL.

Code:

return "\n" . $this->hashBlock($block) . "\n\n";

Recommendation: Close as false positive; no database call is involved.


1459. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:2540 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. Markdown Extra's atx heading callback with the attribute string in $attr. HTML generation only.

Code:

$block = "<h$level$attr>".$this->runSpanGamut($matches[2])."</h$level>";

Recommendation: Close as false positive; $wpdb->prepare() does not apply to Markdown rendering.


1460. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:2541 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. Same hashBlock() placeholder step for the atx heading; no SQL.

Code:

return "\n" . $this->hashBlock($block) . "\n\n";

Recommendation: Close as false positive; no database call is involved.


1461. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:2648 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The table extension emits one <th> per header cell; $attr[$n] is the per-column alignment attribute the parser derived from the separator row. HTML generation only.

Code:

$text .= "  <th$attr[$n]>".$this->runSpanGamut(trim($header))."</th>\n";

Recommendation: Close as false positive; nothing on this line reaches a database.


1462. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:2667 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The matching <td> emission for table body cells; same alignment attribute, same HTML-only behaviour.

Code:

$text .= "  <td$attr[$n]>".$this->runSpanGamut(trim($cell))."</td>\n";

Recommendation: Close as false positive; no database call is involved.


1463. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:2726 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. Rendered definition-list items are wrapped in <dl> tags. HTML generation only.

Code:

$result = "<dl>\n" . $result . "\n</dl>";

Recommendation: Close as false positive; nothing on this line reaches a database.


1464. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:2779 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. Each definition-list term is wrapped in <dt> tags; no SQL.

Code:

$text .= "\n<dt>" . $term . "</dt>";

Recommendation: Close as false positive; no database call is involved.


1465. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:2792 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. Newline padding around a definition body; pure string handling.

Code:

$def = "\n". $def ."\n";

Recommendation: Close as false positive; no database call is involved.


1466. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:2799 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The definition body is wrapped in <dd> tags; HTML generation only.

Code:

return "\n<dd>" . $def . "</dd>\n";

Recommendation: Close as false positive; nothing on this line reaches a database.


1467. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:2861 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. A fenced code block is hashed into a placeholder and padded with blank lines, the same step as the indented code block earlier. No SQL.

Code:

return "\n\n".$this->hashBlock($codeblock)."\n\n";

Recommendation: Close as false positive; no database call is involved.


1468. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:2984 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The footnotes section starts with an <hr> separator closed with the configured empty-element suffix; the interpolated value is parser configuration, not user input.

Code:

$text .= "<hr". $this->empty_element_suffix ."\n";

Recommendation: Close as false positive; nothing on this line reaches a database.


1469. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/_inc/lib/markdown/extra.php:3077 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The footnote callback re-emits a reference marker as the literal text [^id] when it cannot be resolved to a footnote; string handling only, no SQL.

Code:

return "[^".$matches[1]."]";

Recommendation: Close as false positive; no database call is involved.


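The run of extra.php findings above, like the widget and related-posts entries before it, shares one root cause: the rule fires on any string concatenation, not on strings that reach a SQL sink. The script below is an added triage filter written for this page; it is not part of the report, the scanner or any project it scanned. It re-classifies a flagged line by whether a database call or SQL text is present on that line and, if so, whether anything other than a $wpdb table name is interpolated into it. The sample findings are copied from entries in this section plus three constructed lines (labelled as such) showing what a genuine dynamic query, a constant query built without a sink, and a correctly prepared query look like. The regexes, class names and the assumption that $wpdb->prefix and the $wpdb table properties are not attacker-controlled are this example's own, not the scanner's.

```python
import re
from collections import Counter

# Flagged lines copied from the report entries above (file:line -> code), plus three
# constructed lines marked as such; nothing here is read from the scanned tree.
SAMPLE_FINDINGS = {
    "widgets/gallery.php:161":
        r"""echo "\n" . $after_widget; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped""",
    "widget-visibility/widget-conditions.php:437":
        r"""$pages = $wpdb->get_results( "SELECT {$wpdb->posts}.ID, {$wpdb->posts}.post_parent FROM {$wpdb->posts} WHERE {$wpdb->posts}.post_type = 'page' ORDER BY {$wpdb->posts}.post_title ASC" );""",
    "lib/class.jetpack-search-performance-logger.php:75":
        r"""public function log_mysql_query( $found_posts, $query ) {""",
    "lib/markdown/extra.php:980":
        r"""return "<li>" . $item . "</li>\n";""",
    "lib/markdown/extra.php:1283":
        r"""//                  $graf = $div_open . "\n" . $div_content . "\n" . $div_close;""",
    # constructed: request data concatenated straight into a query, the pattern CWE-89 is about
    "constructed.php:1":
        r"""$rows = $wpdb->get_results( "SELECT ID FROM {$wpdb->posts} WHERE post_title = '" . $_GET['q'] . "'" );""",
    # constructed: SQL text assembled without a sink on this line, only a table name interpolated
    "constructed.php:2":
        r"""$sql = "SELECT ID FROM {$wpdb->posts} WHERE post_status = 'publish'";""",
    # constructed: the form the report's recommendation actually asks for
    "constructed.php:3":
        r"""$row = $wpdb->get_row( $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} WHERE ID = %d", $post_id ) );""",
}

# A call that actually hands SQL to the database: a $wpdb query method, or the real
# mysql_query()/mysqli_query() function (not a longer identifier that merely contains it).
SQL_SINK = re.compile(
    r"\$wpdb->(?:query|get_results|get_var|get_row|get_col)\s*\("
    r"|(?<![A-Za-z0-9_])mysqli?_query\s*\("
)
PREPARED = re.compile(r"\$wpdb->prepare\s*\(")
# Coarse fallback for lines that build SQL text but call the sink elsewhere; the lookbehind
# keeps an HTML <select> tag from counting as a SELECT statement.
SQL_KEYWORD = re.compile(
    r"(?<![<\w])(?:SELECT\s|INSERT\s+INTO\s|UPDATE\s+\S+\s+SET\s|DELETE\s+FROM\s|REPLACE\s+INTO\s)",
    re.IGNORECASE,
)
# PHP variable references as they appear in interpolation or concatenation: $x, $x->y, $x['k']
VAR_REF = re.compile(r"\$[A-Za-z_]\w*(?:->[A-Za-z_]\w*|\[[^\]]*\])*")
# Table-name properties of the WordPress DB object ($wpdb->posts, $wpdb->prefix, ...); assumed trusted
WPDB_TABLE = re.compile(r"^\$wpdb->\w+$")


def triage(code: str) -> str:
    """Classify one flagged line. Classes:
    dead-code    - a comment; nothing executes
    not-sql      - no query sink and no SQL text; the concatenation builds HTML or plain text
    sql-prepared - $wpdb->prepare() is in use; verify the placeholders by hand
    sql-constant - SQL is built, but only $wpdb table names are interpolated
    sql-review   - SQL is built from other variables; the only class that needs prepare()
    """
    line = code.strip()
    if line.startswith(("//", "#", "/*", "*")):
        return "dead-code"
    if PREPARED.search(line):
        return "sql-prepared"
    sink = SQL_SINK.search(line)
    if sink is None and SQL_KEYWORD.search(line) is None:
        return "not-sql"
    # Only the text that becomes the query matters: the sink's argument list, or the
    # right-hand side of an assignment when the sink is on another line.
    query_part = line[sink.end():] if sink else line.split("=", 1)[-1]
    refs = set(VAR_REF.findall(query_part))
    if all(WPDB_TABLE.match(ref) for ref in refs):
        return "sql-constant"
    return "sql-review"


def summarize(findings: dict) -> Counter:
    """Tally findings by class; only sql-review should stay CRITICAL under CWE-89."""
    return Counter(triage(code) for code in findings.values())


if __name__ == "__main__":
    for location, code in SAMPLE_FINDINGS.items():
        print(f"{triage(code):13} {location}")
    print(dict(summarize(SAMPLE_FINDINGS)))
```

Feed every finding's Code line through triage() to re-bucket the whole report: only sql-review deserves the "use $wpdb->prepare()" recommendation, sql-constant needs a quick look to confirm the interpolated names really are $wpdb table properties, and not-sql and dead-code should be re-tagged (usually as an output-escaping question) or closed. The keyword fallback is deliberately coarse and looks at one physical line, so it will miss queries assembled across several statements; treat the result as a first cut that shrinks the CRITICAL list, not as proof that no injection exists.
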
1495. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form.php:1160 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. This is one physical line out of a multi-line HTML string that builds the contact form's wrapper element; it sets the id attribute from $element_id. No query is built or executed, so CWE-89 does not apply.

Code:

id='" . $element_id . "'

Recommendation: Close as false positive; $wpdb->prepare() is for SQL. The line does raise an output-escaping (CWE-79) question: confirm $element_id is passed through esc_attr() where it is computed, which this fragment alone does not show.


1497. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:922 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. A fragment of the <input> tag markup for a form field: the class attribute string and the placeholder attribute string are concatenated into the tag. HTML generation only.

Code:

" . $class . $placeholder . '

Recommendation: Close as CWE-89 false positive. If kept, re-tag as an output-escaping check that $class and $placeholder are built from esc_attr()-escaped parts before this point.


1498. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:925 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The <input> tag is closed and the field's validation-error container from get_error_div() is appended. No SQL.

Code:

" />\n " . $this->get_error_div( $id, $type ) . " \n";

Recommendation: Close as false positive; no database call is involved. Escaping of the error container belongs to get_error_div() itself.


1499. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:1212 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. A fragment of a multi-line markup string that sets an inline style attribute from the field's computed styles. HTML generation only.

Code:

style='" . $this->field_styles . "'

Recommendation: Close as CWE-89 false positive. The only question is whether $this->field_styles is attribute-escaped where it is assembled; a prepared statement is irrelevant.


1500. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:1230 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The <textarea> is closed and the validation-error container appended, the textarea counterpart of the input line above. No SQL.

Code:

. "</textarea>\n " . $this->get_error_div( $id, 'textarea' ) . "\n";

Recommendation: Close as false positive; no database call is involved.


1501. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:1395 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. This builds a checkbox <input> tag in the normal WordPress way: $id and the "Yes" label already go through esc_attr() and esc_attr__(), and checked() emits the checked attribute. It is HTML generation, not a query, so CWE-89 does not apply.

Code:

$field .= "<input id='" . esc_attr( $id ) . "' type='checkbox' data-wp-on--change='actions.onFieldChange' name='" . esc_attr( $id ) . "' value='" . esc_attr__( 'Yes', 'jetpack-forms' ) . "' " . $class . checked( (bool) $value, true, false ) . ' ' . ( $required ? "required aria-required='true'" : '' ) . "/> \n";

Recommendation: Close as false positive. The one piece not visibly escaped on this line is $class; confirm it is built from escaped parts upstream and treat that as an output-escaping (CWE-79) item, not a SQL one.


1502. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:1422 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The simpler checkbox markup variant; $id and the label are escaped with esc_attr() and esc_attr__(). HTML generation only.

Code:

$field .= "\t\t<input type='checkbox' name='" . esc_attr( $id ) . "' value='" . esc_attr__( 'Yes', 'jetpack-forms' ) . "' " . $class . "/> \n";

Recommendation: Close as CWE-89 false positive; if kept, re-tag as an output-escaping check on $class only.


1503. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:1725 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. Opens the <fieldset> for a multiple-choice checkbox group, interpolating the fieldset id, option classes and option styles, plus a data-required marker and an interactivity binding. HTML generation only.

Code:

$field = "<fieldset {$fieldset_id} class='grunion-checkbox-multiple-options " . $options_classes . "' style='" . $options_styles . "' " . ( $required ? 'data-required' : '' ) . ' data-wp-bind--aria-invalid="state.fieldHasErrors">';

Recommendation: Close as CWE-89 false positive. The attribute values $options_classes and $options_styles are not visibly escaped on this line; confirm where they are assembled and track that as an output-escaping (CWE-79) item.


1504. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:1733 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. The <div> variant of the same checkbox-group wrapper, with the same class and style attributes. No SQL.

Code:

$field .= "<div class='grunion-checkbox-multiple-options " . $options_classes . "' style='" . $options_styles . "' " . '>';

Recommendation: Close as CWE-89 false positive; same escaping follow-up as the fieldset line.


1505. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:1836 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. Emits the empty placeholder <option> of a <select> field, using the block's togglelabel attribute as the visible text. HTML generation only.

Code:

$field .= "\t\t<option value=''>" . $this->get_attribute( 'togglelabel' ) . "</option>\n";

Recommendation: Close as CWE-89 false positive. The label text is not visibly escaped on this line; confirm that get_attribute() returns sanitised block attributes or wrap the value in esc_html(), and track it as an output-escaping item.


1506. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:2191 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. One physical line of a multi-line markup string that sets an input's id attribute from $input_id. No query is built or executed.

Code:

id='" . $input_id . "'

Recommendation: Close as CWE-89 false positive; if kept, re-tag as an output-escaping check that $input_id is attribute-escaped where it is computed.


1507. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:2509 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. Builds the class attribute for a field from its trimmed type name and the escaped extra classes. HTML generation only.

Code:

$field_class = "class='" . $trimmed_type . ' ' . esc_attr( $class ) . "' ";

Recommendation: Close as CWE-89 false positive. $class is already escaped; $trimmed_type is not visibly escaped on this line, so confirm it is restricted to a known field type before closing.


1508. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:2519 CWE: CWE-89 Confidence: HIGH

Description: Scanner misclassification. Builds the class attribute of the field's wrapper element from the wrapper classes, the field type and the escaped extra wrap classes. HTML generation only.

Code:

$shell_field_class = "class='" . $field_wrapper_classes . 'grunion-field-' . $trimmed_type . '-wrap ' . esc_attr( $wrap_classes ) . "' ";

Recommendation: Close as CWE-89 false positive; same escaping follow-up on $trimmed_type and $field_wrapper_classes as the previous line.


1516. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:1733 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field .= "<div class='grunion-checkbox-multiple-options " . $options_classes . "' style='" . $options_styles . "' " . '>';

Recommendation: Use $wpdb->prepare() with placeholders


1517. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:1836 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field .= "\t\t<option value=''>" . $this->get_attribute( 'togglelabel' ) . "</option>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1518. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:2191 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

id='" . $input_id . "'

Recommendation: Use $wpdb->prepare() with placeholders


1519. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:2509 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_class = "class='" . $trimmed_type . ' ' . esc_attr( $class ) . "' ";

Recommendation: Use $wpdb->prepare() with placeholders


1520. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-field.php:2519 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$shell_field_class = "class='" . $field_wrapper_classes . 'grunion-field-' . $trimmed_type . '-wrap ' . esc_attr( $wrap_classes ) . "' ";

Recommendation: Use $wpdb->prepare() with placeholders


1521. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-plugin.php:3207 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field = "'" . $field;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1522. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/class-contact-form-plugin.php:3207 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field = "'" . $field;

Recommendation: Use $wpdb->prepare() with placeholders


1523. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-search/src/instant-search/class-instant-search.php:639 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return preg_replace( $column_end_pattern, "\n" . $search_block . "\n$1", $block_content, 1 );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1524. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-search/src/instant-search/class-instant-search.php:645 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return preg_replace( $group_start_pattern, "$1\n" . $search_block . "\n", $block_content, 1 );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1525. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-search/src/instant-search/class-instant-search.php:639 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return preg_replace( $column_end_pattern, "\n" . $search_block . "\n$1", $block_content, 1 );

Recommendation: Use $wpdb->prepare() with placeholders


1526. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-search/src/instant-search/class-instant-search.php:645 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return preg_replace( $group_start_pattern, "$1\n" . $search_block . "\n", $block_content, 1 );

Recommendation: Use $wpdb->prepare() with placeholders


1527. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-backup-helper-script-manager/src/class-helper-script-manager-impl.php:259 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$failure_paths_and_reasons[] = "directory '$directory': " . $url->get_error_message();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1528. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-backup-helper-script-manager/src/class-helper-script-manager-impl.php:279 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$failure_paths_and_reasons[] = "directory '$directory' (URL '$url'): " . $exception->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1529. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-backup-helper-script-manager/src/class-helper-script-manager-impl.php:350 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"Unable to delete helper script at '$path': " . $exception->getMessage(),

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1530. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-backup-helper-script-manager/src/class-helper-script-manager-impl.php:259 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$failure_paths_and_reasons[] = "directory '$directory': " . $url->get_error_message();

Recommendation: Use $wpdb->prepare() with placeholders


1531. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-backup-helper-script-manager/src/class-helper-script-manager-impl.php:279 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$failure_paths_and_reasons[] = "directory '$directory' (URL '$url'): " . $exception->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


1532. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-backup-helper-script-manager/src/class-helper-script-manager-impl.php:350 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"Unable to delete helper script at '$path': " . $exception->getMessage(),

Recommendation: Use $wpdb->prepare() with placeholders


1533. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-connection/src/class-tokens.php:335 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

* All tokens look like "{$token_key}.{$private}". $token_key is a public ID for the

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1534. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-connection/src/class-tokens.php:335 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

* All tokens look like "{$token_key}.{$private}". $token_key is a public ID for the

Recommendation: Use $wpdb->prepare() with placeholders


1535. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-waf/src/class-brute-force-protection.php:603 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

public function check_preauth( $user = 'Not Used By Protect', $username = 'Not Used By Protect', $password = 'Not Used By Protect' ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable

Recommendation: Move credentials to environment variables or secure configuration


1536. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-sync/src/modules/class-woocommerce.php:367 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$query = "SELECT count(*) FROM $this->order_item_table_name WHERE " . $this->get_where_sql( $config );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1537. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-sync/src/modules/class-woocommerce.php:367 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$query = "SELECT count(*) FROM $this->order_item_table_name WHERE " . $this->get_where_sql( $config );

Recommendation: Use $wpdb->prepare() with placeholders


1538. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-sync/src/modules/class-posts.php:272 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$query = "SELECT count(*) FROM $wpdb->posts WHERE " . $this->get_where_sql( $config );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1539. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-sync/src/modules/class-posts.php:272 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$query = "SELECT count(*) FROM $wpdb->posts WHERE " . $this->get_where_sql( $config );

Recommendation: Use $wpdb->prepare() with placeholders


1540. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-sync/src/modules/class-full-sync.php:351 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$results = $wpdb->get_results( "SELECT MAX({$id}) as max, MIN({$id}) as min, COUNT({$id}) as count FROM {$table} WHERE {$where_sql}" );

Recommendation: Use $wpdb->prepare() with placeholders


1541. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-sync/src/modules/class-woocommerce-products.php:231 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$query = "SELECT count(*) FROM {$this->table()} WHERE " . $this->get_where_sql( $config );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1542. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-sync/src/modules/class-woocommerce-products.php:231 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$query = "SELECT count(*) FROM {$this->table()} WHERE " . $this->get_where_sql( $config );

Recommendation: Use $wpdb->prepare() with placeholders


1543. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-sync/src/modules/class-full-sync-immediately.php:317 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$results = $wpdb->get_results( "SELECT MAX({$id}) as max, MIN({$id}) as min, COUNT({$id}) as count FROM {$table} WHERE {$where_sql}" );

Recommendation: Use $wpdb->prepare() with placeholders


1544. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-sync/src/replicastore/class-table-checksum.php:479 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$result = $wpdb->get_results( "SHOW COLUMNS FROM {$this->table}", ARRAY_A );

Recommendation: Use $wpdb->prepare() with placeholders


1545. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-sync/src/sync-queue/class-queue-storage-table.php:142 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$query = $wpdb->query( "SELECT count(`ID`) FROM {$this->table_name}" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1546. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-sync/src/sync-queue/class-queue-storage-table.php:190 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return (bool) $wpdb->query( "DROP TABLE {$this->table_name}" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1547. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-sync/src/sync-queue/class-queue-storage-table.php:687 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM {$custom_table_name}" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1548. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-firewall/httpBL.class.php:196 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "Threat Rating: " . $this->getThreatRating() . " / 255" . $line_end;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1549. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-firewall/httpBL.class.php:197 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "Recency: ". $this->getRecency() . " / 255" . $line_end;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1550. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-firewall/httpBL.class.php:196 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "Threat Rating: " . $this->getThreatRating() . " / 255" . $line_end;

Recommendation: Use $wpdb->prepare() with placeholders


1551. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-firewall/httpBL.class.php:197 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "Recency: ". $this->getRecency() . " / 255" . $line_end;

Recommendation: Use $wpdb->prepare() with placeholders


1552. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-firewall/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1553. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-firewall/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1554. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-firewall/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


1555. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-firewall/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


1556. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-firewall/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1557. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-firewall/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1558. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-firewall/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


1559. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-firewall/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


1560. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/cxq-facebot.php:1766 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$url = "http://" . $url;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1561. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/cxq-facebot.php:322 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$locations = $wpdb->get_results("SELECT * FROM `{$this->table_names['locations']}` order by region, city");

Recommendation: Use $wpdb->prepare() with placeholders


1562. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/cxq-facebot.php:1278 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//$facebook_ids = $wpdb->get_results("SELECT `facebook_id` FROM {$this->table_names['archive']};");

Recommendation: Use $wpdb->prepare() with placeholders


1563. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/cxq-facebot.php:1766 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$url = "http://" . $url;

Recommendation: Use $wpdb->prepare() with placeholders


1564. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/show_main_page.php:152 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$locations = $wpdb->get_results("SELECT * FROM `{$this->table_names['locations']}` order by region, city");

Recommendation: Use $wpdb->prepare() with placeholders


1565. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/CxQ_FaceBot_Conditioner.php:549 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//$display_value.="<input type=\"hidden\" name=\"old_status\" value=\"".$this->get_matches('facebot',$place)[0]->status."\">";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1566. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/CxQ_FaceBot_Conditioner.php:86 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->_matches[$id]['facebot'] = $wpdb->get_results("SELECT * FROM {$this->table_name} WHERE `{$record_identifier_key}`={$place[$record_identifier_key]}");

Recommendation: Use $wpdb->prepare() with placeholders


1567. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/CxQ_FaceBot_Conditioner.php:549 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//$display_value.="<input type=\"hidden\" name=\"old_status\" value=\"".$this->get_matches('facebot',$place)[0]->status."\">";

Recommendation: Use $wpdb->prepare() with placeholders


1568. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/class-rest-api.php:3557 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ FaceBot SSE: Exception processing item {$item->id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1569. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/class-rest-api.php:3611 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ FaceBot SSE: Loop error for item {$item->id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1570. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/class-rest-api.php:3737 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Playwright retry: Exception - " . $e->getMessage() . "\n" . $e->getTraceAsString());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1571. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/class-rest-api.php:3557 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ FaceBot SSE: Exception processing item {$item->id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


1572. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/class-rest-api.php:3611 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ FaceBot SSE: Loop error for item {$item->id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


1573. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/class-rest-api.php:3737 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Playwright retry: Exception - " . $e->getMessage() . "\n" . $e->getTraceAsString());

Recommendation: Use $wpdb->prepare() with placeholders


1574. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/class-rest-api.php:2063 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

var token = '{$token}';

Recommendation: Move credentials to environment variables or secure configuration


1575. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/tests/extraction-test.php:339 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  ✗ EXCEPTION: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1576. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/tests/extraction-test.php:339 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  ✗ EXCEPTION: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1577. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/tools/site-discovery.php:1766 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$errors[] = "Failed to insert $domain: " . $stmt->error;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1578. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/tools/site-discovery.php:1766 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$errors[] = "Failed to insert $domain: " . $stmt->error;

Recommendation: Use $wpdb->prepare() with placeholders


1579. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1580. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1581. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


1582. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


1583. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1584. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1585. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


1586. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


1587. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/migration/migrate-to-places.php:244 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->log("Error creating place from record #{$record->id}: " . $place_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1588. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/migration/migrate-to-places.php:244 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->log("Error creating place from record #{$record->id}: " . $place_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders


1589. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:623 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$sources_table} ADD COLUMN domain VARCHAR(255) AFTER source_url");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1590. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:624 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$sources_table} ADD INDEX idx_domain (domain)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1591. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:648 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$sources_table} ADD COLUMN phone_normalized VARCHAR(20) AFTER phone");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1592. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:649 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$sources_table} ADD INDEX idx_phone_normalized (phone_normalized)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1593. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:675 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$sources_table} ADD COLUMN parent_source_id BIGINT(20) UNSIGNED AFTER detected_category");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1594. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:676 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$sources_table} ADD INDEX idx_parent_source_id (parent_source_id)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1595. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:688 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$sources_table} ADD COLUMN quality_score TINYINT UNSIGNED DEFAULT NULL AFTER status");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1596. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:689 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$sources_table} ADD INDEX idx_quality_score (quality_score)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1597. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:701 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$sources_table} ADD COLUMN requires_js TINYINT(1) DEFAULT 0 AFTER quality_score");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1598. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:729 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$queue_table} ADD COLUMN referrer_url VARCHAR(2048) DEFAULT NULL AFTER discovered_from");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1599. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:741 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$queue_table} ADD COLUMN api_token_id BIGINT(20) UNSIGNED DEFAULT NULL AFTER referrer_url");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1600. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:742 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$queue_table} ADD INDEX idx_api_token_id (api_token_id)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1601. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:754 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$queue_table} ADD COLUMN submission_context JSON DEFAULT NULL AFTER api_token_id");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1602. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:766 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$queue_table} ADD COLUMN redirect_to VARCHAR(2048) DEFAULT NULL AFTER status");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1603. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:767 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$queue_table} ADD COLUMN redirect_chain JSON DEFAULT NULL AFTER redirect_to");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1604. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:768 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$queue_table} ADD COLUMN canonical_url_hash CHAR(64) DEFAULT NULL AFTER redirect_chain");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1605. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:769 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$queue_table} ADD INDEX idx_canonical_url_hash (canonical_url_hash)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1606. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:793 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$queue_table} ADD COLUMN use_browser TINYINT(1) DEFAULT 0 AFTER priority");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1607. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:794 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$queue_table} ADD INDEX idx_use_browser (use_browser)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1608. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:806 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$queue_table} ADD COLUMN browser_attempts TINYINT UNSIGNED DEFAULT 0 AFTER use_browser");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1609. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:818 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$queue_table} ADD COLUMN last_http_status SMALLINT UNSIGNED DEFAULT NULL AFTER last_error");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1610. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:830 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$queue_table} ADD COLUMN protection_type VARCHAR(50) DEFAULT NULL AFTER last_http_status");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1611. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:852 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$links_table} ADD COLUMN entity_type VARCHAR(20) DEFAULT 'place' AFTER place_id");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1612. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:853 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("ALTER TABLE {$links_table} ADD INDEX idx_entity_type (entity_type, place_id)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1613. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/includes/database/class-source-tables.php:856 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("UPDATE {$links_table} SET entity_type = 'place' WHERE entity_type IS NULL");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1614. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/src/Services/CrawlQueueService.php:523 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ FaceBot: Could not mark item {$item->id} as failed: " . $markError->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1615. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/src/Services/CrawlQueueService.php:523 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ FaceBot: Could not mark item {$item->id} as failed: " . $markError->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


1616. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-facebot/src/Repositories/DomainBlacklistRepository.php:430 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("TRUNCATE TABLE {$table}");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1617. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-addons/includes/groups/class-wc-product-addons-group-validator.php:101 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception( "Invalid value given for '{$data_key}': " . $e->getMessage() );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1618. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-addons/includes/groups/class-wc-product-addons-group-validator.php:101 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception( "Invalid value given for '{$data_key}': " . $e->getMessage() );

Recommendation: Use $wpdb->prepare() with placeholders


1619. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-addons/legacy/groups/class-product-addon-group-validator.php:101 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception( "Invalid value given for '{$data_key}': " . $e->getMessage() );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1620. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-addons/legacy/groups/class-product-addon-group-validator.php:101 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception( "Invalid value given for '{$data_key}': " . $e->getMessage() );

Recommendation: Use $wpdb->prepare() with placeholders


1621. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-addons/legacy/includes/groups/class-product-addon-group-validator.php:101 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception( "Invalid value given for '{$data_key}': " . $e->getMessage() );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1622. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/woocommerce-product-addons/legacy/includes/groups/class-product-addon-group-validator.php:101 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception( "Invalid value given for '{$data_key}': " . $e->getMessage() );

Recommendation: Use $wpdb->prepare() with placeholders


1623. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/init.php:499 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$lastErrorMessage = "\n\nLast error: ".$lastError['message'];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1624. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/init.php:499 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$lastErrorMessage = "\n\nLast error: ".$lastError['message'];

Recommendation: Use $wpdb->prepare() with placeholders


1625. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/functions.php:151 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$toKeep = $wpdb->get_results("SELECT ID FROM {$wpdb->posts} WHERE post_type = 'revision' AND post_parent = '{$revision->post_parent}' ORDER BY post_date DESC LIMIT ".$num_rev);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1626. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/functions.php:163 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("DELETE FROM {$wpdb->posts} WHERE post_type = 'revision' AND post_parent = '{$revision->post_parent}' AND ID NOT IN ({$keepQuery})");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1627. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/functions.php:243 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("DELETE FROM {$wpdb->comments} WHERE comment_ID IN ($commentIdsList)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1628. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/functions.php:244 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("DELETE FROM {$wpdb->commentmeta} WHERE comment_id IN ($commentIdsList)");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1629. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/functions.php:144 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$allRevisions = $wpdb->get_results("SELECT post_parent FROM {$wpdb->posts} WHERE post_type = 'revision' AND post_parent != 0 GROUP BY post_parent HAVING COUNT(ID) > {$num_rev}");

Recommendation: Use $wpdb->prepare() with placeholders


1630. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/functions.php:151 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$toKeep = $wpdb->get_results("SELECT ID FROM {$wpdb->posts} WHERE post_type = 'revision' AND post_parent = '{$revision->post_parent}' ORDER BY post_date DESC LIMIT ".$num_rev);

Recommendation: Use $wpdb->prepare() with placeholders


1631. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Stats.php:306 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$timeoutsToDelete[] = "'".$timeoutName.$transient."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1632. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Stats.php:307 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$transient          = "'".$name.$transient."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1633. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Stats.php:306 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$timeoutsToDelete[] = "'".$timeoutName.$transient."'";

Recommendation: Use $wpdb->prepare() with placeholders


1634. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Stats.php:307 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$transient          = "'".$name.$transient."'";

Recommendation: Use $wpdb->prepare() with placeholders


1635. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Stats.php:483 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$network_blogs = (array)$wpdb->get_results("select `blog_id`, `site_id` from `{$wpdb->blogs}`");

Recommendation: Use $wpdb->prepare() with placeholders


1636. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Comment.php:33 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$comment_array[] = "'".$status_val."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1637. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Comment.php:40 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql_query = "$wpdb->comments as c, $wpdb->posts as p WHERE c.comment_post_ID = p.ID ".$where;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1638. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Comment.php:42 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$comments_total    = $wpdb->get_results("SELECT count(*) as total_comments FROM ".$sql_query);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1639. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Comment.php:46 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$query_comments = $wpdb->get_results("SELECT c.comment_ID, c.comment_post_ID, c.comment_author, c.comment_author_email, c.comment_author_url, c.comment_author_IP, c.comment_date, c.comment_content, c.comment_approved, c.comment_parent, p.post_title, p.post_type, p.guid FROM ".$sql_query." ORDER BY c.comment_date DESC LIMIT 500");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1640. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Comment.php:59 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$select_parent_author     = "SELECT comment_author FROM $wpdb->comments WHERE comment_ID = ".$comments_info->comment_parent;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1641. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Comment.php:33 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$comment_array[] = "'".$status_val."'";

Recommendation: Use $wpdb->prepare() with placeholders


1642. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Comment.php:40 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql_query = "$wpdb->comments as c, $wpdb->posts as p WHERE c.comment_post_ID = p.ID ".$where;

Recommendation: Use $wpdb->prepare() with placeholders


1643. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Comment.php:42 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$comments_total    = $wpdb->get_results("SELECT count(*) as total_comments FROM ".$sql_query);

Recommendation: Use $wpdb->prepare() with placeholders


1644. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Comment.php:46 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$query_comments = $wpdb->get_results("SELECT c.comment_ID, c.comment_post_ID, c.comment_author, c.comment_author_email, c.comment_author_url, c.comment_author_IP, c.comment_date, c.comment_content, c.comment_approved, c.comment_parent, p.post_title, p.post_type, p.guid FROM ".$sql_query." ORDER BY c.comment_date DESC LIMIT 500");

Recommendation: Use $wpdb->prepare() with placeholders


1645. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Comment.php:59 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$select_parent_author     = "SELECT comment_author FROM $wpdb->comments WHERE comment_ID = ".$comments_info->comment_parent;

Recommendation: Use $wpdb->prepare() with placeholders


1646. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Core.php:450 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return apply_filters("site_transient_".$option_name, $transient);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1647. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Core.php:241 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$network_blogs = $wpdb->get_results("select `blog_id`, `site_id` from `{$wpdb->blogs}`");

Recommendation: Use $wpdb->prepare() with placeholders


1648. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Core.php:406 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$networkBlogs = $wpdb->get_results("select `blog_id` from `{$wpdb->blogs}`");

Recommendation: Use $wpdb->prepare() with placeholders


1649. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MMB/Core.php:450 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return apply_filters("site_transient_".$option_name, $transient);

Recommendation: Use $wpdb->prepare() with placeholders


1650. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/Monolog/Formatter/HtmlFormatter.php:55 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<tr style=\"padding: 4px;spacing: 0;text-align: left;\">\n<th style=\"background: #cccccc\" width=\"100px\">$th:</th>\n<td style=\"padding: 4px;spacing: 0;text-align: left;background: #eeeeee\">".$td."</td>\n</tr>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1651. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/Monolog/Formatter/HtmlFormatter.php:55 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<tr style=\"padding: 4px;spacing: 0;text-align: left;\">\n<th style=\"background: #cccccc\" width=\"100px\">$th:</th>\n<td style=\"padding: 4px;spacing: 0;text-align: left;background: #eeeeee\">".$td."</td>\n</tr>";

Recommendation: Use $wpdb->prepare() with placeholders


1652. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/File/ASN1.php:448 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$current['content'] .= ".$valuen";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1653. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/File/ASN1.php:448 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$current['content'] .= ".$valuen";

Recommendation: Use $wpdb->prepare() with placeholders


1654. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/File/X509.php:3712 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->currentCert['signature'] = base64_encode("\0".$key->sign($this->signatureSubject));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1655. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/File/X509.php:3712 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->currentCert['signature'] = base64_encode("\0".$key->sign($this->signatureSubject));

Recommendation: Use $wpdb->prepare() with placeholders


1656. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/Net/SSH2.php:3152 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->errors[count($this->errors)] .= "\r\n".$this->_string_shift($response, $length);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1657. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/Net/SSH2.php:3152 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->errors[count($this->errors)] .= "\r\n".$this->_string_shift($response, $length);

Recommendation: Use $wpdb->prepare() with placeholders


1658. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/Net/SFTP.php:2722 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<pre>\r\n".$this->_format_log(array($data), array($packet_type))."\r\n</pre>\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1659. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/Net/SFTP.php:2800 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<pre>\r\n".$this->_format_log(array($packet), array($packet_type))."\r\n</pre>\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1660. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/Net/SFTP.php:2722 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<pre>\r\n".$this->_format_log(array($data), array($packet_type))."\r\n</pre>\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1661. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/Net/SFTP.php:2800 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<pre>\r\n".$this->_format_log(array($packet), array($packet_type))."\r\n</pre>\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1662. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/Net/SSH1.php:1671 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<pre>\r\n".$this->_format_log(array($message), array($protocol_flags))."\r\n</pre>\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1663. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/Net/SSH1.php:1671 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<pre>\r\n".$this->_format_log(array($message), array($protocol_flags))."\r\n</pre>\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1664. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/Crypt/RSA.php:788 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$key .= "\r\nComment: ".$this->comment."\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1665. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/Crypt/RSA.php:2631 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$m2          = "\0\0\0\0\0\0\0\0".$mHash.$salt;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1666. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/Crypt/RSA.php:2687 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$m2   = "\0\0\0\0\0\0\0\0".$mHash.$salt;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1667. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/Crypt/RSA.php:788 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$key .= "\r\nComment: ".$this->comment."\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1668. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/Crypt/RSA.php:2631 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$m2          = "\0\0\0\0\0\0\0\0".$mHash.$salt;

Recommendation: Use $wpdb->prepare() with placeholders


1669. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/PHPSecLib/Crypt/RSA.php:2687 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$m2   = "\0\0\0\0\0\0\0\0".$mHash.$salt;

Recommendation: Use $wpdb->prepare() with placeholders


1670. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Migration/Migration.php:59 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$locked = $wpdb->query("INSERT INTO {$wpdb->prefix}options SET option_name = '$lockName', option_value = '$currentTimestamp'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1671. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Migration/Migration.php:67 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$released = $wpdb->query("DELETE FROM {$wpdb->prefix}options WHERE option_name = '$lockName'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1672. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Migration/Migration.php:91 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("INSERT INTO {$wpdb->prefix}options SET option_name = 'worker_migration_version', option_value = '$migrationVersion' ON DUPLICATE KEY UPDATE option_value = '$migrationVersion'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1673. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Http/JsonResponse.php:34 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\n" . $content;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1674. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Http/JsonResponse.php:34 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\n" . $content;

Recommendation: Use $wpdb->prepare() with placeholders


1675. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Http/MultipartResponse.php:27 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$headers["content-type"] = "multipart/mixed; boundary=".$this->boundary;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1676. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Http/MultipartResponse.php:45 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output = "\r\n".$this->getMultipartBoundary()."\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1677. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Http/MultipartResponse.php:66 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$stream->addStream(MWP_Stream_Stream::factory("\r\n".$this->getMultipartBoundary()));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1678. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Http/MultipartResponse.php:71 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$stream->addStream(MWP_Stream_Stream::factory("\r\n".$this->getMultipartBoundary()));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1679. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Http/MultipartResponse.php:27 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$headers["content-type"] = "multipart/mixed; boundary=".$this->boundary;

Recommendation: Use $wpdb->prepare() with placeholders


1680. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Http/MultipartResponse.php:45 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output = "\r\n".$this->getMultipartBoundary()."\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1681. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Http/MultipartResponse.php:66 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$stream->addStream(MWP_Stream_Stream::factory("\r\n".$this->getMultipartBoundary()));

Recommendation: Use $wpdb->prepare() with placeholders


1682. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Http/MultipartResponse.php:71 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$stream->addStream(MWP_Stream_Stream::factory("\r\n".$this->getMultipartBoundary()));

Recommendation: Use $wpdb->prepare() with placeholders


1683. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Signer/OpenSslSigner.php:29 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$error = $errorRow."\n".$error;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1684. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Signer/OpenSslSigner.php:29 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$error = $errorRow."\n".$error;

Recommendation: Use $wpdb->prepare() with placeholders


1685. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Action/DownloadFile.php:79 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$zip->addFile($file->getRealPath(), $file->getPath()."/".$file->getFilename());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1686. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Action/DownloadFile.php:79 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$zip->addFile($file->getRealPath(), $file->getPath()."/".$file->getFilename());

Recommendation: Use $wpdb->prepare() with placeholders


1687. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Action/ClearTransient.php:55 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$timeoutsToDelete[] = "'".$timeoutName.$transient."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1688. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Action/ClearTransient.php:56 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$transient          = "'".$transientType.$transient."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1689. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Action/ClearTransient.php:55 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$timeoutsToDelete[] = "'".$timeoutName.$transient."'";

Recommendation: Use $wpdb->prepare() with placeholders


1690. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Action/ClearTransient.php:56 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$transient          = "'".$transientType.$transient."'";

Recommendation: Use $wpdb->prepare() with placeholders


1691. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Crypter/OpenSslCrypter.php:26 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$error = $errorRow."\n".$error;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1692. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Crypter/OpenSslCrypter.php:51 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$error = $errorRow."\n".$error;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1693. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Crypter/OpenSslCrypter.php:26 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$error = $errorRow."\n".$error;

Recommendation: Use $wpdb->prepare() with placeholders


1694. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/Crypter/OpenSslCrypter.php:51 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$error = $errorRow."\n".$error;

Recommendation: Use $wpdb->prepare() with placeholders


1695. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/EventListener/PublicRequest/AddConnectionKeyInfo.php:72 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql = "DELETE FROM `". $wpdb->prefix ."options` WHERE `option_name` LIKE 'mwp_%';";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1696. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/EventListener/PublicRequest/AddConnectionKeyInfo.php:72 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql = "DELETE FROM `". $wpdb->prefix ."options` WHERE `option_name` LIKE 'mwp_%';";

Recommendation: Use $wpdb->prepare() with placeholders


1697. Deprecated mysql_query() with user input

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/IncrementalBackup/Database/MysqlConnection.php:63 CWE: CWE-89 Confidence: HIGH

Description: Deprecated mysql_query() with user input

Code:

$result = mysql_query($query, $this->connection);

Recommendation: Use PDO or mysqli with prepared statements


1698. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/IncrementalBackup/Database/MysqliConnection.php:63 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'".$this->connection->real_escape_string($value)."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1699. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/worker/src/MWP/IncrementalBackup/Database/MysqliConnection.php:63 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "'".$this->connection->real_escape_string($value)."'";

Recommendation: Use $wpdb->prepare() with placeholders


1700. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mphb-request-payment/classes/Plugin.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("UPDATE {$wpdb->options} SET autoload = 'yes' WHERE option_name IN ('mphbrp_configured', 'mphbrp_license_key')");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1701. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/mphb-request-payment/classes/Plugin.php:278 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("UPDATE {$wpdb->options} SET autoload = 'no' WHERE option_name LIKE 'mphbrp_%'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1702. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/cxq-event-calendar.php:1485 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("DELETE FROM {$wpdb->options} WHERE option_name LIKE 'cxq_event_calendar_%'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1703. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/cxq-event-calendar.php:1486 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("DELETE FROM {$wpdb->options} WHERE option_name LIKE 'external_event_%'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1704. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/fix-namespaces.php:23 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Failed to read: " . $file->getPathname() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1705. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/fix-namespaces.php:33 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Failed to write: " . $file->getPathname() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1706. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/fix-namespaces.php:23 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Failed to read: " . $file->getPathname() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1707. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/fix-namespaces.php:33 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Failed to write: " . $file->getPathname() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1708. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/public/class-ical-feed.php:153 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ical .= "UID:" . $uid . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1709. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/public/class-ical-feed.php:157 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ical .= "DTSTAMP:" . $dtstamp . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1710. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/public/class-ical-feed.php:162 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ical .= "DTSTART:" . $dtstart . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1711. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/public/class-ical-feed.php:168 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ical .= "DTEND:" . $dtend . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1712. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/public/class-ical-feed.php:179 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ical .= "DESCRIPTION:" . $description . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1713. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/public/class-ical-feed.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ical .= "LAST-MODIFIED:" . $last_modified . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1714. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/public/class-ical-feed.php:203 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ical .= "IMAGE;VALUE=URI:" . $event->cover_image_url . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1715. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/public/class-ical-feed.php:153 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ical .= "UID:" . $uid . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1716. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/public/class-ical-feed.php:157 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ical .= "DTSTAMP:" . $dtstamp . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1717. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/public/class-ical-feed.php:162 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ical .= "DTSTART:" . $dtstart . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1718. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/public/class-ical-feed.php:168 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ical .= "DTEND:" . $dtend . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1719. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/public/class-ical-feed.php:179 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ical .= "DESCRIPTION:" . $description . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1720. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/public/class-ical-feed.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ical .= "LAST-MODIFIED:" . $last_modified . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1721. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/public/class-ical-feed.php:203 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ical .= "IMAGE;VALUE=URI:" . $event->cover_image_url . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1722. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/includes/class-ical-export.php:164 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "X-WR-TIMEZONE:" . $timezone . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1723. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/includes/class-ical-export.php:169 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "UID:" . $event->id . "@" . get_bloginfo('url') . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1724. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/includes/class-ical-export.php:184 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "URL:" . $event->source_url . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1725. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/includes/class-ical-export.php:164 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "X-WR-TIMEZONE:" . $timezone . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1726. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/includes/class-ical-export.php:169 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "UID:" . $event->id . "@" . get_bloginfo('url') . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1727. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/includes/class-ical-export.php:184 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "URL:" . $event->source_url . "\r\n";

Recommendation: Use $wpdb->prepare() with placeholders


1728. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1729. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1730. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


1731. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


1732. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1733. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1734. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


1735. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-event-calendar/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


1736. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-spec-auditor/cxq-auditor.php:100 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

// $wpdb->query("DROP TABLE IF EXISTS {$wpdb->prefix}cxq_audit_requirement_check_items");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1737. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-enhance-wpforms/includes/admin/entries-page.php:182 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

esc_html_e( " for " . $entries_table->default_form_title );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1738. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-enhance-wpforms/includes/admin/entries-page.php:182 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

esc_html_e( " for " . $entries_table->default_form_title );

Recommendation: Use $wpdb->prepare() with placeholders


1739. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-doc-builder/migrate-from-cxq-documents.php:184 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->stats['errors'][] = "Failed to migrate taxonomy term: {$term->name} - " . $result->get_error_message();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1740. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-doc-builder/migrate-from-cxq-documents.php:277 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$error_msg = "Failed to create document: {$source_post->post_title} - " . $new_post_id->get_error_message();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1741. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-doc-builder/migrate-from-cxq-documents.php:184 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->stats['errors'][] = "Failed to migrate taxonomy term: {$term->name} - " . $result->get_error_message();

Recommendation: Use $wpdb->prepare() with placeholders


1742. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-doc-builder/migrate-from-cxq-documents.php:277 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$error_msg = "Failed to create document: {$source_post->post_title} - " . $new_post_id->get_error_message();

Recommendation: Use $wpdb->prepare() with placeholders


1743. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-submission-debug.php:65 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - " . get_class($callback['function'][0]) . "::" . $callback['function'][1] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1744. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-submission-debug.php:65 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - " . get_class($callback['function'][0]) . "::" . $callback['function'][1] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1745. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-phase2-integration.php:33 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Plugin version: " . $plugin->getVersion() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1746. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-phase2-integration.php:77 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Migration version: " . $status['current_version'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1747. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-phase2-integration.php:80 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Organization type: " . $status['organization_type'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1748. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-phase2-integration.php:100 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Error: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1749. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-phase2-integration.php:33 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Plugin version: " . $plugin->getVersion() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1750. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-phase2-integration.php:77 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Migration version: " . $status['current_version'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1751. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-phase2-integration.php:80 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Organization type: " . $status['organization_type'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1752. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-phase2-integration.php:100 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Error: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1753. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:75 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Using existing place (ID: $place_id) - " . $places[0]->post_title . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1754. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:88 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Claim code: " . $claim_code . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1755. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:98 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - ID: " . $orphan->ID . " | " . $orphan->post_title . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1756. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Email: " . $test_username . "@example.com\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1757. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:129 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Status: " . $claim->status . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1758. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:130 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Method: " . $claim->verification_method . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1759. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:131 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Code: " . $claim->verification_code . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1760. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:132 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Date: " . $claim->claim_date . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1761. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:147 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  New status: " . $claim->status . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1762. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:157 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - Claim #" . $pending->id . " | Place: " . $pending->place_name . " | User: " . $pending->display_name . " | Status: " . $pending->status . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1763. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:164 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Total claims: " . $stats['total'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1764. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Pending: " . $stats['pending'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1765. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Verified: " . $stats['verified'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1766. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:167 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Approved: " . $stats['approved'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1767. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:168 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Rejected: " . $stats['rejected'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1768. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:169 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Orphan places: " . $stats['orphan_places'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1769. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:189 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    - " . $manager->display_name . " (" . $manager->role . ")\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1770. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:194 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Final status: " . $claim->status . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1771. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:195 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Reviewed by: User ID " . $claim->reviewed_by . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1772. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:196 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Notes: " . $claim->notes . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1773. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:204 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Place URL: " . $place_url . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1774. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:219 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "\nNext: Test frontend at: " . $place_url . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1775. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:75 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Using existing place (ID: $place_id) - " . $places[0]->post_title . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1776. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:88 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Claim code: " . $claim_code . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1777. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:98 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - ID: " . $orphan->ID . " | " . $orphan->post_title . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1778. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Email: " . $test_username . "@example.com\n";

Recommendation: Use $wpdb->prepare() with placeholders


1779. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:129 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Status: " . $claim->status . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1780. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:130 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Method: " . $claim->verification_method . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1781. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:131 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Code: " . $claim->verification_code . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1782. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:132 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Date: " . $claim->claim_date . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1783. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:147 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  New status: " . $claim->status . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1784. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:157 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - Claim #" . $pending->id . " | Place: " . $pending->place_name . " | User: " . $pending->display_name . " | Status: " . $pending->status . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1785. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:164 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Total claims: " . $stats['total'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1786. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Pending: " . $stats['pending'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1787. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Verified: " . $stats['verified'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1788. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:167 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Approved: " . $stats['approved'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1789. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:168 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Rejected: " . $stats['rejected'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1790. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:169 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Orphan places: " . $stats['orphan_places'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1791. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:189 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    - " . $manager->display_name . " (" . $manager->role . ")\n";

Recommendation: Use $wpdb->prepare() with placeholders


1792. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:194 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Final status: " . $claim->status . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1793. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:195 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Reviewed by: User ID " . $claim->reviewed_by . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1794. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:196 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Notes: " . $claim->notes . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1795. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:204 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Place URL: " . $place_url . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1796. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-workflow.php:219 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "\nNext: Test frontend at: " . $place_url . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1797. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions.php:31 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Database error: " . $wpdb->last_error . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1798. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions.php:46 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  ID: " . $manager->id . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1799. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions.php:47 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Role: " . $manager->role . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1800. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Date: " . $manager->date_added . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1801. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions.php:58 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - " . $mgr->display_name . " (" . $mgr->role . ")\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1802. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions.php:31 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Database error: " . $wpdb->last_error . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1803. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions.php:46 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  ID: " . $manager->id . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1804. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions.php:47 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Role: " . $manager->role . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1805. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Date: " . $manager->date_added . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1806. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions.php:58 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - " . $mgr->display_name . " (" . $mgr->role . ")\n";

Recommendation: Use $wpdb->prepare() with placeholders


1807. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/debug-frontend.php:52 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Found Places hook: $class::" . $callback['function'][1] . " at priority $priority\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1808. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/debug-frontend.php:52 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Found Places hook: $class::" . $callback['function'][1] . " at priority $priority\n";

Recommendation: Use $wpdb->prepare() with placeholders


1809. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/check-admin-status.php:47 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - {$id}: " . $module->getName() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1810. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/check-admin-status.php:56 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "✓ Active Module: " . $active->getName() . " ({$active->getId()})\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1811. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/check-admin-status.php:64 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "✗ Error loading modules: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1812. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/check-admin-status.php:47 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - {$id}: " . $module->getName() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1813. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/check-admin-status.php:56 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "✓ Active Module: " . $active->getName() . " ({$active->getId()})\n";

Recommendation: Use $wpdb->prepare() with placeholders


1814. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/check-admin-status.php:64 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "✗ Error loading modules: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1815. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/check-admin-status.php:89 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$all_org_options = $wpdb->get_results("SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE 'cxq_mm_%' ORDER BY option_name");

Recommendation: Use $wpdb->prepare() with placeholders


1816. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-org-types.php:76 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    ID: " . $instance->getId() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1817. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-org-types.php:77 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    Name: " . $instance->getName() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1818. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-org-types.php:78 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    Description: " . $instance->getDescription() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1819. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-org-types.php:79 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    Icon: " . $instance->getIcon() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1820. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-org-types.php:99 CWE: CWE-89 Confidence: HIGH

Description: Concatenates an exception message into a string passed to `echo`. No SQL is involved, so CWE-89 does not apply.

Code:

echo "    ✗ Error: " . $e->getMessage() . "\n";

Recommendation: False positive for CWE-89. Printing raw exception messages is a concern only if this test script can be reached over HTTP (information exposure, CWE-209), and the answer to that is to remove the script from the deployed site.


1821. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-org-types.php:132 CWE: CWE-89 Confidence: HIGH

Description: Concatenation and `{$active->getId()}` interpolation inside a string passed to `echo`; no SQL is built or executed, so CWE-89 does not apply.

Code:

echo "  ✓ Active module: " . $active->getName() . " ({$active->getId()})\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1822. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-org-types.php:138 CWE: CWE-89 Confidence: HIGH

Description: Concatenates an exception message into a string passed to `echo`. No SQL is involved, so CWE-89 does not apply.

Code:

echo "  ✗ Error: " . $e->getMessage() . "\n";

Recommendation: False positive for CWE-89; the same note as for line 99 of this script applies.


1830. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-libraries.php:60 CWE: CWE-89 Confidence: HIGH

Description: This line builds HTML (`<strong>`) for `echo`, not a SQL statement, so CWE-89 does not apply. What it does do is insert an exception message into markup without escaping; the relevant review is output encoding (CWE-79) and error-message exposure (CWE-209), not injection.

Code:

echo "❌ <strong>{$service_name}</strong>: " . $e->getMessage() . "\n";

Recommendation: False positive for CWE-89. If `test-libraries.php` is kept anywhere reachable, wrap `$e->getMessage()` in `esc_html()`; the better fix is to delete the test script from the deployed plugin directory.


1832. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:82 CWE: CWE-89 Confidence: HIGH

Description: String concatenation feeding `echo` with an exception message; the line builds no SQL, so CWE-89 does not apply. The text `Query failed` refers to a query made elsewhere in the script, which is where any injection review would have to look.

Code:

echo "Query failed: " . $e->getMessage() . " ✗\n\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`. `test-claims-service-only.php` is a test script in the plugin's backup directory; judging by the lines reported below it creates a test user and prints claim records, so it must not be reachable on a deployed site.


1833. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:91 CWE: CWE-89 Confidence: HIGH

Description: Concatenates a `WP_Error` message into a string passed to `echo`; no SQL, so CWE-89 does not apply.

Code:

echo "✗ Failed to create test user: " . $test_user_id->get_error_message() . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1834. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:117 CWE: CWE-89 Confidence: HIGH

Description: Prints a field of a claim record via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Place ID: " . $claim->place_id . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1835. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:118 CWE: CWE-89 Confidence: HIGH

Description: Prints a field of a claim record via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  User ID: " . $claim->user_id . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1836. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:119 CWE: CWE-89 Confidence: HIGH

Description: Prints a field of a claim record via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Status: " . $claim->status . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1837. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:120 CWE: CWE-89 Confidence: HIGH

Description: Prints a field of a claim record via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Method: " . $claim->verification_method . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1838. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:121 CWE: CWE-89 Confidence: HIGH

Description: Prints a field of a claim record via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Code: " . $claim->verification_code . "\n";

Recommendation: False positive for CWE-89. What this line does expose is a claim's verification code in plain text; a test script that prints secrets must not be reachable on a deployed site.


1839. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:122 CWE: CWE-89 Confidence: HIGH

Description: Prints a field of a claim record via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Date: " . $claim->claim_date . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1840. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:158 CWE: CWE-89 Confidence: HIGH

Description: Prints a claim status via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  New status: " . $claim_obj->status . " (should be 'verified')\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1841. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:172 CWE: CWE-89 Confidence: HIGH

Description: Prints a field of a query result via `echo`; string concatenation only, no SQL is built here, so CWE-89 does not apply.

Code:

echo "  First claim ID: " . $pending[0]->id . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1842. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:173 CWE: CWE-89 Confidence: HIGH

Description: Prints a field of a query result via `echo`; string concatenation only, no SQL is built here, so CWE-89 does not apply.

Code:

echo "  Place name: " . $pending[0]->place_name . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1843. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:174 CWE: CWE-89 Confidence: HIGH

Description: Prints a field of a query result via `echo`; string concatenation only, no SQL is built here, so CWE-89 does not apply.

Code:

echo "  User: " . $pending[0]->display_name . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1844. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:185 CWE: CWE-89 Confidence: HIGH

Description: Prints a counter from a statistics array via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Total: " . $stats['total'] . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1845. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:186 CWE: CWE-89 Confidence: HIGH

Description: Prints a counter from a statistics array via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Pending: " . $stats['pending'] . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1846. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:187 CWE: CWE-89 Confidence: HIGH

Description: Prints a counter from a statistics array via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Verified: " . $stats['verified'] . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1847. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:188 CWE: CWE-89 Confidence: HIGH

Description: Prints a counter from a statistics array via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Approved: " . $stats['approved'] . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1848. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:189 CWE: CWE-89 Confidence: HIGH

Description: Prints a counter from a statistics array via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Rejected: " . $stats['rejected'] . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1849. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:190 CWE: CWE-89 Confidence: HIGH

Description: Prints a counter from a statistics array via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Orphan places: " . $stats['orphan_places'] . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1850. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:211 CWE: CWE-89 Confidence: HIGH

Description: Prints a claim status via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Final status: " . $claim_obj->status . " (should be 'approved')\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1851. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:212 CWE: CWE-89 Confidence: HIGH

Description: Prints a field of a claim record via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Reviewed by: " . $claim_obj->reviewed_by . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1852. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:213 CWE: CWE-89 Confidence: HIGH

Description: Prints a field of a claim record via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Notes: " . $claim_obj->notes . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1853. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:249 CWE: CWE-89 Confidence: HIGH

Description: Prints a claim status via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Status: " . $claim_obj_2->status . " (should be 'rejected')\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1854. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-claims-service-only.php:250 CWE: CWE-89 Confidence: HIGH

Description: Prints a field of a claim record via `echo`; string concatenation only, no SQL, so CWE-89 does not apply.

Code:

echo "  Rejection reason: " . $claim_obj_2->notes . "\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1878. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-setup-wizard.php:46 CWE: CWE-89 Confidence: HIGH

Description: Concatenates an exception message into a string passed to `echo`. No SQL is involved, so CWE-89 does not apply.

Code:

echo "✗ Error: " . $e->getMessage() . "\n";

Recommendation: False positive for CWE-89. `test-setup-wizard.php` is another test script inside the plugin's backup directory and should not be on a deployed site; printing raw exception messages matters only if the script is reachable over HTTP.


1879. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-setup-wizard.php:59 CWE: CWE-89 Confidence: HIGH

Description: String concatenation feeding `echo`; no SQL is built or executed on this line, so CWE-89 does not apply.

Code:

echo "Active Module: " . $active_module->getName() . "\n\n";

Recommendation: False positive; `$wpdb->prepare()` is not relevant to an `echo`.


1880. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-setup-wizard.php:70 CWE: CWE-89 Confidence: HIGH

Description: Concatenates an exception message into a string passed to `echo`. No SQL is involved, so CWE-89 does not apply.

Code:

echo "  ✗ Error: " . $e->getMessage() . "\n";

Recommendation: False positive for CWE-89; see the note on line 46 of this script.


1881. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-setup-wizard.php:81 CWE: CWE-89 Confidence: HIGH

Description: Concatenates an exception message into a string passed to `echo`. No SQL is involved, so CWE-89 does not apply.

Code:

echo "  ✗ Error: " . $e->getMessage() . "\n";

Recommendation: False positive for CWE-89; see the note on line 46 of this script.


1882. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-setup-wizard.php:89 CWE: CWE-89 Confidence: HIGH

Description: Concatenates an exception message into a string passed to `echo`. No SQL is involved, so CWE-89 does not apply.

Code:

echo "  ✗ Error: " . $e->getMessage() . "\n";

Recommendation: False positive for CWE-89; see the note on line 46 of this script.


1888. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-asset-manager.php:47 CWE: CWE-89 Confidence: HIGH

Description: Concatenates an exception message into a string passed to `echo`. No SQL is involved, so CWE-89 does not apply.

Code:

echo "✗ Error registering stylesheet: " . $e->getMessage() . "\n\n";

Recommendation: False positive for CWE-89. `test-asset-manager.php` is a test script inside the plugin's backup directory and should not be on a deployed site; printing raw exception messages matters only if the script is reachable over HTTP.


1889. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-asset-manager.php:72 CWE: CWE-89 Confidence: HIGH

Description: Concatenates an exception message into a string passed to `echo`. No SQL is involved, so CWE-89 does not apply.

Code:

echo "✗ Error registering script: " . $e->getMessage() . "\n\n";

Recommendation: False positive for CWE-89; see the note on line 47 of this script.


1892. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:666 CWE: CWE-89 Confidence: HIGH

Description: This line builds HTML, not SQL: the `show_option_no_change` label is appended as the text of an `<option>` element. CWE-89 is the wrong class. The label is emitted without escaping while neighbouring attributes use `esc_attr()`, which is the same construction WordPress core uses in `wp_dropdown_pages()`; whether it matters depends on whether `$parsed_args` can carry values from outside the code base, which the scan does not show.

Code:

$output .= "\t<option value=\"-1\">" . $parsed_args['show_option_no_change'] . "</option>\n";

Recommendation: Drop the CWE-89 classification. If the dropdown arguments can be influenced by request data, wrap the label in `esc_html()` (output encoding, CWE-79); otherwise no change is needed.


1893. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2116 CWE: CWE-89 Confidence: HIGH

Description: No query is built here; the concatenation assembles a log message for `$this->log_event()`, so CWE-89 does not apply to this line. Two other things are worth noting. `$wpdb->show_errors(false)` does not return the database error text: it switches error display off and returns the previous boolean setting, so the log entry records a `1` or an empty string instead of the failure reason (the author almost certainly meant `$wpdb->last_error`). And whether the interpolated `user_login` / `new_username` values are stored safely depends on how `log_event()` writes to its table, which has to be examined separately.

Code:

$this->log_event($user->ID,'Registration',"Failed to change username from `{$user->user_login}` to `{$new_username}`: ".$wpdb->show_errors(false));

Recommendation: Replace `$wpdb->show_errors(false)` with `$wpdb->last_error` so the failure is actually logged, and review the INSERT inside `log_event()` for placeholder use; `$wpdb->prepare()` belongs there, not on this line.


1894. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2332 CWE: CWE-89 Confidence: HIGH

Description: HTML `<option>` output, not a SQL query; CWE-89 does not apply. The `show_option_no_change` label is not escaped, as on line 666.

Code:

$output .= "\t<option value=\"-1\">" . $parsed_args['show_option_no_change'] . "</option>\n";

Recommendation: Drop the CWE-89 classification; apply `esc_html()` to the label only if the dropdown arguments can carry untrusted values.


1895. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2391 CWE: CWE-89 Confidence: HIGH

Description: HTML `<option>` output, not a SQL query; CWE-89 does not apply. The `show_option_no_change` label is not escaped, as on line 666.

Code:

$output .= "\t<option value=\"-1\">" . $parsed_args['show_option_no_change'] . "</option>\n";

Recommendation: Drop the CWE-89 classification; apply `esc_html()` to the label only if the dropdown arguments can carry untrusted values.


1896. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2458 CWE: CWE-89 Confidence: HIGH

Description: HTML output, not SQL. The `name` and `id` attributes pass through `esc_attr()`; only `$class`, built on an earlier line the scan does not show, is concatenated unescaped. CWE-89 does not apply.

Code:

$output = "<select name='" . esc_attr( $parsed_args['name'] ) . "'" . $class . " id='" . esc_attr( $parsed_args['id'] ) . "'>\n";

Recommendation: Drop the CWE-89 classification; confirm that `$class` is built from a fixed or escaped value.


1897. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2460 CWE: CWE-89 Confidence: HIGH

Description: HTML `<option>` output, not a SQL query; CWE-89 does not apply. The `show_option_no_change` label is not escaped, as on line 666.

Code:

$output .= "\t<option value=\"-1\">" . $parsed_args['show_option_no_change'] . "</option>\n";

Recommendation: Drop the CWE-89 classification; apply `esc_html()` to the label only if the dropdown arguments can carry untrusted values.


1898. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2510 CWE: CWE-89 Confidence: HIGH

Description: HTML output, not SQL. The `name` and `id` attributes pass through `esc_attr()`; only `$class`, built on an earlier line the scan does not show, is concatenated unescaped. CWE-89 does not apply.

Code:

$output = "<select name='" . esc_attr( $parsed_args['name'] ) . "'" . $class . " id='" . esc_attr( $parsed_args['id'] ) . "'>\n";

Recommendation: Drop the CWE-89 classification; confirm that `$class` is built from a fixed or escaped value.


1899. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2512 CWE: CWE-89 Confidence: HIGH

Description: HTML `<option>` output, not a SQL query; CWE-89 does not apply. The `show_option_no_change` label is not escaped, as on line 666.

Code:

$output .= "\t<option value=\"-1\">" . $parsed_args['show_option_no_change'] . "</option>\n";

Recommendation: Drop the CWE-89 classification; apply `esc_html()` to the label only if the dropdown arguments can carry untrusted values.


1900. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2519 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "\t<option value=\"" . esc_attr( $parsed_args['option_now_value'] ) . "\"{$selected}>" . $parsed_args['show_option_now'] . "</option>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1901. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2523 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "\t<option value=\"" . esc_attr( $parsed_args['option_custom_default_value'] ) . "\"{$selected}>" . $parsed_args['show_option_custom_default'] . "</option>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1902. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:666 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "\t<option value=\"-1\">" . $parsed_args['show_option_no_change'] . "</option>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1903. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2116 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->log_event($user->ID,'Registration',"Failed to change username from `{$user->user_login}` to `{$new_username}`: ".$wpdb->show_errors(false));

Recommendation: Use $wpdb->prepare() with placeholders


1904. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2332 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "\t<option value=\"-1\">" . $parsed_args['show_option_no_change'] . "</option>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1905. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2391 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "\t<option value=\"-1\">" . $parsed_args['show_option_no_change'] . "</option>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1906. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2458 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output = "<select name='" . esc_attr( $parsed_args['name'] ) . "'" . $class . " id='" . esc_attr( $parsed_args['id'] ) . "'>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1907. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2460 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "\t<option value=\"-1\">" . $parsed_args['show_option_no_change'] . "</option>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1908. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2510 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output = "<select name='" . esc_attr( $parsed_args['name'] ) . "'" . $class . " id='" . esc_attr( $parsed_args['id'] ) . "'>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1909. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2512 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "\t<option value=\"-1\">" . $parsed_args['show_option_no_change'] . "</option>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1910. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2519 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "\t<option value=\"" . esc_attr( $parsed_args['option_now_value'] ) . "\"{$selected}>" . $parsed_args['show_option_now'] . "</option>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1911. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/cxq-membership.php:2523 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "\t<option value=\"" . esc_attr( $parsed_args['option_custom_default_value'] ) . "\"{$selected}>" . $parsed_args['show_option_custom_default'] . "</option>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1912. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-features-comprehensive.php:78 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Name: " . $org_instance->getName() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1913. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-features-comprehensive.php:79 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Description: " . $org_instance->getDescription() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1914. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-features-comprehensive.php:80 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Icon: " . $org_instance->getIcon() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1915. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-features-comprehensive.php:78 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Name: " . $org_instance->getName() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1916. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-features-comprehensive.php:79 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Description: " . $org_instance->getDescription() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1917. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-features-comprehensive.php:80 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Icon: " . $org_instance->getIcon() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1918. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-features-integration.php:69 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  ✓ Active module loaded: " . $active_module->getName() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1919. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-features-integration.php:69 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  ✓ Active module loaded: " . $active_module->getName() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1920. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-setup-wizard-simulation.php:405 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - " . $result['name'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1921. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-setup-wizard-simulation.php:407 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    " . $result['details'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1922. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-setup-wizard-simulation.php:405 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  - " . $result['name'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1923. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-setup-wizard-simulation.php:407 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "    " . $result['details'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1924. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/simple-test.php:58 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "✗ ServiceContainer instantiation failed: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1925. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/simple-test.php:73 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "✗ Service test failed: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1926. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/simple-test.php:58 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "✗ ServiceContainer instantiation failed: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1927. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/simple-test.php:73 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "✗ Service test failed: " . $e->getMessage() . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1928. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions-debug.php:17 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Post type: " . $place->post_type . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1929. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions-debug.php:18 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Post title: " . $place->post_title . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1930. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions-debug.php:21 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  ✗ Wrong post type! Expected 'cxq_mm_member', got '" . $place->post_type . "'\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1931. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions-debug.php:34 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Username: " . $user->user_login . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1932. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions-debug.php:35 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Email: " . $user->user_email . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1933. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions-debug.php:17 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Post type: " . $place->post_type . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1934. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions-debug.php:18 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Post title: " . $place->post_title . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1935. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions-debug.php:21 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  ✗ Wrong post type! Expected 'cxq_mm_member', got '" . $place->post_type . "'\n";

Recommendation: Use $wpdb->prepare() with placeholders


1936. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions-debug.php:34 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Username: " . $user->user_login . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1937. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/test-permissions-debug.php:35 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Email: " . $user->user_email . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1938. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/migration-phase2.php:194 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("DELETE FROM {$wpdb->usermeta} WHERE meta_key = '_org_positions'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1939. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/migration-phase2.php:195 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("DELETE FROM {$wpdb->usermeta} WHERE meta_key = '_primary_position'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1940. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/migration-phase2.php:196 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("DELETE FROM {$wpdb->usermeta} WHERE meta_key = '_credentials'");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1941. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/register-deregister-post-status.class.php:182 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

jQuery( 'select[name=\"post_status\"]' ).append( '<option value=\"{$status}\">{$label}</option>' );".$jq_status;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1942. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/register-deregister-post-status.class.php:182 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

jQuery( 'select[name=\"post_status\"]' ).append( '<option value=\"{$status}\">{$label}</option>' );".$jq_status;

Recommendation: Use $wpdb->prepare() with placeholders


1943. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/tests/simple-integration-test.php:188 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Migration Version: " . $status['current_version'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1944. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/tests/simple-integration-test.php:188 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Migration Version: " . $status['current_version'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


1945. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/build/build.php:169 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if (is_dir($dir . "/" . $object)) {

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1946. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/build/build.php:170 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

rrmdir($dir . "/" . $object);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1947. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/build/build.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

unlink($dir . "/" . $object);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1948. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/build/build.php:169 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if (is_dir($dir . "/" . $object)) {

Recommendation: Use $wpdb->prepare() with placeholders


1949. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/build/build.php:170 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

rrmdir($dir . "/" . $object);

Recommendation: Use $wpdb->prepare() with placeholders


1950. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/build/build.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

unlink($dir . "/" . $object);

Recommendation: Use $wpdb->prepare() with placeholders


1951. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:112 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1952. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:117 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1953. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1954. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:126 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1955. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1956. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:142 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1957. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1958. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:207 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1959. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:243 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1960. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:246 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1961. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:293 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1962. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:303 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1963. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:314 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1964. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:388 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1965. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:112 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders


1966. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:117 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders


1967. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


1968. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:126 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders


1969. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


1970. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:142 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders


1971. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1972. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:207 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


1973. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:243 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


1974. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:246 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


1975. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:293 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders


1976. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:303 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders


1977. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:314 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders


1978. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/dev/dBug.class.php:388 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders


1979. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/core/cxq-membership-profiles.php:1236 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$html.="<td class=\"{$column_name}\">".$this->return_column_value( $column_name, $user).'</td>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1980. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/core/cxq-membership-profiles.php:1236 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$html.="<td class=\"{$column_name}\">".$this->return_column_value( $column_name, $user).'</td>';

Recommendation: Use $wpdb->prepare() with placeholders


1981. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/custom/cxq-membership-cust-ems.php:78 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql = "SELECT meta_key,meta_value as member_id, count(meta_key) as count FROM `".$wpdb->usermeta."` WHERE meta_key = 'cxq_member_id_number' and meta_value<>'' group by meta_key,meta_value;";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1982. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/custom/cxq-membership-cust-ems.php:78 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql = "SELECT meta_key,meta_value as member_id, count(meta_key) as count FROM `".$wpdb->usermeta."` WHERE meta_key = 'cxq_member_id_number' and meta_value<>'' group by meta_key,meta_value;";

Recommendation: Use $wpdb->prepare() with placeholders


1983. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/custom/cxq-membership-cust-nsp.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql = "SELECT meta_key,meta_value as member_id, count(meta_key) as count FROM `".$wpdb->usermeta."` WHERE meta_key = 'cxq_member_id_number' and meta_value<>'' group by meta_key,meta_value;";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1984. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/custom/cxq-membership-cust-nsp.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql = "SELECT meta_key,meta_value as member_id, count(meta_key) as count FROM `".$wpdb->usermeta."` WHERE meta_key = 'cxq_member_id_number' and meta_value<>'' group by meta_key,meta_value;";

Recommendation: Use $wpdb->prepare() with placeholders


1985. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/core/optional/cxq-membership-attachments.php:613 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$exif[] = exif_read_data("data://{$mime_type};base64," . $file,$sections );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1986. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/includes/core/optional/cxq-membership-attachments.php:613 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$exif[] = exif_read_data("data://{$mime_type};base64," . $file,$sections );

Recommendation: Use $wpdb->prepare() with placeholders


1987. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/src/Core/ErrorHandler.php:54 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$context_str ? "\nContext: " . $context_str : ''

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1988. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/src/Core/ErrorHandler.php:54 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$context_str ? "\nContext: " . $context_str : ''

Recommendation: Use $wpdb->prepare() with placeholders


1989. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/src/Services/UserProfileService.php:305 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"Failed to change username from `{$user->user_login}` to `{$new_username}`: " . $wpdb->show_errors(false)

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1990. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/src/Services/UserProfileService.php:305 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"Failed to change username from `{$user->user_login}` to `{$new_username}`: " . $wpdb->show_errors(false)

Recommendation: Use $wpdb->prepare() with placeholders


1991. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/src/Services/WorkflowExecutionService.php:201 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Failed to update user: " . $user_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1992. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/src/Services/WorkflowExecutionService.php:224 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Failed to create user: " . $user_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1993. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/src/Services/WorkflowExecutionService.php:201 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Failed to update user: " . $user_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders


1994. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-membership.backup-20260115/src/Services/WorkflowExecutionService.php:224 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Failed to create user: " . $user_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders


1995. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1996. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1997. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1998. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


1999. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2000. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2001. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2002. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:209 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2003. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:243 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2004. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:246 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2005. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:293 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2006. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:303 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2007. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:314 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2008. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:388 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2009. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders


2010. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders


2011. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


2012. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders


2013. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


2014. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders


2015. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders


2016. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:209 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2017. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:243 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2018. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:246 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2019. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:293 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders


2020. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:303 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders


2021. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:314 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders


2022. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/dBug.php:388 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders


2023. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:221 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd = "array('Ascent'=>".$info['Ascender'];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2024. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:223 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'Descent'=>".$info['Descender'];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2025. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:226 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'CapHeight'=>".$info['CapHeight'];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2026. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:228 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'CapHeight'=>".$info['Ascender'];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2027. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:236 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'Flags'=>".$flags;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2028. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:239 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'FontBBox'=>'[".$fbb[0].' '.$fbb[1].' '.$fbb[2].' '.$fbb[3]."]'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2029. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:241 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'ItalicAngle'=>".$info['ItalicAngle'];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2030. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:249 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'StemV'=>".$stemv;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2031. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:251 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'MissingWidth'=>".$info['MissingWidth'].')';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2032. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:221 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd = "array('Ascent'=>".$info['Ascender'];

Recommendation: Use $wpdb->prepare() with placeholders


2033. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:223 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'Descent'=>".$info['Descender'];

Recommendation: Use $wpdb->prepare() with placeholders


2034. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:226 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'CapHeight'=>".$info['CapHeight'];

Recommendation: Use $wpdb->prepare() with placeholders


2035. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:228 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'CapHeight'=>".$info['Ascender'];

Recommendation: Use $wpdb->prepare() with placeholders


2036. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:236 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'Flags'=>".$flags;

Recommendation: Use $wpdb->prepare() with placeholders


2037. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:239 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'FontBBox'=>'[".$fbb[0].' '.$fbb[1].' '.$fbb[2].' '.$fbb[3]."]'";

Recommendation: Use $wpdb->prepare() with placeholders


2038. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:241 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'ItalicAngle'=>".$info['ItalicAngle'];

Recommendation: Use $wpdb->prepare() with placeholders


2039. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:249 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'StemV'=>".$stemv;

Recommendation: Use $wpdb->prepare() with placeholders


2040. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdf/makefont/makefont.php:251 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$fd .= ",'MissingWidth'=>".$info['MissingWidth'].')';

Recommendation: Use $wpdb->prepare() with placeholders


2041. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdi2/src/PdfParser/Filter/Flate.php:46 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

fwrite($fh, "\x1f\x8b\x08\x00\x00\x00\x00\x00" . $oData);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2042. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-autocomplete-awsc-form/fpdi2/src/PdfParser/Filter/Flate.php:46 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

fwrite($fh, "\x1f\x8b\x08\x00\x00\x00\x00\x00" . $oData);

Recommendation: Use $wpdb->prepare() with placeholders


2043. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2044. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2045. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2046. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2047. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2048. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2049. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2050. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:209 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2051. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:243 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2052. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:246 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2053. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:293 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2054. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:303 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2055. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:314 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2056. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:388 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2057. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders


2058. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders


2059. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


2060. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders


2061. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


2062. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders


2063. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders


2064. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:209 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2065. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:243 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2066. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:246 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2067. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/dBug.php:293 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders


2071. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/cxq-woocommerce-sales-list.php:325 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "<td>".$lpar.($row[$column]??0).$rpar."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2072. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/cxq-woocommerce-sales-list.php:329 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "<td>".$other_total."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2073. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/cxq-woocommerce-sales-list.php:331 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$output .= "<td>".$lpar.($row['total']??0).$rpar."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2074. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/cxq-woocommerce-sales-list.php:376 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$phone_number = "-" . $phone_number;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2075. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/cxq-woocommerce-sales-list.php:382 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$phone_number = ") " . $phone_number;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2076. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-listx/cxq-woocommerce-sales-list.php:387 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$phone_number = "(" . $phone_number;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2083. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/pta-sus-global-functions.php:453 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

file_put_contents($log_file, date('Y-m-d H:i:s') . ": " . $msg . "\n", FILE_APPEND);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2085. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/class-pta_sus_admin.php:1771 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$headers[]  = "From: " . $from_name . " <" . $from_email . ">";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2086. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/class-pta_sus_admin.php:1772 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$headers[]  = "Reply-To: " . $reply_to;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2089. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/class-pta_sus_emails.php:28 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$headers[] = "From: " . get_bloginfo('name') . " <" . $from . ">";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2090. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/class-pta_sus_emails.php:31 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$headers[] = "Reply-To: <" . $reply . ">";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2091. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/class-pta_sus_emails.php:34 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$headers[] = "Reply-To: <" . $replyto . ">";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2092. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/class-pta_sus_emails.php:228 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->last_reminder = "To: " . $to . "\r\n\r\n" . $message . "\r\n\r\n\r\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2097. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:115 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

FROM ".$this->tables['sheet']['name']."

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2098. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$row = $this->wpdb->get_row($this->wpdb->prepare("SELECT * FROM ".$this->tables['sheet']['name']." WHERE id = %d" , $id));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2099. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:190 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

SELECT COUNT(*) FROM ".$this->tables['sheet']['name']." WHERE trash = %d", $trash));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2100. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:205 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

SELECT COUNT(*) FROM ".$this->tables['sheet']['name']." WHERE title = %s AND trash = 0", $title));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2101. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:225 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

SELECT COUNT(*) FROM ".$this->tables['signup']['name']."

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2102. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:296 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$SQL = "UPDATE ".$this->tables['sheet']['name']."

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2103. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:311 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$SQL = "SELECT * FROM ".$this->tables['task']['name']." WHERE sheet_id = %d ";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2104. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:332 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$SQL = "SELECT id FROM ".$this->tables['task']['name']." WHERE sheet_id = %d ";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2105. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:359 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$task = $this->wpdb->get_row($this->wpdb->prepare("SELECT * FROM ".$this->tables['task']['name']." WHERE id = %d" , $id));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2106. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:368 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$SQL = "SELECT DISTINCT dates FROM ".$this->tables['task']['name']." WHERE sheet_id = %d";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2107. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:398 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$SQL = "UPDATE ".$this->tables['task']['name']." SET sheet_id = %d WHERE sheet_id = %d";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2108. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:415 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$SQL = "SELECT * FROM ".$this->tables['signup']['name']." WHERE task_id = %d ";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2109. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:431 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$SQL = "SELECT * FROM ".$this->tables['signup']['name']." WHERE lastname like '%s' OR firstname like '%s' GROUP BY firstname, lastname";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2110. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:467 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$SQL = "SELECT DISTINCT email FROM ".$this->tables['signup']['name']." ";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2111. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:469 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$TASKSQL = "SELECT id FROM ".$this->tables['task']['name']." WHERE sheet_id = %d";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2112. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:486 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$results = $this->wpdb->get_row($this->wpdb->prepare("SELECT * FROM ".$this->tables['signup']['name']." WHERE id = %d" , $id));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2113. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:577 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

FROM  ".$this->tables['sheet']['name']." sheet

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2114. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:578 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

INNER JOIN ".$this->tables['task']['name']." task ON sheet.id = task.sheet_id

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2115. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:579 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

INNER JOIN ".$this->tables['signup']['name']." signup ON task.id = signup.task_id

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2116. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:1209 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql = "DELETE FROM ".$this->tables['signup']['name']." WHERE %s > ADDDATE(date, %d)";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2117. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:1226 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql = "SELECT id FROM ".$this->tables['sheet']['name']." WHERE %s > ADDDATE(last_date, %d)";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2118. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/data.php:1724 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $firstname." ".$this->initials_arr($nwords);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2141. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/class-pta_sus_signup_functions.php:39 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$results = $wpdb->get_row($wpdb->prepare("SELECT * FROM ".$signup_table." WHERE id = %d" , $signup_id));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2142. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/pta-volunteer-sign-up-sheets/classes/class-pta_sus_signup_functions.php:39 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$results = $wpdb->get_row($wpdb->prepare("SELECT * FROM ".$signup_table." WHERE id = %d" , $signup_id));

Recommendation: Use $wpdb->prepare() with placeholders


2143. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/x_aurora.php:5 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

$api_key = '306bfb022724a25c7d795719358609b1';   //bquig

Recommendation: Move credentials to environment variables or secure configuration


2144. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/x_aurora.php:6 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

//$api_key = 'e8d268dbf5ed7bfa6d01ec9377e1d415';  //lost768

Recommendation: Move credentials to environment variables or secure configuration


2145. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/drink_list.php:300 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this_list_content = "<h2>{$subtype}</h2>".$this_list_content;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2146. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/drink_list.php:300 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this_list_content = "<h2>{$subtype}</h2>".$this_list_content;

Recommendation: Use $wpdb->prepare() with placeholders


2147. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/weather-new.php:5 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

$api_key = '306bfb022724a25c7d795719358609b1';   //bquig

Recommendation: Move credentials to environment variables or secure configuration


2148. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/weather-new.php:6 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

//$api_key = 'e8d268dbf5ed7bfa6d01ec9377e1d415';  //lost768

Recommendation: Move credentials to environment variables or secure configuration


2149. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/cache.php:179 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

new dBug2("HTTP request failed. Error was: " . $error['message']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2150. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/cache.php:179 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

new dBug2("HTTP request failed. Error was: " . $error['message']);

Recommendation: Use $wpdb->prepare() with placeholders


2151. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/drink_list_template_default.php:116 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this_list_content = "<h2>{$subtype}</h2>".$this_list_content;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2152. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/drink_list_template_default.php:116 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this_list_content = "<h2>{$subtype}</h2>".$this_list_content;

Recommendation: Use $wpdb->prepare() with placeholders


2153. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/weather.php:5 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

$api_key = '306bfb022724a25c7d795719358609b1';   //bquig

Recommendation: Move credentials to environment variables or secure configuration


2154. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/weather.php:6 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

//$api_key = 'e8d268dbf5ed7bfa6d01ec9377e1d415';  //lost768

Recommendation: Move credentials to environment variables or secure configuration


2155. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/events.php:36 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

exec("ping -c 1 " . $domain, $output, $result);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2156. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/events.php:60 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//new dBug2($age."/".$max_refresh_interval);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2157. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/events.php:36 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

exec("ping -c 1 " . $domain, $output, $result);

Recommendation: Use $wpdb->prepare() with placeholders


2158. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/events.php:60 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//new dBug2($age."/".$max_refresh_interval);

Recommendation: Use $wpdb->prepare() with placeholders


2159. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2160. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2161. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2162. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2163. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2164. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2165. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2166. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:208 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2167. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2168. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2169. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:292 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2170. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2171. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:313 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2172. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:387 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2173. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders


2174. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders


2175. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


2176. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders


2177. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


2178. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders


2179. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders


2180. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:208 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2181. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2182. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2183. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:292 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders


2184. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders


2185. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:313 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders


2186. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/dBug.class.php:387 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders


2187. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/sports.php:5 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

$api_key = 'd3be6efcb12a449c497d671557bbeb1e'; // limit hit for May 2022

Recommendation: Move credentials to environment variables or secure configuration


2188. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/sports.php:6 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

$api_key = 'f837a07ab0344f6ec917fafdb0276ffa';

Recommendation: Move credentials to environment variables or secure configuration


2189. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/styles/weather-new.php:5 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

$api_key = '306bfb022724a25c7d795719358609b1';   //bquig

Recommendation: Move credentials to environment variables or secure configuration


2190. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/styles/weather-new.php:6 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

//$api_key = 'e8d268dbf5ed7bfa6d01ec9377e1d415';  //lost768

Recommendation: Move credentials to environment variables or secure configuration


2191. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/weather-new.php:5 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

$api_key = '306bfb022724a25c7d795719358609b1';   //bquig

Recommendation: Move credentials to environment variables or secure configuration


2192. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/weather-new.php:6 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

//$api_key = 'e8d268dbf5ed7bfa6d01ec9377e1d415';  //lost768

Recommendation: Move credentials to environment variables or secure configuration


2193. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/cache.php:174 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

new dBug2("HTTP request failed. Error was: " . $error['message']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2194. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/cache.php:174 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

new dBug2("HTTP request failed. Error was: " . $error['message']);

Recommendation: Use $wpdb->prepare() with placeholders


2195. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/drink_list_template_default.php:116 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this_list_content = "<h2>{$subtype}</h2>".$this_list_content;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2196. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/drink_list_template_default.php:116 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this_list_content = "<h2>{$subtype}</h2>".$this_list_content;

Recommendation: Use $wpdb->prepare() with placeholders


2197. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/Xweather-new.php:5 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

$api_key = '306bfb022724a25c7d795719358609b1';   //bquig

Recommendation: Move credentials to environment variables or secure configuration


2198. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/Xweather-new.php:6 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

//$api_key = 'e8d268dbf5ed7bfa6d01ec9377e1d415';  //lost768

Recommendation: Move credentials to environment variables or secure configuration


2199. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/weather.php:5 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

$api_key = '306bfb022724a25c7d795719358609b1';   //bquig

Recommendation: Move credentials to environment variables or secure configuration


2200. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/weather.php:6 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

//$api_key = 'e8d268dbf5ed7bfa6d01ec9377e1d415';  //lost768

Recommendation: Move credentials to environment variables or secure configuration


2201. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/events.php:36 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

exec("ping -c 1 " . $domain, $output, $result);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2202. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/events.php:36 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

exec("ping -c 1 " . $domain, $output, $result);

Recommendation: Use $wpdb->prepare() with placeholders


2203. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2204. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2205. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2206. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2207. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2208. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2209. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2210. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:208 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2211. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2212. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2213. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:292 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2214. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2215. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:313 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2216. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:387 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2217. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders


2218. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders


2219. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


2220. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders


2221. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


2222. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders


2223. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders


2224. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:208 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2225. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2226. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2227. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:292 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders


2228. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders


2229. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:313 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders


2230. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/dBug.class.php:387 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders


2231. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/sports.php:5 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

$api_key = 'd3be6efcb12a449c497d671557bbeb1e'; // limit hit for May 2022

Recommendation: Move credentials to environment variables or secure configuration


2232. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-signage/templates/sports.php:6 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

$api_key = 'f837a07ab0344f6ec917fafdb0276ffa';

Recommendation: Move credentials to environment variables or secure configuration


2233. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/common.php:54 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$str .= "<option value='" . $field->id . "' " . $selected . '>' . $field_label . '</option>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2234. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/common.php:54 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$str .= "<option value='" . $field->id . "' " . $selected . '>' . $field_label . '</option>';

Recommendation: Use $wpdb->prepare() with placeholders


2235. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/xml.php:44 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\r\n" . $indent;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2236. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/xml.php:77 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return strlen( $data ) == 0 && ! rgar( $option, "allow_empty" ) ? "" : "$padding<$parent_node_name>" . $this->xml_value( $parent_node_name, $data ) . "</$parent_node_name>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2237. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/xml.php:83 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$version = $path == $parent_node_name && isset( $this->options["version"] ) ? " version=\"" . $this->options["version"] . "\"" : "";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2238. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/xml.php:44 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "\r\n" . $indent;

Recommendation: Use $wpdb->prepare() with placeholders


2239. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/xml.php:77 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return strlen( $data ) == 0 && ! rgar( $option, "allow_empty" ) ? "" : "$padding<$parent_node_name>" . $this->xml_value( $parent_node_name, $data ) . "</$parent_node_name>";

Recommendation: Use $wpdb->prepare() with placeholders


2240. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/xml.php:83 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$version = $path == $parent_node_name && isset( $this->options["version"] ) ? " version=\"" . $this->options["version"] . "\"" : "";

Recommendation: Use $wpdb->prepare() with placeholders


2241. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/export.php:344 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

GFCommon::add_message( sprintf( esc_html__( 'Gravity Forms imported %d %s successfully', 'gravityforms' ), $count, $form_text ) . ". $edit_link" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2242. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/export.php:908 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value = "'" . $value;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2243. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/export.php:1071 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$row_str = "'" . $row_str;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2244. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/export.php:1101 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value = "'" . $value;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2245. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/export.php:344 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

GFCommon::add_message( sprintf( esc_html__( 'Gravity Forms imported %d %s successfully', 'gravityforms' ), $count, $form_text ) . ". $edit_link" );

Recommendation: Use $wpdb->prepare() with placeholders


2246. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/export.php:908 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value = "'" . $value;

Recommendation: Use $wpdb->prepare() with placeholders


2247. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/export.php:1071 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$row_str = "'" . $row_str;

Recommendation: Use $wpdb->prepare() with placeholders


2248. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/export.php:1101 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value = "'" . $value;

Recommendation: Use $wpdb->prepare() with placeholders


2249. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_detail.php:1556 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$modal = json_encode( "<div class='tb-title'><div class='tb-title__logo'></div><div class='tb-title__text'><div class='tb-title__main'>" . $window_title . "</div><div class='tb-title__sub'>" . esc_html__( 'Select a category and customize the predefined choices or paste your own list to bulk add choices.', 'gravityforms' ) . "</div></div></div>" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2250. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_detail.php:3014 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

die( "EndAddField($field_json, " . $field_html_json . ", $index);" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2251. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_detail.php:1556 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$modal = json_encode( "<div class='tb-title'><div class='tb-title__logo'></div><div class='tb-title__text'><div class='tb-title__main'>" . $window_title . "</div><div class='tb-title__sub'>" . esc_html__( 'Select a category and customize the predefined choices or paste your own list to bulk add choices.', 'gravityforms' ) . "</div></div></div>" );

Recommendation: Use $wpdb->prepare() with placeholders


2252. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_detail.php:3014 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

die( "EndAddField($field_json, " . $field_html_json . ", $index);" );

Recommendation: Use $wpdb->prepare() with placeholders


2253. File upload without malware scanning detected

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/forms_model.php:5636 CWE: CWE-434 Confidence: HIGH

Description: File upload without malware scanning detected

Code:

if ( move_uploaded_file( $file['tmp_name'], $target['path'] ) ) {

Recommendation: Scan uploaded files with ClamAV or similar before moving to permanent location


2254. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/forms_model.php:5733 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$target_path = $target_root . $file_name . "$counter" . $extension;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2255. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/forms_model.php:5733 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$target_path = $target_root . $file_name . "$counter" . $extension;

Recommendation: Use $wpdb->prepare() with placeholders


2256. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/gravityforms.php:5273 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$link = "<a class='{$link_class}' onclick='{$onclick}' onkeypress='{$onclick}' {$aria_label} href='{$url}' target='{$target}'>{$label}</a>" . $sub_menu_str;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2257. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/gravityforms.php:5273 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$link = "<a class='{$link_class}' onclick='{$onclick}' onkeypress='{$onclick}' {$aria_label} href='{$url}' target='{$target}'>{$label}</a>" . $sub_menu_str;

Recommendation: Use $wpdb->prepare() with placeholders


2258. File upload without malware scanning detected

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:460 CWE: CWE-434 Confidence: HIGH

Description: File upload without malware scanning detected

Code:

if ( $file_info && move_uploaded_file( $_FILES[ $input_name ]['tmp_name'], $target_path . $file_info['temp_filename'] ) ) {

Recommendation: Scan uploaded files with ClamAV or similar before moving to permanent location


2259. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:465 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

GFCommon::log_error( "GFFormDisplay::upload_files(): File could not be uploaded: tmp_name: {$_FILES[ $input_name ]['tmp_name']} - target location: " . $target_path . $file_info['temp_filename'] );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2260. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:1123 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<div class='{$wrapper_css_class}{$custom_wrapper_css_class}' {$form_theme} {$page_instance} id='gform_wrapper_$form_id' " . $style . '>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2261. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:1413 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<iframe style='{$iframe_style}' src='about:blank' name='gform_ajax_frame_{$form_id}' id='gform_ajax_frame_{$form_id}'" . $iframe_title . ">" . $iframe_content . "</iframe>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2262. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:2148 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message = empty( $confirmation['message'] ) ? "{$anchor} " : "{$anchor}<div id='gform_confirmation_wrapper_{$form['id']}' class='gform_confirmation_wrapper {$css_class}'><div id='gform_confirmation_message_{$form['id']}' class='gform_confirmation_message_{$form['id']} gform_confirmation_message'>" . $message . '</div></div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2263. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:3406 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"window['gf_number_format'] = '" . $number_format . "';" .

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2264. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:4138 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$product_suffix            = "_{$form_id}_" . $field->productField;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2265. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:4779 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$confirmation_message = "<div class='form_saved_message'>" . $confirmation_message . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2266. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:4943 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ajax_iframe_content = "<!DOCTYPE html><html><head><meta charset='UTF-8' /></head><body class='GF_AJAX_POSTBACK'>" . $body_content . '</body></html>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2267. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:465 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

GFCommon::log_error( "GFFormDisplay::upload_files(): File could not be uploaded: tmp_name: {$_FILES[ $input_name ]['tmp_name']} - target location: " . $target_path . $file_info['temp_filename'] );

Recommendation: Use $wpdb->prepare() with placeholders


2268. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:1123 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<div class='{$wrapper_css_class}{$custom_wrapper_css_class}' {$form_theme} {$page_instance} id='gform_wrapper_$form_id' " . $style . '>';

Recommendation: Use $wpdb->prepare() with placeholders


2269. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:1413 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<iframe style='{$iframe_style}' src='about:blank' name='gform_ajax_frame_{$form_id}' id='gform_ajax_frame_{$form_id}'" . $iframe_title . ">" . $iframe_content . "</iframe>

Recommendation: Use $wpdb->prepare() with placeholders


2270. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:2148 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message = empty( $confirmation['message'] ) ? "{$anchor} " : "{$anchor}<div id='gform_confirmation_wrapper_{$form['id']}' class='gform_confirmation_wrapper {$css_class}'><div id='gform_confirmation_message_{$form['id']}' class='gform_confirmation_message_{$form['id']} gform_confirmation_message'>" . $message . '</div></div>';

Recommendation: Use $wpdb->prepare() with placeholders


2271. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:3406 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"window['gf_number_format'] = '" . $number_format . "';" .

Recommendation: Use $wpdb->prepare() with placeholders


2272. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:4138 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$product_suffix            = "_{$form_id}_" . $field->productField;

Recommendation: Use $wpdb->prepare() with placeholders


2273. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:4779 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$confirmation_message = "<div class='form_saved_message'>" . $confirmation_message . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders


2274. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/form_display.php:4943 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$ajax_iframe_content = "<!DOCTYPE html><html><head><meta charset='UTF-8' /></head><body class='GF_AJAX_POSTBACK'>" . $body_content . '</body></html>';

Recommendation: Use $wpdb->prepare() with placeholders


2275. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/upload.php:56 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

GFCommon::log_debug( "GFAsyncUpload::upload(): Couldn't create the tmp folder: " . $target_dir );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2276. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/upload.php:56 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

GFCommon::log_debug( "GFAsyncUpload::upload(): Couldn't create the tmp folder: " . $target_dir );

Recommendation: Use $wpdb->prepare() with placeholders


2277. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/class-gf-upgrade.php:474 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$max    = $wpdb->query( "select id from {$table_name} order by id desc" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2278. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/class-gf-upgrade.php:1478 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$result = $wpdb->query( "UPDATE {$lead_details_table} SET value = TRIM(value)" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2279. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/class-gf-upgrade.php:1582 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DROP INDEX {$index} ON {$table}" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2280. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/class-gf-upgrade.php:1733 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$result = $wpdb->query( "ALTER TABLE {$lead_detail_table} MODIFY `value` LONGTEXT;" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2281. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/class-gf-upgrade.php:1480 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$results = $wpdb->get_results( "SELECT form_id, display_meta, confirmations, notifications FROM {$meta_table_name}", ARRAY_A );

Recommendation: Use $wpdb->prepare() with placeholders


2282. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-results.php:571 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_results .= "<td class='gsurvey-likert-choice-label'>" . $choice['text'] . '</td>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2283. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-results.php:598 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_results .= "<td class='gsurvey-likert-row-label'>" . $row_text . '</td>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2284. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-results.php:608 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_results .= "<td class='gsurvey-likert-results' style='background-color:{$clr}'>" . $val . '</td>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2285. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-results.php:614 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_results .= "<td class='gsurvey-likert-results'>" . $average_row_score . '</td>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2286. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-results.php:571 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_results .= "<td class='gsurvey-likert-choice-label'>" . $choice['text'] . '</td>';

Recommendation: Use $wpdb->prepare() with placeholders


2287. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-results.php:598 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_results .= "<td class='gsurvey-likert-row-label'>" . $row_text . '</td>';

Recommendation: Use $wpdb->prepare() with placeholders


2288. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-results.php:608 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_results .= "<td class='gsurvey-likert-results' style='background-color:{$clr}'>" . $val . '</td>';

Recommendation: Use $wpdb->prepare() with placeholders


2289. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-results.php:614 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_results .= "<td class='gsurvey-likert-results'>" . $average_row_score . '</td>';

Recommendation: Use $wpdb->prepare() with placeholders


2290. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-addon.php:5427 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

die( esc_html__( "You don't have adequate permission to uninstall this add-on: " . $this->_title, 'gravityforms' ) );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2291. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-addon.php:5427 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

die( esc_html__( "You don't have adequate permission to uninstall this add-on: " . $this->_title, 'gravityforms' ) );

Recommendation: Use $wpdb->prepare() with placeholders


2292. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:2574 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$html .= "<script type='text/javascript'>var " . $field['name'] . '_intervals = ' . json_encode( $intervals ) . ';</script>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2293. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:2966 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$select_inner1 = "yearweek(CONVERT_TZ(payment_date, '+00:00', '" . $tz_offset . "')) week";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2294. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:2967 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$select_inner2 = "yearweek(CONVERT_TZ(t.date_created, '+00:00', '" . $tz_offset . "')) week";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2295. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:2984 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$select_inner1 = "date_format(CONVERT_TZ(payment_date, '+00:00', '" . $tz_offset . "'), '%%Y-%%m-01') inner_month";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2296. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:2985 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$select_inner2 = "date_format(CONVERT_TZ(t.date_created, '+00:00', '" . $tz_offset . "'), '%%Y-%%m-01') inner_month";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2297. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3002 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$select_inner1 = "date(CONVERT_TZ(payment_date, '+00:00', '" . $tz_offset . "')) as date";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2298. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3003 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$select_inner2 = "date(CONVERT_TZ(t.date_created, '+00:00', '" . $tz_offset . "')) as date";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2299. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3025 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$lead_date_filter        = $wpdb->prepare( " AND timestampdiff(SECOND, %s, CONVERT_TZ(l.payment_date, '+00:00', '" . $tz_offset . "')) >= 0", $search['start_date'] );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2300. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3026 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$transaction_date_filter = $wpdb->prepare( " AND timestampdiff(SECOND, %s, CONVERT_TZ(t.date_created, '+00:00', '" . $tz_offset . "')) >= 0", $search['start_date'] );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2301. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3031 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$lead_date_filter        .= $wpdb->prepare( " AND timestampdiff(SECOND, %s, CONVERT_TZ(l.payment_date, '+00:00', '" . $tz_offset . "')) <= 0", $search['end_date'] );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2302. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3032 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$transaction_date_filter .= $wpdb->prepare( " AND timestampdiff(SECOND, %s, CONVERT_TZ(t.date_created, '+00:00', '" . $tz_offset . "')) <= 0", $search['end_date'] );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2303. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3190 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

SELECT  date( CONVERT_TZ(payment_date, '+00:00', '" . $tz_offset . "') ) as date,

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2304. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3194 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

WHERE status='active' AND form_id = %d AND datediff(now(), CONVERT_TZ(payment_date, '+00:00', '" . $tz_offset . "') ) <= 30

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2305. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3199 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

SELECT  date( CONVERT_TZ(t.date_created, '+00:00', '" . $tz_offset . "') ) as date,

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2306. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:2574 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$html .= "<script type='text/javascript'>var " . $field['name'] . '_intervals = ' . json_encode( $intervals ) . ';</script>';

Recommendation: Use $wpdb->prepare() with placeholders


2307. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:2966 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$select_inner1 = "yearweek(CONVERT_TZ(payment_date, '+00:00', '" . $tz_offset . "')) week";

Recommendation: Use $wpdb->prepare() with placeholders


2308. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:2967 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$select_inner2 = "yearweek(CONVERT_TZ(t.date_created, '+00:00', '" . $tz_offset . "')) week";

Recommendation: Use $wpdb->prepare() with placeholders


2309. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:2984 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$select_inner1 = "date_format(CONVERT_TZ(payment_date, '+00:00', '" . $tz_offset . "'), '%%Y-%%m-01') inner_month";

Recommendation: Use $wpdb->prepare() with placeholders


2310. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:2985 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$select_inner2 = "date_format(CONVERT_TZ(t.date_created, '+00:00', '" . $tz_offset . "'), '%%Y-%%m-01') inner_month";

Recommendation: Use $wpdb->prepare() with placeholders


2311. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3002 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$select_inner1 = "date(CONVERT_TZ(payment_date, '+00:00', '" . $tz_offset . "')) as date";

Recommendation: Use $wpdb->prepare() with placeholders


2312. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3003 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$select_inner2 = "date(CONVERT_TZ(t.date_created, '+00:00', '" . $tz_offset . "')) as date";

Recommendation: Use $wpdb->prepare() with placeholders


2313. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3025 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$lead_date_filter        = $wpdb->prepare( " AND timestampdiff(SECOND, %s, CONVERT_TZ(l.payment_date, '+00:00', '" . $tz_offset . "')) >= 0", $search['start_date'] );

Recommendation: Use $wpdb->prepare() with placeholders


2314. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3026 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$transaction_date_filter = $wpdb->prepare( " AND timestampdiff(SECOND, %s, CONVERT_TZ(t.date_created, '+00:00', '" . $tz_offset . "')) >= 0", $search['start_date'] );

Recommendation: Use $wpdb->prepare() with placeholders


2315. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3031 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$lead_date_filter        .= $wpdb->prepare( " AND timestampdiff(SECOND, %s, CONVERT_TZ(l.payment_date, '+00:00', '" . $tz_offset . "')) <= 0", $search['end_date'] );

Recommendation: Use $wpdb->prepare() with placeholders


2316. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3032 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$transaction_date_filter .= $wpdb->prepare( " AND timestampdiff(SECOND, %s, CONVERT_TZ(t.date_created, '+00:00', '" . $tz_offset . "')) <= 0", $search['end_date'] );

Recommendation: Use $wpdb->prepare() with placeholders


2317. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3190 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

SELECT  date( CONVERT_TZ(payment_date, '+00:00', '" . $tz_offset . "') ) as date,

Recommendation: Use $wpdb->prepare() with placeholders


2318. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3194 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

WHERE status='active' AND form_id = %d AND datediff(now(), CONVERT_TZ(payment_date, '+00:00', '" . $tz_offset . "') ) <= 30

Recommendation: Use $wpdb->prepare() with placeholders


2319. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-payment-addon.php:3199 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

SELECT  date( CONVERT_TZ(t.date_created, '+00:00', '" . $tz_offset . "') ) as date,

Recommendation: Use $wpdb->prepare() with placeholders


2320. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-feed-processor.php:149 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

), __METHOD__ . "(): Starting to process feed (#{$feed['id']} - {$feed_name}) for entry #{$entry['id']} for {$addon->get_slug()}. Attempt number: " . $item['attempts'] );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2321. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/addon/class-gf-feed-processor.php:149 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

), __METHOD__ . "(): Starting to process feed (#{$feed['id']} - {$feed_name}) for entry #{$entry['id']} for {$addon->get_slug()}. Attempt number: " . $item['attempts'] );

Recommendation: Use $wpdb->prepare() with placeholders


2322. File upload without malware scanning detected

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-fileupload.php:731 CWE: CWE-434 Confidence: HIGH

Description: File upload without malware scanning detected

Code:

if ( move_uploaded_file( $file['tmp_name'], $target['path'] ) ) {

Recommendation: Scan uploaded files with ClamAV or similar before moving to permanent location


2323. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-fileupload.php:462 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<div class='ginput_container ginput_container_fileupload'>" . $upload . " {$preview}</div>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2324. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-fileupload.php:467 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<div class='ginput_container ginput_container_fileupload'>$upload</div>" . $preview;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2325. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-fileupload.php:462 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<div class='ginput_container ginput_container_fileupload'>" . $upload . " {$preview}</div>";

Recommendation: Use $wpdb->prepare() with placeholders


2326. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-fileupload.php:467 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<div class='ginput_container ginput_container_fileupload'>$upload</div>" . $preview;

Recommendation: Use $wpdb->prepare() with placeholders


2327. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-creditcard.php:433 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<div class='ginput_complex{$class_suffix} ginput_container ginput_container_creditcard gform-grid-row' id='{$field_id}'>" . $card_field . $expiration_field . $security_field . $card_name_field . ' </div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2328. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-creditcard.php:433 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<div class='ginput_complex{$class_suffix} ginput_container ginput_container_creditcard gform-grid-row' id='{$field_id}'>" . $card_field . $expiration_field . $security_field . $card_name_field . ' </div>';

Recommendation: Use $wpdb->prepare() with placeholders


2329. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-checkbox.php:740 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<label for='{$id}' id='label_" . $this->id . "_select_all' class='gform-field-label  gform-field-label--type-inline' data-label-select='{$select_label}' data-label-deselect='{$deselect_label}'>{$toggle_label}</label>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2330. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-checkbox.php:740 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<label for='{$id}' id='label_" . $this->id . "_select_all' class='gform-field-label  gform-field-label--type-inline' data-label-select='{$select_label}' data-label-deselect='{$deselect_label}'>{$toggle_label}</label>

Recommendation: Use $wpdb->prepare() with placeholders


2331. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-number.php:241 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$instruction = "<div class='gfield_description instruction $validation_class' id='gfield_instruction_{$this->formId}_{$this->id}'>" . $message . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2332. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-number.php:241 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$instruction = "<div class='gfield_description instruction $validation_class' id='gfield_instruction_{$this->formId}_{$this->id}'>" . $message . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders


2333. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-name.php:412 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<label for='{$field_id}_6' class='gform-field-label gform-field-label--type-sub {$sub_label_class}'>" . $last_name_sub_label . "</label>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2334. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-name.php:412 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<label for='{$field_id}_6' class='gform-field-label gform-field-label--type-sub {$sub_label_class}'>" . $last_name_sub_label . "</label>

Recommendation: Use $wpdb->prepare() with placeholders


2335. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-address.php:561 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$state_field_id = "id='" . $field_id . "_4'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2336. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-address.php:561 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$state_field_id = "id='" . $field_id . "_4'";

Recommendation: Use $wpdb->prepare() with placeholders


2337. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-post-image.php:174 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<div class='ginput_complex$class_suffix ginput_container ginput_container_post_image gform-grid-row'>" . $upload . $alt_field . $title_field . $caption_field . $description_field . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2338. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-post-image.php:223 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value .= ! empty( $alt ) ? "\n\n" . $this->label . ' (' . __( 'Alternative Text', 'gravityforms' ) . '): ' . $description : '';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2339. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-post-image.php:224 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value .= ! empty( $title ) ? "\n\n" . $this->label . ' (' . __( 'Title', 'gravityforms' ) . '): ' . $title : '';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2340. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-post-image.php:225 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value .= ! empty( $caption ) ? "\n\n" . $this->label . ' (' . __( 'Caption', 'gravityforms' ) . '): ' . $caption : '';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2341. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-post-image.php:226 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value .= ! empty( $description ) ? "\n\n" . $this->label . ' (' . __( 'Description', 'gravityforms' ) . '): ' . $description : '';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2342. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-post-image.php:174 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "<div class='ginput_complex$class_suffix ginput_container ginput_container_post_image gform-grid-row'>" . $upload . $alt_field . $title_field . $caption_field . $description_field . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders


2343. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-post-image.php:223 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value .= ! empty( $alt ) ? "\n\n" . $this->label . ' (' . __( 'Alternative Text', 'gravityforms' ) . '): ' . $description : '';

Recommendation: Use $wpdb->prepare() with placeholders


2344. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-post-image.php:224 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value .= ! empty( $title ) ? "\n\n" . $this->label . ' (' . __( 'Title', 'gravityforms' ) . '): ' . $title : '';

Recommendation: Use $wpdb->prepare() with placeholders


2345. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-post-image.php:225 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value .= ! empty( $caption ) ? "\n\n" . $this->label . ' (' . __( 'Caption', 'gravityforms' ) . '): ' . $caption : '';

Recommendation: Use $wpdb->prepare() with placeholders


2346. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-post-image.php:226 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value .= ! empty( $description ) ? "\n\n" . $this->label . ' (' . __( 'Description', 'gravityforms' ) . '): ' . $description : '';

Recommendation: Use $wpdb->prepare() with placeholders


2347. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-list.php:218 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$list .= "<div class='gfield_list_group_item gfield_list_cell gfield_list_{$this->id}_cell{$colnum} gform-grid-col' {$data_label}>" . $this->get_list_input( $has_columns, $column, $val, $form_id, $rownum ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2348. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-list.php:401 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$list .= "<td class='gfield_list_cell gfield_list_{$this->id}_cell{$colnum}' {$data_label}>" . $this->get_list_input( $has_columns, $column, $val, $form_id, null ) . '</td>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2349. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-list.php:706 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$list .= "\n\n" . $this->label . ': ';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2350. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-list.php:218 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$list .= "<div class='gfield_list_group_item gfield_list_cell gfield_list_{$this->id}_cell{$colnum} gform-grid-col' {$data_label}>" . $this->get_list_input( $has_columns, $column, $val, $form_id, $rownum ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders


2351. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-list.php:401 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$list .= "<td class='gfield_list_cell gfield_list_{$this->id}_cell{$colnum}' {$data_label}>" . $this->get_list_input( $has_columns, $column, $val, $form_id, null ) . '</td>';

Recommendation: Use $wpdb->prepare() with placeholders


2352. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-list.php:706 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$list .= "\n\n" . $this->label . ': ';

Recommendation: Use $wpdb->prepare() with placeholders


2353. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:328 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$month_dropdown = "<div class='gfield_date_dropdown_month ginput_date_dropdown ginput_container ginput_container_date gform-grid-col' id='gfield_dropdown_date_month' style='display:$dropdown_display'>" . $this->get_month_dropdown( '', "{$field_id}_1", rgar( $date_info, 'month' ), '', $disabled_text, $month_placeholder_value ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2354. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:329 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$day_dropdown   = "<div class='gfield_date_dropdown_day ginput_date_dropdown ginput_container ginput_container_date gform-grid-col' id='gfield_dropdown_date_day' style='display:$dropdown_display'>" . $this->get_day_dropdown( '', "{$field_id}_2", rgar( $date_info, 'day' ), '', $disabled_text, $day_placeholder_value ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2355. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:330 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$year_dropdown  = "<div class='gfield_date_dropdown_year ginput_date_dropdown ginput_container ginput_container_date gform-grid-col' id='gfield_dropdown_date_year' style='display:$dropdown_display'>" . $this->get_year_dropdown( '', "{$field_id}_3", rgar( $date_info, 'year' ), '', $disabled_text, $year_placeholder_value, $form ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2356. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:374 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str = "{$clear_multi_div_open}<div class='gfield_date_dropdown_day ginput_container ginput_container_date gform-grid-col' id='{$field_id}_2_container'>" . $this->get_day_dropdown( "input_{$id}[]", "{$field_id}_2", rgar( $date_info, 'day' ), $tabindex, $disabled_text, $day_placeholder_value, $day_aria_attributes ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2357. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:377 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str .= "<div class='gfield_date_dropdown_month ginput_container ginput_container_date gform-grid-col' id='{$field_id}_1_container'>" . $this->get_month_dropdown( "input_{$id}[]", "{$field_id}_1", rgar( $date_info, 'month' ), $tabindex, $disabled_text, $month_placeholder_value, $month_aria_attributes ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2358. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:381 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str .= "<div class='gfield_date_dropdown_year ginput_container ginput_container_date gform-grid-col' id='{$field_id}_3_container'>" . $this->get_year_dropdown( "input_{$id}[]", "{$field_id}_3", rgar( $date_info, 'year' ), $tabindex, $disabled_text, $year_placeholder_value, $form, $year_aria_attributes ) ."</div>{$clear_multi_div_close}";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2359. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:432 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str = "{$clear_multi_div_open}<div class='gfield_date_dropdown_year ginput_container ginput_container_date gform-grid-col' id='{$field_id}_3_container'>" . $this->get_year_dropdown( "input_{$id}[]", "{$field_id}_3", rgar( $date_info, 'year' ), $tabindex, $disabled_text, $year_placeholder_value, $form, $year_aria_attributes ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2360. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:436 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str .= "<div class='gfield_date_dropdown_month ginput_container ginput_container_date gform-grid-col' id='{$field_id}_1_container'>" . $this->get_month_dropdown( "input_{$id}[]", "{$field_id}_1", rgar( $date_info, 'month' ), $tabindex, $disabled_text, $month_placeholder_value, $month_aria_attributes ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2361. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:440 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str .= "<div class='gfield_date_dropdown_day ginput_container ginput_container_date gform-grid-col' id='{$field_id}_2_container'>" . $this->get_day_dropdown( "input_{$id}[]", "{$field_id}_2", rgar( $date_info, 'day' ), $tabindex, $disabled_text, $day_placeholder_value, $day_aria_attributes ) . "</div>{$clear_multi_div_close}";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2362. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:489 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str = "{$clear_multi_div_open}<div class='gfield_date_dropdown_month ginput_container ginput_container_date gform-grid-col' id='{$field_id}_1_container'>" . $this->get_month_dropdown( "input_{$id}[]", "{$field_id}_1", rgar( $date_info, 'month' ), $tabindex, $disabled_text, $month_placeholder_value, $month_aria_attributes ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2363. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:493 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str .= "<div class='gfield_date_dropdown_day ginput_container ginput_container_date gform-grid-col' id='{$field_id}_2_container'>" . $this->get_day_dropdown( "input_{$id}[]", "{$field_id}_2", rgar( $date_info, 'day' ), $tabindex, $disabled_text, $day_placeholder_value, $day_aria_attributes ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2364. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:497 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str .= "<div class='gfield_date_dropdown_year ginput_container ginput_container_date gform-grid-col' id='{$field_id}_3_container'>" . $this->get_year_dropdown( "input_{$id}[]", "{$field_id}_3", rgar( $date_info, 'year' ), $tabindex, $disabled_text, $year_placeholder_value, $form, $year_aria_attributes ) . "</div>{$clear_multi_div_close}";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2365. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:328 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$month_dropdown = "<div class='gfield_date_dropdown_month ginput_date_dropdown ginput_container ginput_container_date gform-grid-col' id='gfield_dropdown_date_month' style='display:$dropdown_display'>" . $this->get_month_dropdown( '', "{$field_id}_1", rgar( $date_info, 'month' ), '', $disabled_text, $month_placeholder_value ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders


2366. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:329 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$day_dropdown   = "<div class='gfield_date_dropdown_day ginput_date_dropdown ginput_container ginput_container_date gform-grid-col' id='gfield_dropdown_date_day' style='display:$dropdown_display'>" . $this->get_day_dropdown( '', "{$field_id}_2", rgar( $date_info, 'day' ), '', $disabled_text, $day_placeholder_value ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders


2367. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:330 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$year_dropdown  = "<div class='gfield_date_dropdown_year ginput_date_dropdown ginput_container ginput_container_date gform-grid-col' id='gfield_dropdown_date_year' style='display:$dropdown_display'>" . $this->get_year_dropdown( '', "{$field_id}_3", rgar( $date_info, 'year' ), '', $disabled_text, $year_placeholder_value, $form ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders


2368. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:374 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str = "{$clear_multi_div_open}<div class='gfield_date_dropdown_day ginput_container ginput_container_date gform-grid-col' id='{$field_id}_2_container'>" . $this->get_day_dropdown( "input_{$id}[]", "{$field_id}_2", rgar( $date_info, 'day' ), $tabindex, $disabled_text, $day_placeholder_value, $day_aria_attributes ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders


2369. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:377 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str .= "<div class='gfield_date_dropdown_month ginput_container ginput_container_date gform-grid-col' id='{$field_id}_1_container'>" . $this->get_month_dropdown( "input_{$id}[]", "{$field_id}_1", rgar( $date_info, 'month' ), $tabindex, $disabled_text, $month_placeholder_value, $month_aria_attributes ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders


2370. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:381 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str .= "<div class='gfield_date_dropdown_year ginput_container ginput_container_date gform-grid-col' id='{$field_id}_3_container'>" . $this->get_year_dropdown( "input_{$id}[]", "{$field_id}_3", rgar( $date_info, 'year' ), $tabindex, $disabled_text, $year_placeholder_value, $form, $year_aria_attributes ) ."</div>{$clear_multi_div_close}";

Recommendation: Use $wpdb->prepare() with placeholders


2371. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:432 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str = "{$clear_multi_div_open}<div class='gfield_date_dropdown_year ginput_container ginput_container_date gform-grid-col' id='{$field_id}_3_container'>" . $this->get_year_dropdown( "input_{$id}[]", "{$field_id}_3", rgar( $date_info, 'year' ), $tabindex, $disabled_text, $year_placeholder_value, $form, $year_aria_attributes ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders


2372. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:436 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str .= "<div class='gfield_date_dropdown_month ginput_container ginput_container_date gform-grid-col' id='{$field_id}_1_container'>" . $this->get_month_dropdown( "input_{$id}[]", "{$field_id}_1", rgar( $date_info, 'month' ), $tabindex, $disabled_text, $month_placeholder_value, $month_aria_attributes ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders


2373. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:440 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str .= "<div class='gfield_date_dropdown_day ginput_container ginput_container_date gform-grid-col' id='{$field_id}_2_container'>" . $this->get_day_dropdown( "input_{$id}[]", "{$field_id}_2", rgar( $date_info, 'day' ), $tabindex, $disabled_text, $day_placeholder_value, $day_aria_attributes ) . "</div>{$clear_multi_div_close}";

Recommendation: Use $wpdb->prepare() with placeholders


2374. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:489 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str = "{$clear_multi_div_open}<div class='gfield_date_dropdown_month ginput_container ginput_container_date gform-grid-col' id='{$field_id}_1_container'>" . $this->get_month_dropdown( "input_{$id}[]", "{$field_id}_1", rgar( $date_info, 'month' ), $tabindex, $disabled_text, $month_placeholder_value, $month_aria_attributes ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders


2375. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:493 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str .= "<div class='gfield_date_dropdown_day ginput_container ginput_container_date gform-grid-col' id='{$field_id}_2_container'>" . $this->get_day_dropdown( "input_{$id}[]", "{$field_id}_2", rgar( $date_info, 'day' ), $tabindex, $disabled_text, $day_placeholder_value, $day_aria_attributes ) . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders


2376. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-date.php:497 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$field_str .= "<div class='gfield_date_dropdown_year ginput_container ginput_container_date gform-grid-col' id='{$field_id}_3_container'>" . $this->get_year_dropdown( "input_{$id}[]", "{$field_id}_3", rgar( $date_info, 'year' ), $tabindex, $disabled_text, $year_placeholder_value, $form, $year_aria_attributes ) . "</div>{$clear_multi_div_close}";

Recommendation: Use $wpdb->prepare() with placeholders


2377. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-calculation.php:93 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$quantity_field            .= " <span class='ginput_quantity_label gform-field-label' aria-hidden='true'>" . $product_quantity_sub_label . "</span> <input type='{$qty_input_type}' name='input_{$id}.3' value='{$quantity}' id='input_{$form_id}_{$this->id}_1' class='ginput_quantity' size='10' {$qty_min_attr} {$tabindex} {$disabled_text} {$quantity_aria_describedby} />";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2378. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-calculation.php:93 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$quantity_field            .= " <span class='ginput_quantity_label gform-field-label' aria-hidden='true'>" . $product_quantity_sub_label . "</span> <input type='{$qty_input_type}' name='input_{$id}.3' value='{$quantity}' id='input_{$form_id}_{$this->id}_1' class='ginput_quantity' size='10' {$qty_min_attr} {$tabindex} {$disabled_text} {$quantity_aria_describedby} />";

Recommendation: Use $wpdb->prepare() with placeholders


2379. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-repeater.php:322 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$row .= "<div class='gfield_repeater_cell'>" . $field_input . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2380. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-repeater.php:388 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$html = "<button type='button' class='add_repeater_item gform-theme-button gform-theme-button--secondary gform-theme-button--size-sm {$disabled_icon_class} {$add_button_class}' {$add_events}>" . $add_button_text . "</button>" .

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2381. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-repeater.php:389 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"<button type='button' class='remove_repeater_item gform-theme-button gform-theme-button--secondary gform-theme-button--size-sm {$remove_button_class}' {$delete_events} style='{$delete_display}'>" . $remove_button_text . "</button>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2382. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-repeater.php:963 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$line      = $label . "\n" . $field->get_value_export_recursive( $field_value, $field->id, $use_text, $is_csv, $new_depth, $padding );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2383. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-repeater.php:982 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$row_value = "'" . $row_value;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2384. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-repeater.php:992 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value = "'" . $value;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2385. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-repeater.php:322 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$row .= "<div class='gfield_repeater_cell'>" . $field_input . '</div>';

Recommendation: Use $wpdb->prepare() with placeholders


2386. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-repeater.php:388 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$html = "<button type='button' class='add_repeater_item gform-theme-button gform-theme-button--secondary gform-theme-button--size-sm {$disabled_icon_class} {$add_button_class}' {$add_events}>" . $add_button_text . "</button>" .

Recommendation: Use $wpdb->prepare() with placeholders


2387. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-repeater.php:389 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"<button type='button' class='remove_repeater_item gform-theme-button gform-theme-button--secondary gform-theme-button--size-sm {$remove_button_class}' {$delete_events} style='{$delete_display}'>" . $remove_button_text . "</button>";

Recommendation: Use $wpdb->prepare() with placeholders


2388. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-repeater.php:963 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$line      = $label . "\n" . $field->get_value_export_recursive( $field_value, $field->id, $use_text, $is_csv, $new_depth, $padding );

Recommendation: Use $wpdb->prepare() with placeholders


2389. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-repeater.php:982 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$row_value = "'" . $row_value;

Recommendation: Use $wpdb->prepare() with placeholders


2390. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-repeater.php:992 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$value = "'" . $value;

Recommendation: Use $wpdb->prepare() with placeholders


2391. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-email.php:212 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<label for='{$field_id}' class='gform-field-label gform-field-label--type-sub {$sub_label_class}'>" . $enter_email_label . "</label>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2392. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-email.php:212 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<label for='{$field_id}' class='gform-field-label gform-field-label--type-sub {$sub_label_class}'>" . $enter_email_label . "</label>

Recommendation: Use $wpdb->prepare() with placeholders


2393. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field.php:81 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

_deprecated_function( "Array access to the field object is now deprecated. Further notices will be suppressed. \$field['" . $offset . "']", '2.0', 'the object operator e.g. $field->' . $offset );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2394. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field.php:1220 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "onchange='gf_apply_rules(" . $this->formId . ',' . GFCommon::json_encode( $this->conditionalLogicFields ) . ");' onkeyup='clearTimeout(__gf_timeout_handle); __gf_timeout_handle = setTimeout(\"gf_apply_rules(" . $this->formId . ',' . GFCommon::json_encode( $this->conditionalLogicFields ) . ")\", 300);'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2395. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field.php:1224 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "onclick='gf_apply_rules(" . $this->formId . ',' . GFCommon::json_encode( $this->conditionalLogicFields ) . ");' onkeypress='gf_apply_rules(" . $this->formId . ',' . GFCommon::json_encode( $this->conditionalLogicFields ) . ");'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2396. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field.php:1228 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "onchange='gf_apply_rules(" . $this->formId . ',' . GFCommon::json_encode( $this->conditionalLogicFields ) . ");'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2397. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field.php:1791 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $is_admin || ! empty( $description ) ? "<div class='$css_class' id='$id'>" . $description . '</div>' : '';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2398. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field.php:81 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

_deprecated_function( "Array access to the field object is now deprecated. Further notices will be suppressed. \$field['" . $offset . "']", '2.0', 'the object operator e.g. $field->' . $offset );

Recommendation: Use $wpdb->prepare() with placeholders


2399. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field.php:1220 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "onchange='gf_apply_rules(" . $this->formId . ',' . GFCommon::json_encode( $this->conditionalLogicFields ) . ");' onkeyup='clearTimeout(__gf_timeout_handle); __gf_timeout_handle = setTimeout(\"gf_apply_rules(" . $this->formId . ',' . GFCommon::json_encode( $this->conditionalLogicFields ) . ")\", 300);'";

Recommendation: Use $wpdb->prepare() with placeholders


2400. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field.php:1224 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "onclick='gf_apply_rules(" . $this->formId . ',' . GFCommon::json_encode( $this->conditionalLogicFields ) . ");' onkeypress='gf_apply_rules(" . $this->formId . ',' . GFCommon::json_encode( $this->conditionalLogicFields ) . ");'";

Recommendation: Use $wpdb->prepare() with placeholders


2401. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field.php:1228 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return "onchange='gf_apply_rules(" . $this->formId . ',' . GFCommon::json_encode( $this->conditionalLogicFields ) . ");'";

Recommendation: Use $wpdb->prepare() with placeholders


2402. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field.php:1791 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return $is_admin || ! empty( $description ) ? "<div class='$css_class' id='$id'>" . $description . '</div>' : '';

Recommendation: Use $wpdb->prepare() with placeholders


2403. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-singleproduct.php:126 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$quantity_field            .= " <span class='ginput_quantity_label gform-field-label' aria-hidden='true'>" . $product_quantity_sub_label . "</span> <input type='{$qty_input_type}' name='input_{$id}.3' value='{$quantity}' id='input_{$form_id}_{$this->id}_1' class='ginput_quantity' size='10' {$qty_min_attr} {$tabindex} {$disabled_text} {$quantity_aria_label} {$quantity_aria_describedby} />";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2404. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/fields/class-gf-field-singleproduct.php:126 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$quantity_field            .= " <span class='ginput_quantity_label gform-field-label' aria-hidden='true'>" . $product_quantity_sub_label . "</span> <input type='{$qty_input_type}' name='input_{$id}.3' value='{$quantity}' id='input_{$form_id}_{$this->id}_1' class='ginput_quantity' size='10' {$qty_min_attr} {$tabindex} {$disabled_text} {$quantity_aria_label} {$quantity_aria_describedby} />";

Recommendation: Use $wpdb->prepare() with placeholders


2405. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/query/batch-processing/class-gf-entry-meta-batch-processor.php:93 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

array( "SELECT id, meta_key FROM {$meta_table} WHERE meta_key in " . $prepare_statement_placeholders ),

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2406. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/query/batch-processing/class-gf-entry-meta-batch-processor.php:93 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

array( "SELECT id, meta_key FROM {$meta_table} WHERE meta_key in " . $prepare_statement_placeholders ),

Recommendation: Use $wpdb->prepare() with placeholders


2407. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/settings/fields/class-notification-routing.php:498 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$str      .= "<option value='" . $field->id . "' " . $selected . '>' . $field_label . '</option>';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2408. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/gravityforms/includes/settings/fields/class-notification-routing.php:498 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$str      .= "<option value='" . $field->id . "' " . $selected . '>' . $field_label . '</option>';

Recommendation: Use $wpdb->prepare() with placeholders


2409. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/all-in-one-wp-migration/uninstall.php:50 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "DELETE FROM `{$wpdb->options}` WHERE `option_name` LIKE 'ai1wm\_%'" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2410. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/antispam-bee/inc/columns.class.php:109 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$reasons     = $wpdb->get_results( "SELECT meta_value FROM {$wpdb->prefix}commentmeta WHERE meta_key = 'antispam_bee_reason' group by meta_value", ARRAY_A );

Recommendation: Use $wpdb->prepare() with placeholders


2411. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:37 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Total plugins: " . $stats['total_plugins'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2412. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:38 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Active plugins: " . $stats['active_plugins'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2413. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:39 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Total downloads: " . $stats['total_downloads'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2414. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:54 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Total plugins: " . $stats['total_plugins'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2415. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:55 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Active plugins: " . $stats['active_plugins'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2416. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:81 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Testing plugin: " . $test_plugin->plugin_slug . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2417. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:82 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Registry version: " . $test_plugin->current_version . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2418. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:86 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Simulated installed version: " . $old_version . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2419. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:92 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Current: " . $update['current_version'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2420. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:93 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  New: " . $update['new_version'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2421. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Name: " . $retrieved->plugin_name . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2422. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "  Version: " . $retrieved->current_version . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2423. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:136 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "✓ Plugin updated to v" . $retrieved2->current_version . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2424. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:154 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Total plugins: " . $final_stats['total_plugins'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2425. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:155 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a test script; there is no database query on this line.

Code:

echo "Active plugins: " . $final_stats['active_plugins'] . "\n";

Recommendation: No query change applies. Confirm that test-plugin-registry.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server.


2426. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:156 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a test script; there is no database query on this line.

Code:

echo "Total downloads: " . $final_stats['total_downloads'] . "\n";

Recommendation: No query change applies. Confirm that test-plugin-registry.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server.


2427. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:37 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a test script; there is no database query on this line.

Code:

echo "Total plugins: " . $stats['total_plugins'] . "\n";

Recommendation: No query change applies. Confirm that test-plugin-registry.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server.


2428. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:38 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a test script; there is no database query on this line.

Code:

echo "Active plugins: " . $stats['active_plugins'] . "\n";

Recommendation: No query change applies. Confirm that test-plugin-registry.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server.


2429. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:39 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a test script; there is no database query on this line.

Code:

echo "Total downloads: " . $stats['total_downloads'] . "\n";

Recommendation: No query change applies. Confirm that test-plugin-registry.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server.


2430. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:54 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a test script; there is no database query on this line.

Code:

echo "Total plugins: " . $stats['total_plugins'] . "\n";

Recommendation: No query change applies. Confirm that test-plugin-registry.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server.


2431. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:55 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a test script; there is no database query on this line.

Code:

echo "Active plugins: " . $stats['active_plugins'] . "\n";

Recommendation: No query change applies. Confirm that test-plugin-registry.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server.


2432. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:81 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a test script; there is no database query on this line.

Code:

echo "Testing plugin: " . $test_plugin->plugin_slug . "\n";

Recommendation: No query change applies. Confirm that test-plugin-registry.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server.


2433. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:82 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a test script; there is no database query on this line.

Code:

echo "Registry version: " . $test_plugin->current_version . "\n";

Recommendation: No query change applies. Confirm that test-plugin-registry.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server.


2434. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:86 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a test script; there is no database query on this line.

Code:

echo "Simulated installed version: " . $old_version . "\n";

Recommendation: No query change applies. Confirm that test-plugin-registry.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server.


2435. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/test-plugin-registry.php:92 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a test script; there is no database query on this line.

Code:

echo "  Current: " . $update['current_version'] . "\n";

Recommendation: No query change applies. Confirm that test-plugin-registry.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server.


2443. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/cxq-site-manager-host.class.php:1261 CWE: CWE-89 Confidence: HIGH

Description: $wpdb->posts is the core posts table name that WordPress derives from the configured prefix, not caller input, and DESC takes an identifier; $wpdb->prepare() with %s would quote it as a string literal and break the statement.

Code:

$cols = $wpdb->get_col( "DESC " . $wpdb->posts, 0 );

Recommendation: Treat as a false positive for injection. On WordPress 6.2 or later the identifier placeholder %i can express the same statement in a form the scanner accepts; on older versions leave the line as it is.


2444. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/cxq-site-manager-host.class.php:2213 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into a DDL statement (the scanner captured only the first line of a multi-line query). This is an identifier, which $wpdb->prepare() cannot parameterize with %s; whether it is exploitable depends entirely on where $table_name comes from.

Code:

$wpdb->query("ALTER TABLE `{$table_name}`

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a constant inside the plugin, no injection path exists; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables (or use the %i placeholder on WordPress 6.2+) before it reaches the query.


2445. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/cxq-site-manager-host.class.php:2218 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into an ALTER TABLE statement. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; whether it is exploitable depends entirely on where $table_name comes from.

Code:

$wpdb->query("ALTER TABLE `{$table_name}` CHANGE `log_id` `log_id` BIGINT(20) UNSIGNED NOT NULL AUTO_INCREMENT;");

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a constant inside the plugin, no injection path exists; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables (or use the %i placeholder on WordPress 6.2+) before it reaches the query.


2446. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/cxq-site-manager-host.class.php:2721 CWE: CWE-89 Confidence: HIGH

Description: This line backslash-escapes one character in a search string with str_replace(); it does not build or run a query, so CWE-89 is not the issue on this line. Hand-rolled escaping is what deserves review.

Code:

$needle = str_replace($e,"\\".$e,$needle);

Recommendation: Review where $needle ends up. If it feeds a LIKE clause, use $wpdb->esc_like() and pass the value to $wpdb->prepare() as a %s parameter instead of manual escaping; if it feeds a regular expression, use preg_quote().


2447. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/cxq-site-manager-host.class.php:2722 CWE: CWE-89 Confidence: HIGH

Description: This line backslash-escapes one character in a replacement string with str_replace(); it does not build or run a query, so CWE-89 is not the issue on this line. Hand-rolled escaping is what deserves review.

Code:

$replace = str_replace($e,"\\".$e,$replace);

Recommendation: Review where $replace ends up. If it feeds a LIKE clause, use $wpdb->esc_like() and pass the value to $wpdb->prepare() as a %s parameter instead of manual escaping; if it feeds a regular expression, use preg_quote().


2448. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/cxq-site-manager-host.class.php:2985 CWE: CWE-89 Confidence: HIGH

Description: This line formats an admin notice message; no query is built. The relevant concern is output encoding, since $type, $slug and the WP_Error message are interpolated into text that is rendered later.

Code:

$this->add_notice('error',"Installation of $type `{$slug}` failed (".$installed->get_error_message().')');

Recommendation: Not a CWE-89 issue. If add_notice() renders the message as HTML, escape the interpolated values with esc_html() (or wp_kses() where markup is intended) at the point of output.


2453. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/diag.php:35 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a diagnostic script; there is no database query on this line.

Code:

echo "   ✗ Error: " . $e->getMessage() . "\n";

Recommendation: No query change applies. Confirm that diag.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server. Echoing the exception message also discloses internal error detail if the script is ever reachable over HTTP.


2454. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/diag.php:62 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a diagnostic script; there is no database query on this line.

Code:

echo "   Total updates: " . $data['total_all'] . "\n";

Recommendation: No query change applies. Confirm that diag.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server.


2455. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/diag.php:63 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a diagnostic script; there is no database query on this line.

Code:

echo "   Core: " . $data['totals']['core'] . "\n";

Recommendation: No query change applies. Confirm that diag.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server.


2456. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/diag.php:64 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a diagnostic script; there is no database query on this line.

Code:

echo "   Plugins: " . $data['totals']['plugins'] . "\n";

Recommendation: No query change applies. Confirm that diag.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server.


2457. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/diag.php:65 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a diagnostic script; there is no database query on this line.

Code:

echo "   Themes: " . $data['totals']['themes'] . "\n";

Recommendation: No query change applies. Confirm that diag.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server.


2458. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/diag.php:67 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by echo in a diagnostic script; there is no database query on this line.

Code:

echo "   ✗ Error: " . $e->getMessage() . "\n";

Recommendation: No query change applies. Confirm that diag.php is excluded from the production build of the plugin, or exits unless PHP is running under the CLI SAPI, so that it cannot be invoked through the web server. Echoing the exception message also discloses internal error detail if the script is ever reachable over HTTP.


2465. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: This line builds the canonical string for a request signature (method, URL, timestamp and the SHA-256 of the body, joined by newlines); it is input to an HMAC, not to a database query.

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Not a CWE-89 issue. The checks that matter are in the signing code around this line: reject timestamps outside a short window, compare signatures with hash_equals(), and make sure no field can contain the newline delimiter (or length-prefix the fields) so that two different requests cannot produce the same canonical string.


2466. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: This line builds the canonical string for a request signature (method, URL, timestamp and the SHA-256 of the body, joined by newlines); it is input to an HMAC, not to a database query.

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Not a CWE-89 issue. The checks that matter are in the signing code around this line: reject timestamps outside a short window, compare signatures with hash_equals(), and make sure no field can contain the newline delimiter (or length-prefix the fields) so that two different requests cannot produce the same canonical string.


2469. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: This line builds the canonical string for a request signature (method, URL, timestamp and the SHA-256 of the body, joined by newlines); it is input to an HMAC, not to a database query. This file is a second copy of the same library, vendored under cxq-libs-metapackage/packages/.

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Not a CWE-89 issue. Apply the same review as for the copy under vendor-scoped/cxq-util-handshake-kit (timestamp window, hash_equals(), no delimiter inside fields), and fix both copies together or re-sync the vendored package so they do not drift.


2470. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: This line builds the canonical string for a request signature (method, URL, timestamp and the SHA-256 of the body, joined by newlines); it is input to an HMAC, not to a database query. This file is a second copy of the same library, vendored under cxq-libs-metapackage/packages/.

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Not a CWE-89 issue. Apply the same review as for the copy under vendor-scoped/cxq-util-handshake-kit (timestamp window, hash_equals(), no delimiter inside fields), and fix both copies together or re-sync the vendored package so they do not drift.
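
The four Host.php findings above flag the canonical string of a request signature. The following is an added example, not the handshake kit's own code, showing what a reviewer should actually check around such a line: the string is signed by the client and re-derived and verified by the host. Only the canonical-string layout (upper-cased method, URL, timestamp and SHA-256 of the body, newline-separated) comes from the flagged lines; the header names, the HMAC-SHA256 choice, the 300-second window, the shared secret and the sample request are assumptions constructed for the example.

```php
<?php
// Added example, not code from cxq-util-handshake-kit. Header names, HMAC
// algorithm, window and secret are assumptions; the canonical layout matches
// the flagged lines.

const EXAMPLE_SHARED_SECRET = 'example-shared-secret-not-for-production'; // constructed
const EXAMPLE_MAX_SKEW = 300; // seconds either side of the host clock, assumption

function example_canonical(string $method, string $url, string $timestamp, string $body): string {
    // A field containing the delimiter would let two different requests
    // canonicalize identically, so refuse to sign or verify such a request.
    foreach ([$method, $url, $timestamp] as $field) {
        if (strpbrk($field, "\r\n") !== false) {
            throw new InvalidArgumentException('newline in canonical field');
        }
    }
    return strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);
}

// Client side: produce the headers that accompany the request.
function example_sign(string $method, string $url, string $body, int $now): array {
    $timestamp = (string) $now;
    $canonical = example_canonical($method, $url, $timestamp, $body);
    return [
        'X-Example-Timestamp' => $timestamp,
        'X-Example-Signature' => hash_hmac('sha256', $canonical, EXAMPLE_SHARED_SECRET),
    ];
}

// Host side: recompute and compare. Returns a failure reason, or null when accepted.
function example_verify(string $method, string $url, string $body, array $headers, int $now): ?string {
    $timestamp = $headers['X-Example-Timestamp'] ?? '';
    $signature = $headers['X-Example-Signature'] ?? '';
    if (!ctype_digit($timestamp)) {
        return 'missing or malformed timestamp';
    }
    if (abs($now - (int) $timestamp) > EXAMPLE_MAX_SKEW) {
        return 'timestamp outside the accepted window'; // stale or replayed request
    }
    try {
        $expected = hash_hmac('sha256', example_canonical($method, $url, $timestamp, $body), EXAMPLE_SHARED_SECRET);
    } catch (InvalidArgumentException $e) {
        return 'unverifiable request: ' . $e->getMessage();
    }
    // Constant-time comparison; == or === on the hex strings leaks timing.
    return hash_equals($expected, $signature) ? null : 'signature mismatch';
}

// Constructed exchange between a client site and the host.
$now = 1700000000;
$url = 'https://host.example/api/v1/status';
$body = '{"plugin":"cxq-antispam-host","action":"status"}';
$headers = example_sign('post', $url, $body, $now);

var_dump(example_verify('POST', $url, $body, $headers, $now + 10));          // unmodified request
var_dump(example_verify('POST', $url, $body . ' ', $headers, $now + 10));    // body altered in transit
var_dump(example_verify('POST', $url, $body, $headers, $now + 3600));        // same request replayed an hour later
var_dump(example_verify("POST\nGET", $url, $body, $headers, $now + 10));     // delimiter smuggled into a field
```

Run with php on the command line. The first call is accepted; the tampered, replayed and delimiter-smuggling variants are each rejected with a reason, which is the behaviour to look for when reviewing the real Host.php rather than the string concatenation itself. Logging the reason server-side (not returning it to the caller) keeps the failure modes distinguishable in detection without aiding an attacker.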


2473. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/includes/core/cxq-site-manager-host-cloudflare.php:13 CWE: CWE-798 Confidence: HIGH

Description: A Cloudflare zone API token is present in source in a commented-out assignment. Commenting it out does not mitigate the exposure: the value ships in the plugin file and remains in version-control history.

Code:

//protected $zone_api_token = '-xHZ2Ut7wyszICtT_MMJT9out0uHSltENvyi85Ic';

Recommendation: Treat the token as compromised: revoke it in the Cloudflare dashboard, delete the line, and purge it from repository history if the repository is shared. Moving a leaked value to an environment variable without rotating it leaves it valid.


2474. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/includes/core/cxq-site-manager-host-cloudflare.php:14 CWE: CWE-798 Confidence: HIGH

Description: A Cloudflare API key is assigned to a class property in source, so it ships with every copy of the plugin and is readable by anyone with access to the code or the repository.

Code:

protected $api_key = '3b55771ba3f2a783a2baaa0c11f512b29c7d2';

Recommendation: Rotate the key at Cloudflare first, then load the replacement at runtime from a constant defined in wp-config.php or from the environment, failing closed if it is missing. Never commit the new value.


2475. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/includes/core/cxq-site-manager-host-lightsail.php:83 CWE: CWE-89 Confidence: HIGH

Description: String concatenation flagged by the SQL-injection rule, but the result is written to standard output by print(); there is no database query on this line.

Code:

print($instance['name'] . ": " . $instance['state']['name'] . "\n");

Recommendation: No query change applies. Confirm that this code path is a diagnostic or CLI routine and is not reached during a normal web request.


2477. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-site-manager-host/includes/core/cxq-site-manager-host-lightsail.php:20 CWE: CWE-798 Confidence: HIGH

Description: A secret access key used by the Lightsail client is assigned as a string literal in source, so it ships with every copy of the plugin and is visible in version-control history.

Code:

$secret = 'v5UZpJWwVhFJjO2fe0BaobZw+K4gXIbASKjnOCu1';

Recommendation: Rotate the access key this secret belongs to (for Lightsail, in AWS IAM) and treat the old one as compromised, then load the replacement at runtime from wp-config.php or the environment. Deactivating the old key only after the new one is deployed avoids an outage, but the rotation itself is not optional.
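
The three CWE-798 findings above all recommend moving credentials out of source. The following is an added example, not code from cxq-site-manager-host, of the shape that recommendation points at: the secret is resolved at runtime from a wp-config.php constant or the environment, the code fails closed when it is absent, and the value is never printed or logged. The constant and environment names (CXQ_CLOUDFLARE_API_KEY, CXQ_LIGHTSAIL_SECRET), the client class and its header scheme are assumptions; the plugin's real names are not known from the report.

```php
<?php
// Added example, not the plugin's own code. Names are assumptions.

/**
 * Resolve a secret by name. Order: a constant from wp-config.php (which lives
 * outside the plugin directory and outside version control), then the process
 * environment. Returns the value or throws; there is deliberately no default.
 */
function example_secret(string $name): string {
    if (defined($name)) {
        $value = (string) constant($name);
    } else {
        $value = (string) (getenv($name) ?: '');
    }
    if ($value === '') {
        // Fail closed: a missing credential must not silently become an empty
        // token, an unauthenticated call, or a hard-coded fallback.
        throw new RuntimeException("credential {$name} is not configured");
    }
    return $value;
}

/** Safe representation for logs and admin screens: length and a short digest, never the value. */
function example_describe_secret(string $value): string {
    return sprintf('[secret, %d chars, sha256 %s...]', strlen($value), substr(hash('sha256', $value), 0, 8));
}

/** Stand-in for the plugin's Cloudflare client: the key is injected, not embedded. */
class ExampleCloudflareClient {
    private string $apiKey;
    public function __construct(string $apiKey) { $this->apiKey = $apiKey; }
    // Header scheme is an assumption for the example.
    public function authHeaders(): array { return ['Authorization' => 'Bearer ' . $this->apiKey]; }
}

// Constructed run: the value comes from the environment, as a deployment would set it.
putenv('CXQ_CLOUDFLARE_API_KEY=example-value-set-by-deployment');
$client = new ExampleCloudflareClient(example_secret('CXQ_CLOUDFLARE_API_KEY'));
echo 'cloudflare key loaded: ', example_describe_secret(example_secret('CXQ_CLOUDFLARE_API_KEY')), "\n";

// A credential that nobody configured: the error names the missing setting, not a value.
try {
    example_secret('CXQ_LIGHTSAIL_SECRET');
} catch (RuntimeException $e) {
    echo 'startup refused: ', $e->getMessage(), "\n";
}
```

In a WordPress deployment the constants would be defined in wp-config.php (or injected as environment variables by the hosting platform); the plugin reads them through a helper like example_secret() and nothing under wp-content/plugins/ ever contains a value. Rotation still has to happen first for the keys already in the report, since this change only prevents the next leak.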


2478. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-documents/includes/core/cxq-docmgr-document.php:331 CWE: CWE-89 Confidence: HIGH

Description: A MIME type and a base64 payload are concatenated into a data:// stream URI for exif_read_data(). No SQL is involved; the relevant concerns are that $mime_type changes how the stream wrapper parses the URI and that the EXIF parser runs over attacker-supplied bytes.

Code:

$exif[] = exif_read_data("data://{$mime_type};base64," . $file,$sections );

Recommendation: Not a CWE-89 issue. Validate $mime_type against an allowlist of image types before building the URI, only hand exif_read_data() content already verified as an image upload (for example via wp_check_filetype_and_ext()), and handle parser failures without exposing error detail.


2480. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-api-rules.php:1027 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into TRUNCATE TABLE. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; whether it is exploitable depends on where $table_name comes from.

Code:

$wpdb->query( "TRUNCATE TABLE {$table_name}" );

Recommendation: Trace $table_name; if it is $wpdb->prefix plus a constant, no injection path exists (on WordPress 6.2+ the %i placeholder can express the identifier safely). Because the statement is destructive, also confirm that the caller is gated by a capability check and nonce, or runs only from an admin or CLI context.


2481. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:168 CWE: CWE-89 Confidence: HIGH

Description: The table name held in $this->table_name is interpolated into a schema-migration ALTER TABLE statement. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$wpdb->query( "ALTER TABLE {$this->table_name} ADD COLUMN sm_client_id BIGINT UNSIGNED DEFAULT NULL" );

Recommendation: Confirm $this->table_name is assigned once, from $wpdb->prefix and a plugin constant, and never from request data; if so, accept as a false positive. Otherwise validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2482. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:169 CWE: CWE-89 Confidence: HIGH

Description: The table name held in $this->table_name is interpolated into a schema-migration ALTER TABLE statement. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$wpdb->query( "ALTER TABLE {$this->table_name} ADD KEY sm_client_id (sm_client_id)" );

Recommendation: Confirm $this->table_name is assigned once, from $wpdb->prefix and a plugin constant, and never from request data; if so, accept as a false positive. Otherwise validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2483. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:473 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into a schema-migration ALTER TABLE statement. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$wpdb->query( "ALTER TABLE {$table_name} ADD COLUMN source_category VARCHAR(30) NOT NULL DEFAULT 'auto_uncertain' AFTER confidence_level" );

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a plugin constant, accept as a false positive; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2484. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:478 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into a schema-migration ALTER TABLE statement. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$wpdb->query( "ALTER TABLE {$table_name} ADD COLUMN original_client_verdict VARCHAR(20) DEFAULT NULL AFTER source_category" );

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a plugin constant, accept as a false positive; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2485. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:483 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into a schema-migration ALTER TABLE statement. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$wpdb->query( "ALTER TABLE {$table_name} ADD COLUMN priority INT NOT NULL DEFAULT 50 AFTER original_client_verdict" );

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a plugin constant, accept as a false positive; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2486. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:484 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into a schema-migration ALTER TABLE statement. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$wpdb->query( "ALTER TABLE {$table_name} ADD KEY idx_priority (priority)" );

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a plugin constant, accept as a false positive; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2487. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:489 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into a schema-migration ALTER TABLE statement. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$wpdb->query( "ALTER TABLE {$table_name} ADD COLUMN client_submission_log_id BIGINT DEFAULT NULL AFTER priority" );

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a plugin constant, accept as a false positive; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2488. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:494 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into a schema-migration ALTER TABLE statement. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$wpdb->query( "ALTER TABLE {$table_name} ADD COLUMN deferred_response_needed BOOLEAN DEFAULT FALSE AFTER client_submission_log_id" );

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a plugin constant, accept as a false positive; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2489. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:499 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into a schema-migration ALTER TABLE statement. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$wpdb->query( "ALTER TABLE {$table_name} ADD COLUMN deferred_deadline DATETIME DEFAULT NULL AFTER deferred_response_needed" );

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a plugin constant, accept as a false positive; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2490. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:500 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into a schema-migration ALTER TABLE statement. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$wpdb->query( "ALTER TABLE {$table_name} ADD KEY idx_deferred_deadline (deferred_deadline)" );

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a plugin constant, accept as a false positive; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2491. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:505 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into a schema-migration ALTER TABLE statement. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$wpdb->query( "ALTER TABLE {$table_name} ADD COLUMN verdict_pushed_to_client BOOLEAN DEFAULT FALSE AFTER client_notified" );

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a plugin constant, accept as a false positive; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2492. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:510 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into a schema-migration ALTER TABLE statement. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$wpdb->query( "ALTER TABLE {$table_name} ADD COLUMN verdict_push_attempts INT DEFAULT 0 AFTER verdict_pushed_to_client" );

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a plugin constant, accept as a false positive; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2493. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:515 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into a schema-migration ALTER TABLE statement. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$wpdb->query( "ALTER TABLE {$table_name} ADD COLUMN verdict_pushed_at DATETIME DEFAULT NULL AFTER verdict_push_attempts" );

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a plugin constant, accept as a false positive; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2494. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:525 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into a schema-migration ALTER TABLE statement. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$wpdb->query( "ALTER TABLE {$table_name} ADD KEY idx_source_category (source_category)" );

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a plugin constant, accept as a false positive; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2495. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:466 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into a SHOW COLUMNS schema-inspection query. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$columns = $wpdb->get_results( "SHOW COLUMNS FROM {$table_name}" );

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a plugin constant, accept as a false positive; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2496. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-client-manager.php:519 CWE: CWE-89 Confidence: HIGH

Description: A table name is interpolated into a SHOW INDEX schema-inspection query. This is an identifier, which $wpdb->prepare() cannot parameterize with %s; the recommendation as originally stated would break the statement.

Code:

$indexes = $wpdb->get_results( "SHOW INDEX FROM {$table_name}" );

Recommendation: Trace $table_name to its origin. If it is built from $wpdb->prefix and a plugin constant, accept as a false positive; if it can be influenced by a request, validate it against an allowlist of the plugin's own tables before it reaches the query (or use %i on WordPress 6.2+).


2497. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-health-monitor.php:158 CWE: CWE-89 Confidence: HIGH

Description: $wpdb->prefix is the configured table prefix, set by WordPress at load time, and the rest of the statement is a literal; this is the standard way plugin tables are named and contains no caller input.

Code:

$wpdb->get_results( "SELECT COUNT(*) FROM {$wpdb->prefix}cxq_antispam_clients" );

Recommendation: Treat as a false positive. Do not wrap a query that has no placeholders in $wpdb->prepare(); current WordPress versions emit a _doing_it_wrong() notice when prepare() is called without placeholder arguments.


2498. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-captcha-manager.php:182 CWE: CWE-89 Confidence: HIGH

Description: $this->config_table is interpolated as an identifier into a SELECT, which $wpdb->prepare() cannot parameterize with %s. Exploitability depends on how the property is set, not on this line.

Code:

$results = $wpdb->get_results( "SELECT * FROM {$this->config_table}", ARRAY_A );

Recommendation: Confirm $this->config_table is assigned once, from $wpdb->prefix and a constant, and never from request data; if so, accept as a false positive (or use %i on WordPress 6.2+).


2499. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-api.php:1397 CWE: CWE-89 Confidence: HIGH

Description: This line appends a client-supplied feedback field to a notification message; no query is built here. The value is untrusted content from a client site, so the concern is how $message is emitted, not CWE-89.

Code:

$message .= "Content: " . $feedback_data['content'] . "\n";

Recommendation: Not a query change. Apply escaping where $message leaves the system: esc_html() if it is rendered as HTML, plain text if it is an email body sent through wp_mail(), and keep client-controlled values out of email headers.


2500. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-api.php:1399 CWE: CWE-89 Confidence: HIGH

Description: This line appends a client-supplied feedback field to a notification message; no query is built here. The value is untrusted content from a client site, so the concern is how $message is emitted, not CWE-89.

Code:

$message .= "Original Verdict: " . $feedback_data['original_verdict'] . "\n";

Recommendation: Not a query change. Apply escaping where $message leaves the system: esc_html() if it is rendered as HTML, plain text if it is an email body sent through wp_mail(), and keep client-controlled values out of email headers.


2501. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-api.php:1400 CWE: CWE-89 Confidence: HIGH

Description: This line appends a client-supplied feedback field to a notification message; no query is built here. The value is untrusted content from a client site, so the concern is how $message is emitted, not CWE-89.

Code:

$message .= "Original Score: " . $feedback_data['original_score'] . "\n";

Recommendation: Not a query change. Apply escaping where $message leaves the system: esc_html() if it is rendered as HTML, plain text if it is an email body sent through wp_mail(), and keep client-controlled values out of email headers.


2502. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-api.php:1401 CWE: CWE-89 Confidence: HIGH

Description: This line appends a client-supplied feedback field to a notification message; no query is built here. The value is untrusted content from a client site, so the concern is how $message is emitted, not CWE-89.

Code:

$message .= "Timestamp: " . $feedback_data['timestamp'] . "\n";

Recommendation: Not a query change. Apply escaping where $message leaves the system: esc_html() if it is rendered as HTML, plain text if it is an email body sent through wp_mail(), and keep client-controlled values out of email headers.


2503. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-api.php:1397 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "Content: " . $feedback_data['content'] . "\n";

Recommendation: Duplicate of finding 2499 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2504. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-api.php:1399 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "Original Verdict: " . $feedback_data['original_verdict'] . "\n";

Recommendation: Duplicate of finding 2500 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2505. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-api.php:1400 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "Original Score: " . $feedback_data['original_score'] . "\n";

Recommendation: Duplicate of finding 2501 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2506. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-api.php:1401 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "Timestamp: " . $feedback_data['timestamp'] . "\n";

Recommendation: Duplicate of finding 2502 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2507. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/includes/class-cxq-antispam-host-cli.php:185 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "TRUNCATE TABLE {$table_name}" );

Recommendation: TRUNCATE TABLE carries no value placeholders, so $wpdb->prepare() with %s cannot help here; restrict $table_name to a fixed allowlist of the plugin's own tables (or bind it with the %i identifier placeholder on WordPress 6.2+) before interpolating. Because this is a WP-CLI path that destroys data irreversibly, the allowlist check matters even where the only caller is an operator at the command line.


2508. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/admin/class-cxq-antispam-host-admin.php:723 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$rules = $wpdb->get_results( "SELECT * FROM {$rules_table} ORDER BY priority DESC, rule_name ASC" );

Recommendation: Only $rules_table is interpolated; the ORDER BY columns are literals. Bind the table name with the %i identifier placeholder (WordPress 6.2+) or check it against an allowlist; do not use %s, which would quote the name as a string and break the query.


2509. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam-host/admin/class-cxq-antispam-host-admin.php:1084 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$clients = $wpdb->get_results( "SELECT id, client_name FROM {$clients_table} WHERE status = 'approved' ORDER BY client_name" );

Recommendation: Only $clients_table is interpolated; 'approved' is a literal. Bind the table name with the %i identifier placeholder (WordPress 6.2+) or check it against an allowlist, and if the status ever becomes a variable carry it with %s.

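The four $wpdb findings above (2498, 2507, 2508 and 2509) all interpolate a table name, which the scanner's stock advice cannot fix on its own: the %s, %d and %f placeholders of $wpdb->prepare() quote values, so a table name passed through %s comes out as a quoted string and the query fails. The hardened form below is an added example written for this report, not code from the cxq-antispam-host plugin. It restricts the table name to an allowlist of the plugin's own tables (the suffixes used are assumed, since the report does not show the real ones), uses the %i identifier placeholder that WordPress 6.2 added to wpdb::prepare(), and falls back to backtick-quoting the already-allowlisted name on older cores. It assumes it runs inside WordPress with the $wpdb and $wp_version globals available.

```php
<?php
/**
 * Added example for this report (not code from the cxq-antispam-host plugin):
 * running the dynamic-table-name queries from findings 2498, 2507, 2508 and
 * 2509 without interpolating an unconstrained identifier into SQL.
 *
 * Assumes it runs inside WordPress, where $wpdb and $wp_version are globals.
 */
global $wpdb;

// Assumed suffixes for the plugin's own tables; the real names are not in the report.
const CXQ_TABLE_SUFFIXES = array( 'cxq_config', 'cxq_rules', 'cxq_clients' );

/**
 * Return the prefixed table name for one of the plugin's tables, or throw.
 * Anything not on the allowlist never reaches a query string.
 */
function cxq_table( wpdb $wpdb, string $suffix ): string {
    if ( ! in_array( $suffix, CXQ_TABLE_SUFFIXES, true ) ) {
        throw new InvalidArgumentException( 'Unknown plugin table: ' . $suffix );
    }
    return $wpdb->prefix . $suffix;
}

/**
 * WordPress 6.2 added the %i identifier placeholder to wpdb::prepare();
 * older cores do not recognise it, so detect support before relying on it.
 */
function cxq_has_identifier_placeholder(): bool {
    global $wp_version;
    return version_compare( $wp_version, '6.2', '>=' );
}

/**
 * Prepare a query whose table name is given by a single %i in $template.
 * $values are bound to the ordinary %s/%d/%f placeholders that follow it.
 */
function cxq_prepare_table_query( wpdb $wpdb, string $template, string $table, array $values = array() ): string {
    if ( cxq_has_identifier_placeholder() ) {
        // %i backtick-quotes and escapes the identifier; values are quoted as usual.
        return $wpdb->prepare( $template, array_merge( array( $table ), $values ) );
    }
    // Pre-6.2 fallback: $table has already passed cxq_table()'s allowlist, so
    // backtick-quote it ourselves (doubling any embedded backtick) and let
    // prepare() handle only the value placeholders.
    $quoted = '`' . str_replace( '`', '``', $table ) . '`';
    $sql    = str_replace( '%i', $quoted, $template );
    return $values ? $wpdb->prepare( $sql, $values ) : $sql;
}

// Findings 2498 / 2508: read a whole plugin table.
$config_table = cxq_table( $wpdb, 'cxq_config' );
$results      = $wpdb->get_results(
    cxq_prepare_table_query( $wpdb, 'SELECT * FROM %i', $config_table ),
    ARRAY_A
);

// Finding 2509: identifier plus a value; the status literal becomes a bound %s.
$clients_table = cxq_table( $wpdb, 'cxq_clients' );
$clients       = $wpdb->get_results(
    cxq_prepare_table_query(
        $wpdb,
        'SELECT id, client_name FROM %i WHERE status = %s ORDER BY client_name',
        $clients_table,
        array( 'approved' )
    )
);

// Finding 2507: TRUNCATE has no value placeholders, only the identifier,
// so the allowlist is the entire defence here.
$wpdb->query( cxq_prepare_table_query( $wpdb, 'TRUNCATE TABLE %i', cxq_table( $wpdb, 'cxq_rules' ) ) );
```

Whether these four findings deserve CRITICAL depends on where $this->config_table, $table_name, $rules_table and $clients_table originate; if each is $wpdb->prefix plus a constant, the exposure is nil and the allowlist merely makes that guarantee explicit. Every other finding in this section is an echo, error_log() or string-building statement, none of which is a SQL sink.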

2510. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1950.php:23 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Status: " . $post->post_status . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2511. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1950.php:24 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Type: " . $post->post_type . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2512. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1950.php:25 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Title: " . $post->post_title . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2513. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1950.php:26 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Date: " . $post->post_date . "\n\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2514. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1950.php:65 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Shift Title: " . $shift_post->post_title . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2515. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1950.php:66 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Shift Status: " . $shift_post->post_status . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2516. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1950.php:23 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Status: " . $post->post_status . "\n";

Recommendation: Duplicate of finding 2510 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2517. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1950.php:24 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Type: " . $post->post_type . "\n";

Recommendation: Duplicate of finding 2511 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2518. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1950.php:25 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Title: " . $post->post_title . "\n";

Recommendation: Duplicate of finding 2512 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2519. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1950.php:26 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Date: " . $post->post_date . "\n\n";

Recommendation: Duplicate of finding 2513 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2520. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1950.php:65 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Shift Title: " . $shift_post->post_title . "\n";

Recommendation: Duplicate of finding 2514 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2521. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1950.php:66 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Shift Status: " . $shift_post->post_status . "\n";

Recommendation: Duplicate of finding 2515 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2522. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1948.php:20 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Status: " . $post->post_status . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2523. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1948.php:21 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Type: " . $post->post_type . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2524. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1948.php:22 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Title: " . $post->post_title . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2525. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1948.php:23 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Date: " . $post->post_date . "\n\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2526. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1948.php:63 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Shift Title: " . $shift_post->post_title . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2527. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1948.php:64 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Shift Status: " . $shift_post->post_status . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2528. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1948.php:20 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Status: " . $post->post_status . "\n";

Recommendation: Duplicate of finding 2522 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2529. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1948.php:21 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Type: " . $post->post_type . "\n";

Recommendation: Duplicate of finding 2523 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2530. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1948.php:22 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Title: " . $post->post_title . "\n";

Recommendation: Duplicate of finding 2524 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2531. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1948.php:23 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Date: " . $post->post_date . "\n\n";

Recommendation: Duplicate of finding 2525 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2532. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1948.php:63 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Shift Title: " . $shift_post->post_title . "\n";

Recommendation: Duplicate of finding 2526 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2533. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_diagnostic_1948.php:64 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Shift Status: " . $shift_post->post_status . "\n";

Recommendation: Duplicate of finding 2527 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2534. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_find_schedules_oct14.php:30 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Found " . $query->found_posts . " schedules for October 14, 2025\n\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2535. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_find_schedules_oct14.php:30 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Found " . $query->found_posts . " schedules for October 14, 2025\n\n";

Recommendation: Duplicate of finding 2534 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2536. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_fix_staff_titles.php:70 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "ERROR: Post ID $post_id - " . $result->get_error_message() . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2537. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_fix_staff_titles.php:70 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "ERROR: Post ID $post_id - " . $result->get_error_message() . "\n";

Recommendation: Duplicate of finding 2536 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2538. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_check_staff.php:22 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Total staff found: " . $query->found_posts . "\n\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2539. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_check_staff.php:49 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Label: " . $post_type_object->label . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2540. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_check_staff.php:53 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Capability type: " . $post_type_object->capability_type . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2541. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_check_staff.php:22 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Total staff found: " . $query->found_posts . "\n\n";

Recommendation: Duplicate of finding 2538 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2542. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_check_staff.php:49 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Label: " . $post_type_object->label . "\n";

Recommendation: Duplicate of finding 2539 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2543. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_check_staff.php:53 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Capability type: " . $post_type_object->capability_type . "\n";

Recommendation: Duplicate of finding 2540 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2544. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_list_recent_schedules.php:22 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Found " . $query->found_posts . " schedules\n\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2545. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_list_recent_schedules.php:22 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Found " . $query->found_posts . " schedules\n\n";

Recommendation: Duplicate of finding 2544 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2546. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_test_member_sync.php:38 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Message: " . $result['message'] . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2547. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_test_member_sync.php:42 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "- Synced: " . $result['synced'] . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2548. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_test_member_sync.php:43 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "- Created: " . $result['created'] . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2549. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_test_member_sync.php:44 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "- Updated: " . $result['updated'] . "\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2550. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_test_member_sync.php:38 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Message: " . $result['message'] . "\n";

Recommendation: Duplicate of finding 2546 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2551. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_test_member_sync.php:42 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "- Synced: " . $result['synced'] . "\n";

Recommendation: Duplicate of finding 2547 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2552. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_test_member_sync.php:43 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "- Created: " . $result['created'] . "\n";

Recommendation: Duplicate of finding 2548 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2553. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_test_member_sync.php:44 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "- Updated: " . $result['updated'] . "\n";

Recommendation: Duplicate of finding 2549 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2554. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_check_staff_detail.php:21 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Title: '" . $post->post_title . "'\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2555. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_check_staff_detail.php:22 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Name (slug): '" . $post->post_name . "'\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2556. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_check_staff_detail.php:24 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Status: " . $post->post_status . "\n\n";

Recommendation: CWE-89 false positive. The concatenation feeds echo, not a query, so $wpdb->prepare() does not apply. The actionable issue is the file itself: a temp_ diagnostic script left in a web-served plugin directory should be confirmed unreachable and removed from the deployment.


2557. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_check_staff_detail.php:21 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Title: '" . $post->post_title . "'\n";

Recommendation: Duplicate of finding 2554 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2558. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_check_staff_detail.php:22 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Name (slug): '" . $post->post_name . "'\n";

Recommendation: Duplicate of finding 2555 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2559. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/temp_check_staff_detail.php:24 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Post Status: " . $post->post_status . "\n\n";

Recommendation: Duplicate of finding 2556 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2560. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/class-cxq-schedule-sync.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync: Failed to convert UTC time '{$utc_time}' to local: " . $e->getMessage());

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2561. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/class-cxq-schedule-sync.php:318 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync ERROR: " . $error_msg);

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2562. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/class-cxq-schedule-sync.php:621 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync ERROR: Failed to update schedule: " . $result->get_error_message());

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2563. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/class-cxq-schedule-sync.php:653 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync ERROR: Failed to create schedule: " . $post_id->get_error_message());

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2564. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/class-cxq-schedule-sync.php:721 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync: Failed to create staff: " . $staff_post_id->get_error_message());

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2565. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/class-cxq-schedule-sync.php:939 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync: Failed to create staff: " . $staff_post_id->get_error_message());

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2566. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/class-cxq-schedule-sync.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync: Failed to convert UTC time '{$utc_time}' to local: " . $e->getMessage());

Recommendation: Duplicate of finding 2560 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2567. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/class-cxq-schedule-sync.php:318 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync ERROR: " . $error_msg);

Recommendation: Duplicate of finding 2561 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2568. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/class-cxq-schedule-sync.php:621 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync ERROR: Failed to update schedule: " . $result->get_error_message());

Recommendation: Duplicate of finding 2562 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2569. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/class-cxq-schedule-sync.php:653 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync ERROR: Failed to create schedule: " . $post_id->get_error_message());

Recommendation: Duplicate of finding 2563 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2570. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/class-cxq-schedule-sync.php:721 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync: Failed to create staff: " . $staff_post_id->get_error_message());

Recommendation: Duplicate of finding 2564 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2571. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/class-cxq-schedule-sync.php:939 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync: Failed to create staff: " . $staff_post_id->get_error_message());

Recommendation: Duplicate of finding 2565 (same file and line, reported twice by the scanner); triage once and do not count it separately.


2572. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:56 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Pairing: About to call filterOutStaffedPlaceholders with " . $total_count . " events");

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2573. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:59 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Pairing: filterOutStaffedPlaceholders returned " . $displayed_count . " events");

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2574. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:627 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("    Part[$idx]: " . $part_start->format('Y-m-d H:i') . " to " . $part_end->format('Y-m-d H:i'));

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2575. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:646 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("    Part[$idx]: " . $part_start->format('Y-m-d H:i') . " to " . $part_end->format('Y-m-d H:i'));

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2576. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:683 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Schedule $schedule_id: " . $sched_start->format('Y-m-d H:i') . " to " . $sched_end->format('Y-m-d H:i'));

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2577. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:688 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Part $idx: UID=$part_uid, Time=" . $part_start->format('Y-m-d H:i') . " to " . $part_end->format('Y-m-d H:i'));

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2578. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:705 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Part $idx: UID=$part_uid, Time=" . $part_start->format('Y-m-d H:i') . " to " . $part_end->format('Y-m-d H:i'));

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2579. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:724 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("    Part[$idx]: " . $part_start->format('Y-m-d H:i') . " to " . $part_end->format('Y-m-d H:i'));

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2580. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:737 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Pairing: Adding to unstaffedSlots - UID: $part_uid, Time: " . $start->format('H:i') . "-" . $end->format('H:i'));

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2581. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:936 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Part[$idx]: " . $part_start->format('Y-m-d H:i') . " to " . $part_end->format('Y-m-d H:i'));

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2582. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:996 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Pairing: In combinedSchedule - UID: $evt_uid, Time: " . $start->format('H:i') . "-" . $end->format('H:i'));

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2583. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1100 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Placeholder time: " . $p_start->format('Y-m-d H:i') . " to " . $p_end->format('Y-m-d H:i'));

Recommendation: CWE-89 false positive. The concatenation feeds error_log(), not a query, so $wpdb->prepare() does not apply. Gate this debug logging behind WP_DEBUG or a plugin debug flag so internal scheduling details are not written to the error log in production.


2584. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1102 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Scheduled time: " . $s_start->format('Y-m-d H:i') . " to " . $s_end->format('Y-m-d H:i'));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2585. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1123 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Created BEFORE portion: " . $p_start->format('Y-m-d H:i') . " to " . $s_start->format('Y-m-d H:i') . " (UID: " . $newEvent->getUID() . ")");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2586. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1137 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Created AFTER portion: " . $s_end->format('Y-m-d H:i') . " to " . $p_end->format('Y-m-d H:i') . " (UID: " . $newEvent->getUID() . ")");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2587. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1982 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Existing schedule_id: " . $converted_positions[$position_key]['schedule_id']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2588. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1983 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Existing time: " . $converted_positions[$position_key]['time']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2589. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1992 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Start DateTime: " . $start_date->format('Y-m-d H:i:s'));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2590. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1993 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  End DateTime: " . $end_date->format('Y-m-d H:i:s'));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2591. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:2006 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Start DateTime: " . $start_date->format('Y-m-d H:i:s'));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2592. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:2007 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  End DateTime: " . $end_date->format('Y-m-d H:i:s'));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2593. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:2019 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Start DateTime: " . $start_date->format('Y-m-d H:i:s'));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2594. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:2020 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  End DateTime: " . $end_date->format('Y-m-d H:i:s'));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2595. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:2533 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$converted_data[$assignment['date_key']][$assignment['shift_name']][$assignment['pos_index']]['validation_message'] . "\n" . $overload_message :

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2596. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:2592 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Validation: Credential issue detected - Staff ID $staff_id, Position $position_key: " . $validation['message']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2597. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:3922 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Calendar: First schedule ID: " . $posts[0]->ID);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2598. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:56 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Pairing: About to call filterOutStaffedPlaceholders with " . $total_count . " events");

Recommendation: Use $wpdb->prepare() with placeholders


2599. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:59 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Pairing: filterOutStaffedPlaceholders returned " . $displayed_count . " events");

Recommendation: Use $wpdb->prepare() with placeholders


2600. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:627 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("    Part[$idx]: " . $part_start->format('Y-m-d H:i') . " to " . $part_end->format('Y-m-d H:i'));

Recommendation: Use $wpdb->prepare() with placeholders


2601. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:646 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("    Part[$idx]: " . $part_start->format('Y-m-d H:i') . " to " . $part_end->format('Y-m-d H:i'));

Recommendation: Use $wpdb->prepare() with placeholders


2602. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:683 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Schedule $schedule_id: " . $sched_start->format('Y-m-d H:i') . " to " . $sched_end->format('Y-m-d H:i'));

Recommendation: Use $wpdb->prepare() with placeholders


2603. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:688 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Part $idx: UID=$part_uid, Time=" . $part_start->format('Y-m-d H:i') . " to " . $part_end->format('Y-m-d H:i'));

Recommendation: Use $wpdb->prepare() with placeholders


2604. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:705 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Part $idx: UID=$part_uid, Time=" . $part_start->format('Y-m-d H:i') . " to " . $part_end->format('Y-m-d H:i'));

Recommendation: Use $wpdb->prepare() with placeholders


2605. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:724 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("    Part[$idx]: " . $part_start->format('Y-m-d H:i') . " to " . $part_end->format('Y-m-d H:i'));

Recommendation: Use $wpdb->prepare() with placeholders


2606. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:737 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Pairing: Adding to unstaffedSlots - UID: $part_uid, Time: " . $start->format('H:i') . "-" . $end->format('H:i'));

Recommendation: Use $wpdb->prepare() with placeholders


2607. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:936 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Part[$idx]: " . $part_start->format('Y-m-d H:i') . " to " . $part_end->format('Y-m-d H:i'));

Recommendation: Use $wpdb->prepare() with placeholders


2608. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:996 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Pairing: In combinedSchedule - UID: $evt_uid, Time: " . $start->format('H:i') . "-" . $end->format('H:i'));

Recommendation: Use $wpdb->prepare() with placeholders


2609. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1100 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Placeholder time: " . $p_start->format('Y-m-d H:i') . " to " . $p_end->format('Y-m-d H:i'));

Recommendation: Use $wpdb->prepare() with placeholders


2610. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1102 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Scheduled time: " . $s_start->format('Y-m-d H:i') . " to " . $s_end->format('Y-m-d H:i'));

Recommendation: Use $wpdb->prepare() with placeholders


2611. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1123 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Created BEFORE portion: " . $p_start->format('Y-m-d H:i') . " to " . $s_start->format('Y-m-d H:i') . " (UID: " . $newEvent->getUID() . ")");

Recommendation: Use $wpdb->prepare() with placeholders


2612. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1137 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Created AFTER portion: " . $s_end->format('Y-m-d H:i') . " to " . $p_end->format('Y-m-d H:i') . " (UID: " . $newEvent->getUID() . ")");

Recommendation: Use $wpdb->prepare() with placeholders


2613. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1982 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Existing schedule_id: " . $converted_positions[$position_key]['schedule_id']);

Recommendation: Use $wpdb->prepare() with placeholders


2614. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1983 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Existing time: " . $converted_positions[$position_key]['time']);

Recommendation: Use $wpdb->prepare() with placeholders


2615. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1992 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Start DateTime: " . $start_date->format('Y-m-d H:i:s'));

Recommendation: Use $wpdb->prepare() with placeholders


2616. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:1993 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  End DateTime: " . $end_date->format('Y-m-d H:i:s'));

Recommendation: Use $wpdb->prepare() with placeholders


2617. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:2006 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Start DateTime: " . $start_date->format('Y-m-d H:i:s'));

Recommendation: Use $wpdb->prepare() with placeholders


2618. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:2007 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  End DateTime: " . $end_date->format('Y-m-d H:i:s'));

Recommendation: Use $wpdb->prepare() with placeholders


2619. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:2019 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  Start DateTime: " . $start_date->format('Y-m-d H:i:s'));

Recommendation: Use $wpdb->prepare() with placeholders


2620. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:2020 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("  End DateTime: " . $end_date->format('Y-m-d H:i:s'));

Recommendation: Use $wpdb->prepare() with placeholders


2621. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:2533 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$converted_data[$assignment['date_key']][$assignment['shift_name']][$assignment['pos_index']]['validation_message'] . "\n" . $overload_message :

Recommendation: Use $wpdb->prepare() with placeholders


2622. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:2592 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Validation: Credential issue detected - Staff ID $staff_id, Position $position_key: " . $validation['message']);

Recommendation: Use $wpdb->prepare() with placeholders


2623. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/scheduler.class.php:3922 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Calendar: First schedule ID: " . $posts[0]->ID);

Recommendation: Use $wpdb->prepare() with placeholders


2624. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2625. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2626. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2627. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2628. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2629. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2630. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2631. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:208 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2632. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2633. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2634. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:292 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2635. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2636. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:313 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2637. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:387 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2638. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders


2639. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders


2640. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


2641. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders


2642. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


2643. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders


2644. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders


2645. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:208 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2646. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:242 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2647. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2648. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:292 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders


2649. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders


2650. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:313 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders


2651. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/dBug.class.php:387 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders


2652. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/iCal.class.php:846 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$str = "{$this->ordinal($this->bysetpos)} {$weekday} of ".$dt->format('Y-m');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2653. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/iCal.class.php:978 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$eventStartDT = new DateTime("{$this->ordinal($bysetpos)} {$weekday} of ".$eventStartDT->format('Y-m'));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2654. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/iCal.class.php:981 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//new dBug2(array("{$this->ordinal($bysetpos)} {$weekday} of ".$eventStartDT->format('Y-m')));

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2655. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/iCal.class.php:846 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$str = "{$this->ordinal($this->bysetpos)} {$weekday} of ".$dt->format('Y-m');

Recommendation: Use $wpdb->prepare() with placeholders


2656. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/iCal.class.php:978 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$eventStartDT = new DateTime("{$this->ordinal($bysetpos)} {$weekday} of ".$eventStartDT->format('Y-m'));

Recommendation: Use $wpdb->prepare() with placeholders


2657. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/iCal.class.php:981 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//new dBug2(array("{$this->ordinal($bysetpos)} {$weekday} of ".$eventStartDT->format('Y-m')));

Recommendation: Use $wpdb->prepare() with placeholders


2658. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/tests/get-test-info.php:12 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Username: " . $u->user_login . ", Email: " . $u->user_email . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2659. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/tests/get-test-info.php:39 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "- " . $ct->post_title . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2660. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/tests/get-test-info.php:12 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Username: " . $u->user_login . ", Email: " . $u->user_email . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


2661. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/tests/get-test-info.php:39 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "- " . $ct->post_title . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


2662. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/_debug-archive/diagnose-splits.php:171 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<p>Found " . $schedule_query->found_posts . " schedule(s) for Brandon in November 2025</p>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2663. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/_debug-archive/diagnose-splits.php:171 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<p>Found " . $schedule_query->found_posts . " schedule(s) for Brandon in November 2025</p>";

Recommendation: Use $wpdb->prepare() with placeholders


2664. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2665. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2666. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


2667. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


2668. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2669. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2670. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


2671. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


2672. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync: Failed to convert UTC time '{$utc_time}' to local: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2673. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:319 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync ERROR: " . $error_msg);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2674. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:693 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync ERROR: Failed to update schedule: " . $result->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2675. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:725 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync ERROR: Failed to create schedule: " . $post_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2676. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:795 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync: Failed to fetch member details for {$member_id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2677. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:807 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync: Failed to create staff: " . $staff_post_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2678. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:1076 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync: Failed to create staff: " . $staff_post_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2679. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:1420 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Staff Sync: Exception syncing member {$member_id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2680. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:1476 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Staff Sync: API error fetching member {$member_id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2681. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:1507 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Staff Sync: Failed to create staff: " . $staff_post_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2682. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync: Failed to convert UTC time '{$utc_time}' to local: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


2683. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:319 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync ERROR: " . $error_msg);

Recommendation: Use $wpdb->prepare() with placeholders


2684. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:693 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync ERROR: Failed to update schedule: " . $result->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders


2685. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:725 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync ERROR: Failed to create schedule: " . $post_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders


2686. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:795 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync: Failed to fetch member details for {$member_id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


2687. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:807 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync: Failed to create staff: " . $staff_post_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders


2688. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:1076 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Schedule Sync: Failed to create staff: " . $staff_post_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders


2689. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:1420 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Staff Sync: Exception syncing member {$member_id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


2690. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:1476 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Staff Sync: API error fetching member {$member_id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


2691. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-schedule-sync.php:1507 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Staff Sync: Failed to create staff: " . $staff_post_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders


2692. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-outbound-schedule-sync.php:307 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Outbound Sync: Exception syncing schedule {$post_id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2693. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-outbound-schedule-sync.php:418 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Outbound Sync: Exception transferring schedule {$post_id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2694. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-outbound-schedule-sync.php:452 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Outbound Sync: Exception updating schedule {$post_id} after metadata change: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2695. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-outbound-schedule-sync.php:552 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Outbound Sync: Exception deleting shift {$iar_schedule_id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2696. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-outbound-schedule-sync.php:651 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Outbound Sync: Exception transferring shift {$iar_schedule_id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2697. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-outbound-schedule-sync.php:307 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Outbound Sync: Exception syncing schedule {$post_id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


2698. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-outbound-schedule-sync.php:418 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Outbound Sync: Exception transferring schedule {$post_id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


2699. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-outbound-schedule-sync.php:452 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Outbound Sync: Exception updating schedule {$post_id} after metadata change: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


2700. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-outbound-schedule-sync.php:552 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Outbound Sync: Exception deleting shift {$iar_schedule_id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


2701. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-outbound-schedule-sync.php:651 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Outbound Sync: Exception transferring shift {$iar_schedule_id}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


2702. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-member-sync.php:223 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Member Sync: wp_insert_post FAILED - Error: " . $post_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2703. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/sync/class-cxq-member-sync.php:223 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Member Sync: wp_insert_post FAILED - Error: " . $post_id->get_error_message());

Recommendation: Use $wpdb->prepare() with placeholders


2704. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/ajax/class-cxq-ajax-handlers.php:896 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Timesheet: Created 'Other' position for duty '$duty' with total hours: " . $total_other_hours);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2705. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/ajax/class-cxq-ajax-handlers.php:896 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CxQ Timesheet: Created 'Other' position for duty '$duty' with total hours: " . $total_other_hours);

Recommendation: Use $wpdb->prepare() with placeholders


2706. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/ajax/class-cxq-manual-assignment-ajax.php:1127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "Schedule: " . $schedule->post_title . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2707. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/ajax/class-cxq-manual-assignment-ajax.php:1128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "Shift: " . $shift->post_title . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2708. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/ajax/class-cxq-manual-assignment-ajax.php:1127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "Schedule: " . $schedule->post_title . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


2709. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/ajax/class-cxq-manual-assignment-ajax.php:1128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "Shift: " . $shift->post_title . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


2710. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/post-types/class-cxq-post-types.php:1198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$duplicate_list[] = "'{$mapping}' (already in " . $cred_type->post_title . ")";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2711. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/post-types/class-cxq-post-types.php:1198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$duplicate_list[] = "'{$mapping}' (already in " . $cred_type->post_title . ")";

Recommendation: Use $wpdb->prepare() with placeholders


2712. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/api/CxQ_SchedulerClient.php:181 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$errorMessage = "✗ Authentication failed for {$this->getSystemName()}: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2713. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/api/CxQ_SchedulerClient.php:181 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$errorMessage = "✗ Authentication failed for {$this->getSystemName()}: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


2714. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/api/class-cxq-api-client.php:139 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

// error_log('CxQ save_tokens: session_token = ' . substr($tokens['session_token'] ?? 'MISSING', 0, 30));

Recommendation: Move credentials to environment variables or secure configuration


2715. Hardcoded credentials detected

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/api/class-cxq-api-client.php:183 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

// error_log('CxQ load_tokens: session_token = ' . substr($sessionToken ?: 'EMPTY', 0, 30));

Recommendation: Move credentials to environment variables or secure configuration


2716. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/api/CxQ_Scheduler_Error_Handling.php:375 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"Operation failed after {$maxAttempts} attempts: " . $e->getMessage(),

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2717. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/api/CxQ_Scheduler_Error_Handling.php:375 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"Operation failed after {$maxAttempts} attempts: " . $e->getMessage(),

Recommendation: Use $wpdb->prepare() with placeholders


2718. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:61 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Schedules deleted: " . $purge_stats['schedules_deleted'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2719. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:62 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - External events deleted: " . $purge_stats['external_events_deleted'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2720. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:63 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Staff records deleted: " . $purge_stats['staff_deleted'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2721. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:79 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Schedules created: " . $iar_stats['created'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2722. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:80 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Schedules updated: " . $iar_stats['updated'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2723. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:81 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Total synced: " . $iar_stats['total'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2724. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:83 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("✗ IamResponding sync failed: " . $iar_stats['error'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2725. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:95 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Subscriptions processed: " . $google_stats['subscriptions'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2726. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:96 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Events created: " . $google_stats['events_created'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2727. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:97 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Events updated: " . $google_stats['events_updated'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2728. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:99 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("✗ Google Calendar sync failed: " . $google_stats['error'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2729. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:284 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query("DELETE FROM {$wpdb->postmeta} WHERE post_id NOT IN (SELECT ID FROM {$wpdb->posts})");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2730. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:61 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Schedules deleted: " . $purge_stats['schedules_deleted'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders


2731. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:62 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - External events deleted: " . $purge_stats['external_events_deleted'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders


2732. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:63 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Staff records deleted: " . $purge_stats['staff_deleted'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders


2733. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:79 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Schedules created: " . $iar_stats['created'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders


2734. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:80 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Schedules updated: " . $iar_stats['updated'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders


2735. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:81 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Total synced: " . $iar_stats['total'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders


2736. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:83 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("✗ IamResponding sync failed: " . $iar_stats['error'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders


2737. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:95 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Subscriptions processed: " . $google_stats['subscriptions'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders


2738. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:96 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Events created: " . $google_stats['events_created'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders


2739. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:97 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("  - Events updated: " . $google_stats['events_updated'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders


2740. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-scheduler/includes/admin/purge-and-resync.php:99 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::log("✗ Google Calendar sync failed: " . $google_stats['error'], $options['verbose']);

Recommendation: Use $wpdb->prepare() with placeholders


2741. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam/includes/class-cxq-antispam-rules-sync.php:582 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$wpdb->query( "TRUNCATE TABLE {$this->rules_table}" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2742. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam/includes/class-cxq-antispam-email-digest.php:215 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "Period: " . $queue[0]['timestamp'] . " to " . $queue[ count( $queue ) - 1 ]['timestamp'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2743. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam/includes/class-cxq-antispam-email-digest.php:215 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message .= "Period: " . $queue[0]['timestamp'] . " to " . $queue[ count( $queue ) - 1 ]['timestamp'] . "\n";

Recommendation: Use $wpdb->prepare() with placeholders


2744. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2745. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2746. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam/vendor-scoped/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


2747. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam/vendor-scoped/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


2748. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2749. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2750. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:172 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


2751. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-antispam/vendor-scoped/cxq-libs-metapackage/packages/cxq-util-handshake-kit/src/Host.php:198 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$canonical = strtoupper($method) . "\n" . $url . "\n" . $timestamp . "\n" . hash('sha256', $body);

Recommendation: Use $wpdb->prepare() with placeholders


2752. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-places/class-cxq-woocommerce-place-editor.php:178 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$id = "{$name}_".$cat['slug']."_{$archive_id}";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2753. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-places/class-cxq-woocommerce-place-editor.php:18 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$locations = $wpdb->get_results("SELECT * FROM `{$this->table_names['locations']}` order by region, city /* (in ".__FILE__.':'.__LINE__." )*/");

Recommendation: Use $wpdb->prepare() with placeholders


2754. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-places/class-cxq-woocommerce-place-editor.php:178 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$id = "{$name}_".$cat['slug']."_{$archive_id}";

Recommendation: Use $wpdb->prepare() with placeholders


2755. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/cxq-license-manager.php:689 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

jQuery( 'select[name=\"post_status\"]' ).append( '<option value=\"{$status}\">{$label}</option>' );".$jq_status;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2756. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/cxq-license-manager.php:689 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

jQuery( 'select[name=\"post_status\"]' ).append( '<option value=\"{$status}\">{$label}</option>' );".$jq_status;

Recommendation: Use $wpdb->prepare() with placeholders


2757. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2758. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2759. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2760. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2761. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2762. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2763. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2764. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:209 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2765. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:243 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2766. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:246 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2767. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:293 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2768. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:303 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2769. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:314 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2770. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:388 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2771. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:113 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders


2772. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:118 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders


2773. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:120 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


2774. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders


2775. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


2776. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:143 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders


2777. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders


2778. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:209 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2779. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:243 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2780. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:246 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2781. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:293 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders


2782. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:303 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders


2783. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:314 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders


2784. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/dBug.php:388 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders


2785. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/cxq-license-checker.php:185 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//return "-----BEGIN PUBLIC KEY-----\r\n".$public_key."\r\n-----END PUBLIC KEY-----";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2786. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/cxq-license-checker.php:185 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//return "-----BEGIN PUBLIC KEY-----\r\n".$public_key."\r\n-----END PUBLIC KEY-----";

Recommendation: Use $wpdb->prepare() with placeholders


2787. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/includes/GHRelay.php:33 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$file = "{$slug}/".$this->get_package_name($slug); //TODO: don't assume all plugins match this format.

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2788. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/includes/GHRelay.php:33 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$file = "{$slug}/".$this->get_package_name($slug); //TODO: don't assume all plugins match this format.

Recommendation: Use $wpdb->prepare() with placeholders


2789. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/includes/register-deregister-post-status.class.php:183 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

jQuery( 'select[name=\"post_status\"]' ).append( '<option value=\"{$status}\">{$label}</option>' );".$jq_status;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2790. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-license-manager/includes/register-deregister-post-status.class.php:183 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

jQuery( 'select[name=\"post_status\"]' ).append( '<option value=\"{$status}\">{$label}</option>' );".$jq_status;

Recommendation: Use $wpdb->prepare() with placeholders


2791. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-list/cxq-woocommerce-sales-list.php:235 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug_log( "TEAM/CART ERROR: " . $error_msg);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2792. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-list/cxq-woocommerce-sales-list.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug_log( "TEAM/CART ERROR: " . $error_msg);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2793. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-list/cxq-woocommerce-sales-list.php:390 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$error_msg = "Failed to save item {$item_id}: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2794. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-list/cxq-woocommerce-sales-list.php:392 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug_log( "TEAM/CART ERROR: " . $error_msg);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2795. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-list/cxq-woocommerce-sales-list.php:415 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug_log( "TEAM/CART RESULT: " . $message);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2796. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-list/cxq-woocommerce-sales-list.php:235 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug_log( "TEAM/CART ERROR: " . $error_msg);

Recommendation: Use $wpdb->prepare() with placeholders


2797. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-list/cxq-woocommerce-sales-list.php:245 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug_log( "TEAM/CART ERROR: " . $error_msg);

Recommendation: Use $wpdb->prepare() with placeholders


2798. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-list/cxq-woocommerce-sales-list.php:390 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$error_msg = "Failed to save item {$item_id}: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


2799. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-list/cxq-woocommerce-sales-list.php:392 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug_log( "TEAM/CART ERROR: " . $error_msg);

Recommendation: Use $wpdb->prepare() with placeholders


2800. Possible SQL injection via string concatenation

File: /var/www/html/wordpress/wp-content/plugins/cxq-woocommerce-sales-list/cxq-woocommerce-sales-list.php:415 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

self::debug_log( "TEAM/CART RESULT: " . $message);

Recommendation: Use $wpdb->prepare() with placeholders


2801. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/ecoeye-alert-relay/db-helper.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Database connection failed: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2802. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/ecoeye-alert-relay/db-helper.php:61 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Query failed: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2803. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/ecoeye-alert-relay/db-helper.php:75 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Query failed: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2804. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/ecoeye-alert-relay/db-helper.php:96 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Exec failed: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2805. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/ecoeye-alert-relay/db-helper.php:48 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Database connection failed: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


2806. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/ecoeye-alert-relay/db-helper.php:61 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Query failed: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


2807. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/ecoeye-alert-relay/db-helper.php:75 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Query failed: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


2808. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/ecoeye-alert-relay/db-helper.php:96 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Exec failed: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


2809. Hardcoded credentials detected

File: /opt/claude-workspace/projects/ecoeye-alert-relay/api-thumbnails.php:35 CWE: CWE-798 Confidence: HIGH

Description: Hardcoded credentials detected

Code:

$valid_api_key = 'your-api-key-here'; // TODO: Replace with actual key

Recommendation: Move credentials to environment variables or secure configuration


2810. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/cyber-guardian/api/malware.php:139 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Malware API Error: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2811. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/cyber-guardian/api/malware.php:139 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Malware API Error: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


2812. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/cyber-guardian/api/posture.php:84 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Malware score calculation failed: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2813. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/cyber-guardian/api/posture.php:84 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Malware score calculation failed: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


2814. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/cxq-woocommerce-product-map/products-xml.php:114 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$attribute_taxonomies = $wpdb->get_results( "SELECT * FROM " . $wpdb->prefix . "woocommerce_attribute_taxonomies order by attribute_name ASC;" );

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2815. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/cxq-woocommerce-product-map/products-xml.php:114 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$attribute_taxonomies = $wpdb->get_results( "SELECT * FROM " . $wpdb->prefix . "woocommerce_attribute_taxonomies order by attribute_name ASC;" );

Recommendation: Use $wpdb->prepare() with placeholders


2816. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/ecoeye-alert-relay-old/events-viewer.php:38 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$cmd = "sqlite3 -json " . escapeshellarg($dbPath) . " " . $escapedSql . " 2>/dev/null";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2817. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/ecoeye-alert-relay-old/events-viewer.php:50 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$cmd = "sqlite3 " . escapeshellarg($dbPath) . " " . $escapedSql . " 2>/dev/null";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2818. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/ecoeye-alert-relay-old/events-viewer.php:38 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$cmd = "sqlite3 -json " . escapeshellarg($dbPath) . " " . $escapedSql . " 2>/dev/null";

Recommendation: Use $wpdb->prepare() with placeholders


2819. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/ecoeye-alert-relay-old/events-viewer.php:50 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$cmd = "sqlite3 " . escapeshellarg($dbPath) . " " . $escapedSql . " 2>/dev/null";

Recommendation: Use $wpdb->prepare() with placeholders


2820. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno_project_form.php:125 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$html.="var roomCount = ".$roomNo.";\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2821. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno_project_form.php:410 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$outStr=htmlspecialchars($oMaterial->name." (".$currency_units.number_format($oMaterial->Price(1), 2, '.', ',')." / ".$oMaterial->quantity_units.")", ENT_QUOTES);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2822. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno_project_form.php:536 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$customerSelect.="<option value=".$thisCustomer['id_code'].">".$thisCustomer['title']."</option>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2823. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno_project_form.php:125 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$html.="var roomCount = ".$roomNo.";\n";

Recommendation: Use $wpdb->prepare() with placeholders


2824. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno_project_form.php:410 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$outStr=htmlspecialchars($oMaterial->name." (".$currency_units.number_format($oMaterial->Price(1), 2, '.', ',')." / ".$oMaterial->quantity_units.")", ENT_QUOTES);

Recommendation: Use $wpdb->prepare() with placeholders


2825. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno_project_form.php:536 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$customerSelect.="<option value=".$thisCustomer['id_code'].">".$thisCustomer['title']."</option>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders


2826. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/_header.php:10 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$bottom_host_name = $host_names[0]=="localhost"?$host_names[0]:($host_names[count($host_names)-2] . "." . $host_names[count($host_names)-1]);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2827. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/_header.php:10 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$bottom_host_name = $host_names[0]=="localhost"?$host_names[0]:($host_names[count($host_names)-2] . "." . $host_names[count($host_names)-1]);

Recommendation: Use $wpdb->prepare() with placeholders


2828. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/discgolfid/test.php:53 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$s = preg_replace("|\[".$k."\](.*)\[/".$k."\]|isU", "<font color=\"#".$v."\">\\1</font>", $s);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2829. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/discgolfid/test.php:53 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$s = preg_replace("|\[".$k."\](.*)\[/".$k."\]|isU", "<font color=\"#".$v."\">\\1</font>", $s);

Recommendation: Use $wpdb->prepare() with placeholders


2830. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:112 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2831. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:117 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2832. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2833. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:126 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2834. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2835. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:142 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2836. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2837. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:207 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2838. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:241 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2839. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:244 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2840. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:291 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2841. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:301 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2842. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:312 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2843. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:386 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2844. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:112 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders


2845. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:117 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders


2846. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


2847. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:126 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders


2848. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


2849. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:142 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders


2850. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders


2851. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:207 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2852. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:241 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2853. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:244 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


2854. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:291 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders


2855. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:301 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders


2856. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:312 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders


2857. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/dBug.php:386 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders


2858. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/form.php:374 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$outStr=htmlspecialchars($oMaterial->name." (".$currency_units.number_format($oMaterial->Price(1), 2, '.', ',')." / ".$oMaterial->quantity_units.")", ENT_QUOTES);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2859. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/form.php:375 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "                        '<option value=\"$id\">".$outStr."</option>'+"."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2860. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/form.php:417 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$customerSelect.="<option value=".$thisCustomer['id_code'].">".$thisCustomer['title']."</option>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2861. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/form.php:374 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$outStr=htmlspecialchars($oMaterial->name." (".$currency_units.number_format($oMaterial->Price(1), 2, '.', ',')." / ".$oMaterial->quantity_units.")", ENT_QUOTES);

Recommendation: Use $wpdb->prepare() with placeholders


2862. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/form.php:375 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "                        '<option value=\"$id\">".$outStr."</option>'+"."\n";

Recommendation: Use $wpdb->prepare() with placeholders


2863. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/form.php:417 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$customerSelect.="<option value=".$thisCustomer['id_code'].">".$thisCustomer['title']."</option>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders


2864. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/dbOps_CMartifacts.class.php:31 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql.=" AND `artifact_value` LIKE '%\"category1\":\"".$this->mysqli->real_escape_string($category1)."\"%'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2865. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/dbOps_CMartifacts.class.php:216 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql.=" AND `artifact_key`='".$this->mysqli->real_escape_string($key)."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2866. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/dbOps_CMartifacts.class.php:31 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql.=" AND `artifact_value` LIKE '%\"category1\":\"".$this->mysqli->real_escape_string($category1)."\"%'";

Recommendation: Use $wpdb->prepare() with placeholders


2867. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/dbOps_CMartifacts.class.php:216 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql.=" AND `artifact_key`='".$this->mysqli->real_escape_string($key)."'";

Recommendation: Use $wpdb->prepare() with placeholders


2868. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:19 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

while(array_key_exists($name."_".$i, $this->projects)){

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2869. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:22 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$name=$name."_".$i;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2870. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:50 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

while(array_key_exists($name."_".$i, $this->people)){

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2871. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:53 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$name=$name."_".$i;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2872. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:86 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

while(array_key_exists($name."_".$i, $this->rooms)){

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2873. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:89 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$name=$name."_".$i;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2874. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:130 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

while(array_key_exists($name."_".$i, $this->physicals)){

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2875. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:133 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$name=$name."_".$i;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2876. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:192 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Invalid Number of Physical Dimensions (".$dimension_count.')');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2877. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:208 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Unit Mismatch: '$quantity_units' not recognized as a unit of ".$this->quantity_term.'"');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2878. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:217 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

while(array_key_exists($name."_".$i, $this->materials)){

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2879. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:220 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$name=$name."_".$i;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2880. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:300 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Invalid Number of Physical Dimensions (".$this->dimension_count.')');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2881. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:19 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

while(array_key_exists($name."_".$i, $this->projects)){

Recommendation: Use $wpdb->prepare() with placeholders


2882. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:22 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$name=$name."_".$i;

Recommendation: Use $wpdb->prepare() with placeholders


2883. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:50 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

while(array_key_exists($name."_".$i, $this->people)){

Recommendation: Use $wpdb->prepare() with placeholders


2884. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:53 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$name=$name."_".$i;

Recommendation: Use $wpdb->prepare() with placeholders


2885. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:86 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

while(array_key_exists($name."_".$i, $this->rooms)){

Recommendation: Use $wpdb->prepare() with placeholders


2886. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:89 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$name=$name."_".$i;

Recommendation: Use $wpdb->prepare() with placeholders


2887. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:130 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

while(array_key_exists($name."_".$i, $this->physicals)){

Recommendation: Use $wpdb->prepare() with placeholders


2888. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:133 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$name=$name."_".$i;

Recommendation: Use $wpdb->prepare() with placeholders


2889. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:192 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Invalid Number of Physical Dimensions (".$dimension_count.')');

Recommendation: Use $wpdb->prepare() with placeholders


2890. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:208 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Unit Mismatch: '$quantity_units' not recognized as a unit of ".$this->quantity_term.'"');

Recommendation: Use $wpdb->prepare() with placeholders


2891. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:217 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

while(array_key_exists($name."_".$i, $this->materials)){

Recommendation: Use $wpdb->prepare() with placeholders


2892. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:220 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$name=$name."_".$i;

Recommendation: Use $wpdb->prepare() with placeholders


2893. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/classes/renovate.php:300 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Invalid Number of Physical Dimensions (".$this->dimension_count.')');

Recommendation: Use $wpdb->prepare() with placeholders


2894. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:4866 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2895. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:5730 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$s .= "\n".$this->linestyleWidth.' '.$this->linestyleCap.' '.$this->linestyleJoin.' '.$this->linestyleDash.' '.$this->DrawColor."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2896. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:8017 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->_out('<<'.$filter.'/Length '.strlen($p).'>> stream'."\n".$p."\n".'endstream'."\n".'endobj');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2897. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:8140 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->_out($this->_getobj($radio_button_obj_id)."\n".$annots."\n".'endobj');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2898. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:8710 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->_out($this->_getobj($annot_obj_id)."\n".$annots."\n".'endobj');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2899. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:8748 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2900. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:8816 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2901. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:8940 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->_out('<<'.$filter.'/Length '.strlen($stream).'>> stream'."\n".$stream."\n".'endstream'."\n".'endobj');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2902. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:9001 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2903. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:9167 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2904. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:9176 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->_out('<</N '.$info['ch'].' /Alternate /'.$info['cs'].' '.$filter.'/Length '.strlen($icc).'>> stream'."\n".$icc."\n".'endstream'."\n".'endobj');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2905. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:9182 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->_out('<<'.$filter.'/Length '.strlen($pal).'>> stream'."\n".$pal."\n".'endstream'."\n".'endobj');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2906. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:9285 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2907. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:9602 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out = '<< /Type /Metadata /Subtype /XML /Length '.strlen($xmp).' >> stream'."\n".$xmp."\n".'endstream'."\n".'endobj';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2908. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:9628 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->_out('<</N 3 '.$filter.'/Length '.strlen($icc).'>> stream'."\n".$icc."\n".'endstream'."\n".'endobj');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2909. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:10268 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return 'stream'."\n".$this->_getrawstream($s, $n)."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2910. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:10297 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->setPageBuffer($this->page, $page.$s."\n".$footer);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2911. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:12541 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->javascript = $jsa."\n".$this->javascript."\n".$jsb;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2912. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:12594 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->javascript .= sprintf("f".$name."=this.addField('%s','%s',%u,[%F,%F,%F,%F]);", $name, $type, $this->PageNo()-1, $x*$k, ($this->h-$y)*$k+1, ($x+$w)*$k, ($this->h-$y-$h)*$k+1)."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2913. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:12600 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$val = "'".$val."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2914. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:14639 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2915. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:14690 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2916. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:16274 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

while (preg_match("'<xre([^\>]*)>(.*?)".$this->re_space['p']."(.*?)</pre>'".$this->re_space['m'], $html_b)) {

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2917. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:16276 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$html_b = preg_replace("'<xre([^\>]*)>(.*?)".$this->re_space['p']."(.*?)</pre>'".$this->re_space['m'], "<xre\\1>\\2&nbsp;\\3</pre>", $html_b);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2918. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17292 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->setPageBuffer($this->page, $tstart."\nq\n".$try."\n".$linebeg."\nQ\n".$tend);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2919. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17355 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->setPageBuffer($this->page, $tstart."\nq\n".$try."\n".$linebeg."\nQ\n".$tend);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2920. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17638 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$pmid = $pmid_b."\nq\n".$trx."\n".$pmid_m."\nQ\n".$pmid_e;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2921. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17798 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xobjects[$this->xobjid]['outdata'] = $pstart."\n".$pmid."\n".$pend;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2922. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17800 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->setPageBuffer($startlinepage, $pstart."\n".$pmid."\n".$pend);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2923. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17802 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$endlinepos = strlen($pstart."\n".$pmid."\n");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2924. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17813 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xobjects[$this->xobjid]['outdata'] = $pstart."\n".$pmid."\nBT 0 Tw ET\n".$pend;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2925. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17815 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->setPageBuffer($startlinepage, $pstart."\n".$pmid."\nBT 0 Tw ET\n".$pend);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2926. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17817 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$endlinepos = strlen($pstart."\n".$pmid."\nBT 0 Tw ET\n");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2927. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17825 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$pstart .= "\nq\n".$trx."\n".$pmid."\nQ\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2928. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:18505 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$pstart .= "\nq\n".$trx."\n".$pmid."\nQ\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2929. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:20923 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$newjs = "this.addField(\'".$pamatch[1][$pk]."\',\'".$pamatch[2][$pk]."\',".$newpage;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2930. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:21105 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$newjs = "this.addField(\'".$pamatch[1][$pk]."\',\'".$pamatch[2][$pk]."\',".$newpage;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2931. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:4866 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders


2932. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:5730 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$s .= "\n".$this->linestyleWidth.' '.$this->linestyleCap.' '.$this->linestyleJoin.' '.$this->linestyleDash.' '.$this->DrawColor."\n";

Recommendation: Use $wpdb->prepare() with placeholders


2933. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:8017 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->_out('<<'.$filter.'/Length '.strlen($p).'>> stream'."\n".$p."\n".'endstream'."\n".'endobj');

Recommendation: Use $wpdb->prepare() with placeholders


2934. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:8140 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->_out($this->_getobj($radio_button_obj_id)."\n".$annots."\n".'endobj');

Recommendation: Use $wpdb->prepare() with placeholders


2935. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:8710 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->_out($this->_getobj($annot_obj_id)."\n".$annots."\n".'endobj');

Recommendation: Use $wpdb->prepare() with placeholders


2936. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:8748 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders


2937. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:8816 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders


2938. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:8940 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->_out('<<'.$filter.'/Length '.strlen($stream).'>> stream'."\n".$stream."\n".'endstream'."\n".'endobj');

Recommendation: Use $wpdb->prepare() with placeholders


2939. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:9001 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders


2940. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:9167 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders


2941. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:9176 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->_out('<</N '.$info['ch'].' /Alternate /'.$info['cs'].' '.$filter.'/Length '.strlen($icc).'>> stream'."\n".$icc."\n".'endstream'."\n".'endobj');

Recommendation: Use $wpdb->prepare() with placeholders


2942. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:9182 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->_out('<<'.$filter.'/Length '.strlen($pal).'>> stream'."\n".$pal."\n".'endstream'."\n".'endobj');

Recommendation: Use $wpdb->prepare() with placeholders


2943. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:9285 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders


2944. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:9602 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out = '<< /Type /Metadata /Subtype /XML /Length '.strlen($xmp).' >> stream'."\n".$xmp."\n".'endstream'."\n".'endobj';

Recommendation: Use $wpdb->prepare() with placeholders


2945. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:9628 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->_out('<</N 3 '.$filter.'/Length '.strlen($icc).'>> stream'."\n".$icc."\n".'endstream'."\n".'endobj');

Recommendation: Use $wpdb->prepare() with placeholders


2946. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:10268 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return 'stream'."\n".$this->_getrawstream($s, $n)."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders


2947. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:10297 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->setPageBuffer($this->page, $page.$s."\n".$footer);

Recommendation: Use $wpdb->prepare() with placeholders


2948. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:12541 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->javascript = $jsa."\n".$this->javascript."\n".$jsb;

Recommendation: Use $wpdb->prepare() with placeholders


2949. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:12594 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->javascript .= sprintf("f".$name."=this.addField('%s','%s',%u,[%F,%F,%F,%F]);", $name, $type, $this->PageNo()-1, $x*$k, ($this->h-$y)*$k+1, ($x+$w)*$k, ($this->h-$y-$h)*$k+1)."\n";

Recommendation: Use $wpdb->prepare() with placeholders


2950. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:12600 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$val = "'".$val."'";

Recommendation: Use $wpdb->prepare() with placeholders


2951. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:14639 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders


2952. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:14690 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$out .= ' stream'."\n".$stream."\n".'endstream';

Recommendation: Use $wpdb->prepare() with placeholders


2953. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:16274 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

while (preg_match("'<xre([^\>]*)>(.*?)".$this->re_space['p']."(.*?)</pre>'".$this->re_space['m'], $html_b)) {

Recommendation: Use $wpdb->prepare() with placeholders


2954. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:16276 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$html_b = preg_replace("'<xre([^\>]*)>(.*?)".$this->re_space['p']."(.*?)</pre>'".$this->re_space['m'], "<xre\\1>\\2&nbsp;\\3</pre>", $html_b);

Recommendation: Use $wpdb->prepare() with placeholders


2955. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17292 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->setPageBuffer($this->page, $tstart."\nq\n".$try."\n".$linebeg."\nQ\n".$tend);

Recommendation: Use $wpdb->prepare() with placeholders


2956. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17355 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->setPageBuffer($this->page, $tstart."\nq\n".$try."\n".$linebeg."\nQ\n".$tend);

Recommendation: Use $wpdb->prepare() with placeholders


2957. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17638 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$pmid = $pmid_b."\nq\n".$trx."\n".$pmid_m."\nQ\n".$pmid_e;

Recommendation: Use $wpdb->prepare() with placeholders


2958. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17798 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xobjects[$this->xobjid]['outdata'] = $pstart."\n".$pmid."\n".$pend;

Recommendation: Use $wpdb->prepare() with placeholders


2959. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17800 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->setPageBuffer($startlinepage, $pstart."\n".$pmid."\n".$pend);

Recommendation: Use $wpdb->prepare() with placeholders


2960. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17802 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$endlinepos = strlen($pstart."\n".$pmid."\n");

Recommendation: Use $wpdb->prepare() with placeholders


2961. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17813 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xobjects[$this->xobjid]['outdata'] = $pstart."\n".$pmid."\nBT 0 Tw ET\n".$pend;

Recommendation: Use $wpdb->prepare() with placeholders


2962. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17815 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->setPageBuffer($startlinepage, $pstart."\n".$pmid."\nBT 0 Tw ET\n".$pend);

Recommendation: Use $wpdb->prepare() with placeholders


2963. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17817 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$endlinepos = strlen($pstart."\n".$pmid."\nBT 0 Tw ET\n");

Recommendation: Use $wpdb->prepare() with placeholders


2964. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:17825 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$pstart .= "\nq\n".$trx."\n".$pmid."\nQ\n";

Recommendation: Use $wpdb->prepare() with placeholders


2965. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:18505 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$pstart .= "\nq\n".$trx."\n".$pmid."\nQ\n";

Recommendation: Use $wpdb->prepare() with placeholders


2966. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:20923 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$newjs = "this.addField(\'".$pamatch[1][$pk]."\',\'".$pamatch[2][$pk]."\',".$newpage;

Recommendation: Use $wpdb->prepare() with placeholders


2967. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tcpdf.php:21105 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$newjs = "this.addField(\'".$pamatch[1][$pk]."\',\'".$pamatch[2][$pk]."\',".$newpage;

Recommendation: Use $wpdb->prepare() with placeholders


2968. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:8 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "result:".$result."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2969. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:22 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "latLngs:".$latLngs."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2970. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:23 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Type:".$type."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2971. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:25 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "preARray:".$preARray."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2972. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:32 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "latLngsArr[$j]:".$latLngsArr[$j]."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2973. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:34 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "thesePoints:".$thesePoints[0].",".$thesePoints[1]."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2974. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:38 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "1:".$arr[1]."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2975. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:43 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "numDec:".$numDec."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2976. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:8 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "result:".$result."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders


2977. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:22 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "latLngs:".$latLngs."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders


2978. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:23 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "Type:".$type."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders


2979. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:25 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "preARray:".$preARray."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders


2980. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:32 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "latLngsArr[$j]:".$latLngsArr[$j]."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders


2981. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:34 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "thesePoints:".$thesePoints[0].",".$thesePoints[1]."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders


2982. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:38 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "1:".$arr[1]."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders


2983. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/constructimator/leaf_save.php:43 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "numDec:".$numDec."<br/>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders


2984. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:44 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//print "[004b] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2985. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:52 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$req = new Google_HttpRequest("https://www.google.com/m8/feeds/groups/".$this->user_email."/full?alt=json");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2986. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:62 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2987. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:69 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//print "[004c] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2988. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:85 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$add = new Google_HttpRequest("https://www.google.com/m8/feeds/groups/".$this->user_email."/full/");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2989. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:99 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//print "[004d] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2990. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2991. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$req = new Google_HttpRequest("https://www.google.com/m8/feeds/contacts/".$this->user_email."/full?group=".urlencode($baseurl.$groupID)."&alt=json");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2992. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:150 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//print "[004e] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2993. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:297 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<gd:givenName>".$this->givenName."</gd:givenName>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2994. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<gd:familyName>".$this->familyName."</gd:familyName>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2995. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:307 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<gd:fullName>".$this->fullName."</gd:familyName>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2996. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:312 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.="<atom:content type='text'>".$this->notes."</atom:content>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2997. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:316 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.="<gd:email rel='http://schemas.google.com/g/2005#".$type."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2998. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:320 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.=" address='".$this->email[$type]['address']."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


2999. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:321 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.=" displayName='".$this->email[$type]['displayName']."'/>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3000. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:324 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.="<gd:phoneNumber rel='http://schemas.google.com/g/2005#".$type."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3001. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:328 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.=">".$this->phone[$type]['number']."</gd:phoneNumber>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3002. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:331 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.="<gd:im address='".$this->instantMessaging[$type]['address']."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3003. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:332 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.=" protocol='".$this->instantMessaging[$type]['protocol']."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3004. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:334 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.=" rel='http://schemas.google.com/g/2005#".$type."'/>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3005. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:338 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

rel='http://schemas.google.com/g/2005#".$type."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3006. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:341 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.="<gd:city>".$this->postalAddress[$type]['city']."</gd:city>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3007. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:342 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<gd:street>".$this->postalAddress[$type]['street']."</gd:street>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3008. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:343 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<gd:region>".$this->postalAddress[$type]['region']."</gd:region>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3009. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:344 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<gd:postcode>".$this->postalAddress[$type]['postcode']."</gd:postcode>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3010. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:345 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<gd:country>".$this->postalAddress[$type]['country']."</gd:country>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3011. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:349 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.="<gd:formattedAddress>".$this->postalAddress[$type]['formattedAddress']."</gd:formattedAddress>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3012. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:355 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.="<gContact:groupMembershipInfo deleted='false' href='http://www.google.com/m8/feeds/groups/".$this->user_email."/base/".$group_id."'/> ";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3013. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:358 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "\n"."\n"."\n".$contact."\n"."\n"."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3014. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:365 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$add = new Google_HttpRequest("https://www.google.com/m8/feeds/contacts/".$this->user_email."/full/");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3015. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:380 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3016. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:381 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$req = new Google_HttpRequest("https://www.google.com/m8/feeds/contacts/".$this->user_email."/full?alt=json");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3017. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:411 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$req = new Google_HttpRequest($url="https://www.google.com/m8/feeds/contacts/".$this->user_email."/full/".$contactId."?alt=json");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3018. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:423 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3019. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:44 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//print "[004b] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


3020. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:52 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$req = new Google_HttpRequest("https://www.google.com/m8/feeds/groups/".$this->user_email."/full?alt=json");

Recommendation: Use $wpdb->prepare() with placeholders


3021. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:62 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Use $wpdb->prepare() with placeholders


3022. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:69 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//print "[004c] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


3023. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:85 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$add = new Google_HttpRequest("https://www.google.com/m8/feeds/groups/".$this->user_email."/full/");

Recommendation: Use $wpdb->prepare() with placeholders


3024. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:99 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//print "[004d] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


3025. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Use $wpdb->prepare() with placeholders


3026. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:128 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$req = new Google_HttpRequest("https://www.google.com/m8/feeds/contacts/".$this->user_email."/full?group=".urlencode($baseurl.$groupID)."&alt=json");

Recommendation: Use $wpdb->prepare() with placeholders


3027. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:150 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//print "[004e] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


3028. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:297 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<gd:givenName>".$this->givenName."</gd:givenName>

Recommendation: Use $wpdb->prepare() with placeholders


3029. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:302 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<gd:familyName>".$this->familyName."</gd:familyName>

Recommendation: Use $wpdb->prepare() with placeholders


3030. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:307 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<gd:fullName>".$this->fullName."</gd:familyName>

Recommendation: Use $wpdb->prepare() with placeholders


3031. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:312 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.="<atom:content type='text'>".$this->notes."</atom:content>";

Recommendation: Use $wpdb->prepare() with placeholders


3032. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:316 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.="<gd:email rel='http://schemas.google.com/g/2005#".$type."'";

Recommendation: Use $wpdb->prepare() with placeholders


3033. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:320 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.=" address='".$this->email[$type]['address']."'";

Recommendation: Use $wpdb->prepare() with placeholders


3034. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:321 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.=" displayName='".$this->email[$type]['displayName']."'/>";

Recommendation: Use $wpdb->prepare() with placeholders


3035. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:324 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.="<gd:phoneNumber rel='http://schemas.google.com/g/2005#".$type."'";

Recommendation: Use $wpdb->prepare() with placeholders


3036. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:328 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.=">".$this->phone[$type]['number']."</gd:phoneNumber>";

Recommendation: Use $wpdb->prepare() with placeholders


3037. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:331 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.="<gd:im address='".$this->instantMessaging[$type]['address']."'";

Recommendation: Use $wpdb->prepare() with placeholders


3038. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:332 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.=" protocol='".$this->instantMessaging[$type]['protocol']."'";

Recommendation: Use $wpdb->prepare() with placeholders


3039. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:334 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.=" rel='http://schemas.google.com/g/2005#".$type."'/>";

Recommendation: Use $wpdb->prepare() with placeholders


3040. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:338 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

rel='http://schemas.google.com/g/2005#".$type."'";

Recommendation: Use $wpdb->prepare() with placeholders


3041. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:341 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.="<gd:city>".$this->postalAddress[$type]['city']."</gd:city>

Recommendation: Use $wpdb->prepare() with placeholders


3042. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:342 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<gd:street>".$this->postalAddress[$type]['street']."</gd:street>

Recommendation: Use $wpdb->prepare() with placeholders


3043. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:343 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<gd:region>".$this->postalAddress[$type]['region']."</gd:region>

Recommendation: Use $wpdb->prepare() with placeholders


3044. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:344 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<gd:postcode>".$this->postalAddress[$type]['postcode']."</gd:postcode>

Recommendation: Use $wpdb->prepare() with placeholders


3045. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:345 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<gd:country>".$this->postalAddress[$type]['country']."</gd:country>";

Recommendation: Use $wpdb->prepare() with placeholders


3046. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:349 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.="<gd:formattedAddress>".$this->postalAddress[$type]['formattedAddress']."</gd:formattedAddress>";

Recommendation: Use $wpdb->prepare() with placeholders


3047. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:355 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$contact.="<gContact:groupMembershipInfo deleted='false' href='http://www.google.com/m8/feeds/groups/".$this->user_email."/base/".$group_id."'/> ";

Recommendation: Use $wpdb->prepare() with placeholders


3048. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:358 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//echo "\n"."\n"."\n".$contact."\n"."\n"."\n";

Recommendation: Use $wpdb->prepare() with placeholders


3049. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:365 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$add = new Google_HttpRequest("https://www.google.com/m8/feeds/contacts/".$this->user_email."/full/");

Recommendation: Use $wpdb->prepare() with placeholders


3050. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:380 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Use $wpdb->prepare() with placeholders


3051. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:381 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$req = new Google_HttpRequest("https://www.google.com/m8/feeds/contacts/".$this->user_email."/full?alt=json");

Recommendation: Use $wpdb->prepare() with placeholders


3052. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:411 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$req = new Google_HttpRequest($url="https://www.google.com/m8/feeds/contacts/".$this->user_email."/full/".$contactId."?alt=json");

Recommendation: Use $wpdb->prepare() with placeholders


3053. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/Google_Contacts.php:423 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Use $wpdb->prepare() with placeholders


3054. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/GoogleAPI.php:55 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

print "[003] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3055. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/GoogleAPI.php:62 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

print "[004] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3056. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/GoogleAPI.php:111 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

print "[003] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3057. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/GoogleAPI.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

print "[002] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3058. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/GoogleAPI.php:122 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

print "[001] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3059. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/GoogleAPI.php:55 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

print "[003] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


3060. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/GoogleAPI.php:62 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

print "[004] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


3061. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/GoogleAPI.php:111 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

print "[003] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


3062. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/GoogleAPI.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

print "[002] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


3063. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/GoogleAPI.php:122 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

print "[001] An error occurred: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


3064. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/contacts.php:57 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$customerSelect.="<option value=$i>".$thisCustomer['title']."</option>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3065. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/contacts.php:68 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$req = new Google_Http_Request("https://www.google.com/m8/feeds/contacts/".$user_email."/full/".$contactId."?alt=json");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3066. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/contacts.php:74 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//$group="http%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds%2Fgroups%2F".$user_email."%2Fbase%2F6";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3067. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/contacts.php:76 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//$req = new Google_Http_Request("https://www.google.com/m8/feeds/contacts/".$user_email."/full?group=".$group);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3068. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/contacts.php:57 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$customerSelect.="<option value=$i>".$thisCustomer['title']."</option>"."\n";

Recommendation: Use $wpdb->prepare() with placeholders


3069. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/contacts.php:68 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$req = new Google_Http_Request("https://www.google.com/m8/feeds/contacts/".$user_email."/full/".$contactId."?alt=json");

Recommendation: Use $wpdb->prepare() with placeholders


3070. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/contacts.php:74 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//$group="http%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds%2Fgroups%2F".$user_email."%2Fbase%2F6";

Recommendation: Use $wpdb->prepare() with placeholders


3071. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/contacts.php:76 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

//$req = new Google_Http_Request("https://www.google.com/m8/feeds/contacts/".$user_email."/full?group=".$group);

Recommendation: Use $wpdb->prepare() with placeholders


3072. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:112 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3073. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:117 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3074. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3075. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:126 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3076. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3077. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:142 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3078. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3079. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:207 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3080. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:241 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3081. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:244 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3082. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:291 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3083. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:301 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3084. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:312 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3085. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:386 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3086. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:112 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders


3087. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:117 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders


3088. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


3089. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:126 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders


3090. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


3091. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:142 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders


3092. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders


3093. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:207 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


3094. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:241 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


3095. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:244 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


3096. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:291 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders


3097. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:301 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders


3098. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:312 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders


3099. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/dBug.php:386 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders


3100. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/renovate.php:123 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Invalid Number of Physical Dimensions (".$dimension_count.')');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3101. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/renovate.php:137 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Unit Mismatch: '$quantity_units' is not a unit of ".$this->quantity_term.'"');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3102. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/renovate.php:147 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Unit Mismatch: '$quantity_units' not a unit of ".$this->quantity_term.'"');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3103. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/renovate.php:153 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Unit Mismatch: '$quantity_units' not a unit of ".$this->quantity_term.'"');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3104. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/renovate.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Unit Mismatch: '$quantity_units' not a unit of ".$this->quantity_term.'"');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3105. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/renovate.php:173 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Unit Mismatch: '$quantity_units' not recognized as a unit of ".$this->quantity_term.'"');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3106. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/renovate.php:219 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Invalid Number of Physical Dimensions (".$this->dimension_count.')');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3107. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/renovate.php:123 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Invalid Number of Physical Dimensions (".$dimension_count.')');

Recommendation: Use $wpdb->prepare() with placeholders


3108. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/renovate.php:137 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Unit Mismatch: '$quantity_units' is not a unit of ".$this->quantity_term.'"');

Recommendation: Use $wpdb->prepare() with placeholders


3109. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/renovate.php:147 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Unit Mismatch: '$quantity_units' not a unit of ".$this->quantity_term.'"');

Recommendation: Use $wpdb->prepare() with placeholders


3110. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/renovate.php:153 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Unit Mismatch: '$quantity_units' not a unit of ".$this->quantity_term.'"');

Recommendation: Use $wpdb->prepare() with placeholders


3111. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/renovate.php:166 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Unit Mismatch: '$quantity_units' not a unit of ".$this->quantity_term.'"');

Recommendation: Use $wpdb->prepare() with placeholders


3112. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/renovate.php:173 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Unit Mismatch: '$quantity_units' not recognized as a unit of ".$this->quantity_term.'"');

Recommendation: Use $wpdb->prepare() with placeholders


3113. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/leafM/renovate.php:219 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Invalid Number of Physical Dimensions (".$this->dimension_count.')');

Recommendation: Use $wpdb->prepare() with placeholders


3114. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tools/tcpdf_addfont.php:237 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "ERROR: Can't write to ".$options['outpath']."\n\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3115. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tools/tcpdf_addfont.php:253 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "--- ERROR: can't add ".$font."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3116. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tools/tcpdf_addfont.php:255 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "+++ OK   : ".$fontfile.' added as '.$fontname."\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3117. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tools/tcpdf_addfont.php:237 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "ERROR: Can't write to ".$options['outpath']."\n\n";

Recommendation: Use $wpdb->prepare() with placeholders


3118. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tools/tcpdf_addfont.php:253 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "--- ERROR: can't add ".$font."\n";

Recommendation: Use $wpdb->prepare() with placeholders


3119. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/tcpdf/tools/tcpdf_addfont.php:255 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "+++ OK   : ".$fontfile.' added as '.$fontname."\n";

Recommendation: Use $wpdb->prepare() with placeholders


3120. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/src/io/Google_CurlIO.php:190 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$responseHeaders[$header] .= "\n" . $value;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3121. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/src/io/Google_CurlIO.php:190 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$responseHeaders[$header] .= "\n" . $value;

Recommendation: Use $wpdb->prepare() with placeholders


3122. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/src/auth/Google_OAuth2.php:378 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$signed = $segments[0] . "." . $segments[1];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3123. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/src/auth/Google_OAuth2.php:384 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Google_AuthException("Can't parse token envelope: " . $segments[0]);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3124. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/src/auth/Google_OAuth2.php:391 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Google_AuthException("Can't parse token payload: " . $segments[1]);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3125. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/src/auth/Google_OAuth2.php:378 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$signed = $segments[0] . "." . $segments[1];

Recommendation: Use $wpdb->prepare() with placeholders


3126. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/src/auth/Google_OAuth2.php:384 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Google_AuthException("Can't parse token envelope: " . $segments[0]);

Recommendation: Use $wpdb->prepare() with placeholders


3127. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/constructimator.com/reno/contacts/src/auth/Google_OAuth2.php:391 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Google_AuthException("Can't parse token payload: " . $segments[1]);

Recommendation: Use $wpdb->prepare() with placeholders


3128. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/database/usergroups.dbOps.class.php:236 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$thisUserGroup=$usergroup_basename."_".$suffix;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3129. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/database/usergroups.dbOps.class.php:236 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$thisUserGroup=$usergroup_basename."_".$suffix;

Recommendation: Use $wpdb->prepare() with placeholders


3130. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/database/dbOps.class.php:71 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql.="`$varKey` ".$varConfig['type']." ".(isset($varConfig['size'])?("(".$varConfig['size'].")"):'').' '.(isset($varConfig['flags'])?$varConfig['flags']:'');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3131. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/database/dbOps.class.php:79 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql.=" COMMENT '".$varConfig['comment']."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3132. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/database/dbOps.class.php:144 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql.="ADD COLUMN `$varKey` ".$varConfig['type']." ".(isset($varConfig['size'])?("(".$varConfig['size'].")"):'').' '.(isset($varConfig['flags'])?$varConfig['flags']:'');

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3133. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/database/dbOps.class.php:146 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql.=" AFTER `".$varConfig['after']."`";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3134. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/database/dbOps.class.php:157 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql.=" COMMENT '".$varConfig['comment']."'";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3135. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/database/dbOps.class.php:200 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql="DROP TABLE  `".$tableName."`;";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3136. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/database/dbOps.class.php:71 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql.="`$varKey` ".$varConfig['type']." ".(isset($varConfig['size'])?("(".$varConfig['size'].")"):'').' '.(isset($varConfig['flags'])?$varConfig['flags']:'');

Recommendation: Use $wpdb->prepare() with placeholders


3137. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/database/dbOps.class.php:79 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql.=" COMMENT '".$varConfig['comment']."'";

Recommendation: Use $wpdb->prepare() with placeholders


3138. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/database/dbOps.class.php:144 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql.="ADD COLUMN `$varKey` ".$varConfig['type']." ".(isset($varConfig['size'])?("(".$varConfig['size'].")"):'').' '.(isset($varConfig['flags'])?$varConfig['flags']:'');

Recommendation: Use $wpdb->prepare() with placeholders


3139. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/database/dbOps.class.php:146 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql.=" AFTER `".$varConfig['after']."`";

Recommendation: Use $wpdb->prepare() with placeholders


3140. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/database/dbOps.class.php:157 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql.=" COMMENT '".$varConfig['comment']."'";

Recommendation: Use $wpdb->prepare() with placeholders


3141. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/database/dbOps.class.php:200 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$sql="DROP TABLE  `".$tableName."`;";

Recommendation: Use $wpdb->prepare() with placeholders


3142. Deprecated mysql_query() with user input

File: /opt/claude-workspace/projects/archive/_shared/database/dbOps.class.php:327 CWE: CWE-89 Confidence: HIGH

Description: Deprecated mysql_query() with user input

Code:

mysql_query($query, $link);

Recommendation: Use PDO or mysqli with prepared statements


3143. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/database/subscribers.dbOps.class.php:143 CWE: CWE-89 Confidence: HIGH

Description: Both halves of the SET list are unsafe: the array keys of $subscriber become column identifiers and the values become single-quoted literals, neither escaped. If $subscriber is built from request data, an attacker chooses which columns are written (for example a privilege flag) and can close the literal with a quote to append arbitrary SQL.

Code:

$sql= sprintf(' UPDATE %s SET '.implode(',', array_map(function ($v, $k) { return "`".$k . "`='" . $v."'"; }, $subscriber, array_keys($subscriber))),

Recommendation: Allow-list the columns that may be updated, emit one ? placeholder per value and bind the values through a mysqli or PDO prepared statement. $wpdb->prepare() is WordPress-only and is not available in this code base.


3144. Duplicate of 3143 (omitted)

File: /opt/claude-workspace/projects/archive/_shared/database/subscribers.dbOps.class.php:143 CWE: CWE-89 Confidence: HIGH

Description: Same file, line and code as 3143; the scanner emitted the finding twice with two wordings of the same recommendation. See 3143.
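Finding 3143 is the one genuine data-path SQL injection in this batch, so here is the UPDATE rebuilt as a prepared statement. This is an added example written for this report, not the project's code: the ALLOWED_COLUMNS list, the WHERE on an id column and the function names are assumptions.

```php
<?php
// Added example, not the project's code: the UPDATE from finding 3143
// rebuilt as a prepared statement. Column names come only from an
// allow-list (ALLOWED_COLUMNS and the WHERE on `id` are assumptions);
// every value travels as a bound parameter, separate from the SQL text.
declare(strict_types=1);

const ALLOWED_COLUMNS = ['email', 'name', 'status', 'timezone'];

/**
 * Returns [$sql, $types, $params] ready for mysqli_stmt::bind_param().
 * Throws instead of emitting SQL when a key is not an updatable column.
 */
function buildSubscriberUpdate(string $table, array $subscriber, int $id): array
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $table)) {
        throw new InvalidArgumentException("Unsafe table name: $table");
    }
    $sets = [];
    $params = [];
    foreach ($subscriber as $column => $value) {
        if (!in_array($column, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException("Column not updatable: $column");
        }
        $sets[] = '`' . $column . '` = ?';
        $params[] = (string)$value;
    }
    if ($sets === []) {
        throw new InvalidArgumentException('Nothing to update');
    }
    $params[] = $id;
    $sql = 'UPDATE `' . $table . '` SET ' . implode(', ', $sets) . ' WHERE `id` = ?';
    return [$sql, str_repeat('s', count($sets)) . 'i', $params];
}

/** Execute the update through mysqli; values never become part of the statement text. */
function updateSubscriber(mysqli $db, string $table, array $subscriber, int $id): int
{
    [$sql, $types, $params] = buildSubscriberUpdate($table, $subscriber, $id);
    $stmt = $db->prepare($sql);
    $stmt->bind_param($types, ...$params);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Constructed input; the name carries the quote that broke the original query.
[$sql, $types, $params] = buildSubscriberUpdate('subscribers', [
    'name'  => "O'Brien', `status`='admin",
    'email' => 'obrien@example.com',
], 42);
echo $sql, "\n", $types, "\n";
print_r($params);

// A key that is not a real column, e.g. straight from $_POST, is refused rather than spliced in.
try {
    buildSubscriberUpdate('subscribers', ['name` = 1, `is_admin' => '1'], 42);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

On PHP 8.1 and later $stmt->execute($params) can replace the bind_param() call and the $types string. The allow-list is the part that matters most: a placeholder cannot protect a column name, so the keys of $subscriber must never come straight from the request.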


3145. Path traversal via string concatenation (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/TimeZones.class.php:108 CWE: CWE-22 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: $region is appended to a filesystem path and passed to file(). If $region can be influenced by a request, ../ sequences read files outside src_TimeZones/timezones/ and their contents are returned to the caller. realpath() is applied only to the directory prefix, not to the final path, so it does not help.

Code:

$defs_data_orig = file(realpath(dirname(__FILE__))."/src_TimeZones/timezones/".$region,FILE_SKIP_EMPTY_LINES);

Recommendation: Validate $region against the files that actually exist in the timezones directory, or at least against ^[A-Za-z0-9_-]+$; then realpath() the full path and reject it unless it still sits directly under that directory. $wpdb->prepare() is for SQL and does not apply.


3146. Duplicate of 3145 (omitted)

File: /opt/claude-workspace/projects/archive/_shared/classes/TimeZones.class.php:108 CWE: CWE-22 (scanner reported CWE-89) Confidence: MEDIUM

Description: Same file, line and code as 3145; the scanner emitted the finding twice with two wordings of the same recommendation. See 3145.
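For 3145 the check a reviewer wants to see is the two-layer one: a syntactic allow-list on the region name, then a canonical-path check on the resolved file. The following is an added example for this report, not the project's code; loadRegionFile() and the temporary fixture directory are hypothetical.

```php
<?php
// Added example, not the project's code: loading a timezone file by region
// name (finding 3145) so that $region cannot escape the data directory.
// loadRegionFile() and the fixture directory are hypothetical.
declare(strict_types=1);

function loadRegionFile(string $dataDir, string $region): array
{
    // 1. Syntactic allow-list: a region is a plain word such as "europe".
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_-]{0,63}$/', $region)) {
        throw new InvalidArgumentException("Invalid region name: $region");
    }
    // 2. Canonicalise and require the resolved file to sit directly under $dataDir.
    $root = realpath($dataDir);
    $path = realpath($dataDir . DIRECTORY_SEPARATOR . $region);
    if ($root === false || $path === false || dirname($path) !== $root || !is_file($path)) {
        throw new RuntimeException("No such region file: $region");
    }
    // FILE_SKIP_EMPTY_LINES only takes effect together with FILE_IGNORE_NEW_LINES.
    return file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
}

// Constructed fixture: a temporary data dir with one region file and a file outside it.
$tmp = sys_get_temp_dir() . '/tz_' . bin2hex(random_bytes(4));
mkdir($tmp . '/timezones', 0700, true);
file_put_contents($tmp . '/timezones/europe', "Europe/London\n\nEurope/Paris\n");
file_put_contents($tmp . '/secret.txt', "not a timezone file\n");

print_r(loadRegionFile($tmp . '/timezones', 'europe'));

foreach (['../secret.txt', 'europe/../../secret.txt', 'Europe London', 'asia'] as $bad) {
    try {
        loadRegionFile($tmp . '/timezones', $bad);
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The regex alone already rejects the traversal strings; the realpath() comparison is the second layer and also catches a symlink inside the data directory that points elsewhere.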


3147. Unescaped value in XML element (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:106 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: $this->givenName is interpolated into the text content of a GData Atom entry without XML escaping. A value containing <, & or ]]> either makes the entry unparseable or injects additional elements into the contact record.

Code:

<gd:givenName>".$this->givenName."</gd:givenName>

Recommendation: Build the entry with DOMDocument or XMLWriter, which escape text nodes and attributes, or wrap every interpolated value in htmlspecialchars($v, ENT_XML1 | ENT_QUOTES, 'UTF-8'). $wpdb->prepare() is for SQL and does not apply.


3148. Unescaped value in XML element (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:111 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: $this->familyName is interpolated into element text without XML escaping; same issue as 3147.

Code:

<gd:familyName>".$this->familyName."</gd:familyName>

Recommendation: Same as 3147: escape with htmlspecialchars($v, ENT_XML1 | ENT_QUOTES, 'UTF-8') or build the document with DOMDocument.


3149. Unescaped value in XML element (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:116 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: $this->fullName is interpolated into element text without XML escaping; same issue as 3147. Note also that the element is opened as gd:fullName and closed as gd:familyName, so the entry is malformed XML regardless of input.

Code:

<gd:fullName>".$this->fullName."</gd:familyName>

Recommendation: Fix the closing tag and escape the value as in 3147; building the entry with DOMDocument prevents both mistakes.


3150. Unescaped value in XML element (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:121 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: $this->notes, free text by nature, is interpolated into atom:content without XML escaping; same issue as 3147.

Code:

$contact.="<atom:content type='text'>".$this->notes."</atom:content>";

Recommendation: Same as 3147: escape with htmlspecialchars($v, ENT_XML1 | ENT_QUOTES, 'UTF-8') or emit a DOM text node.


3151. Unescaped value in XML attribute (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:125 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: $type, the array key naming the e-mail kind, is interpolated into the single-quoted rel attribute. A ' in it ends the attribute and the remainder becomes further attributes or markup.

Code:

$contact.="<gd:email rel='http://schemas.google.com/g/2005#".$type."'";

Recommendation: Restrict $type to the rel values the GData schema defines (home, work, other) and set attributes through DOMElement::setAttribute() or htmlspecialchars($v, ENT_XML1 | ENT_QUOTES, 'UTF-8').


3152. Unescaped value in XML attribute (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:129 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: the e-mail address is interpolated into a single-quoted attribute without escaping; a ' in it ends the attribute.

Code:

$contact.=" address='".$this->email[$type]['address']."'";

Recommendation: Set the attribute through DOMElement::setAttribute() or escape with htmlspecialchars($v, ENT_XML1 | ENT_QUOTES, 'UTF-8').


3153. Unescaped value in XML attribute (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:130 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: displayName is interpolated into a single-quoted attribute without escaping; same issue as 3152.

Code:

$contact.=" displayName='".$this->email[$type]['displayName']."'/>";

Recommendation: Same as 3152.


3154. Unescaped value in XML attribute (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:133 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: $type is interpolated into the rel attribute of gd:phoneNumber; same issue as 3151.

Code:

$contact.="<gd:phoneNumber rel='http://schemas.google.com/g/2005#".$type."'";

Recommendation: Same as 3151: allow-list $type and escape or set the attribute through the DOM.


3155. Unescaped value in XML element (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:137 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: the phone number is interpolated into element text without XML escaping; same issue as 3147.

Code:

$contact.=">".$this->phone[$type]['number']."</gd:phoneNumber>";

Recommendation: Same as 3147.


3156. Unescaped value in XML attribute (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:140 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: the IM address is interpolated into a single-quoted attribute without escaping; same issue as 3152.

Code:

$contact.="<gd:im address='".$this->instantMessaging[$type]['address']."'";

Recommendation: Same as 3152.


3157. Unescaped value in XML attribute (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:141 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: the IM protocol is interpolated into a single-quoted attribute without escaping; same issue as 3152. The protocol is a schema-defined value and should be allow-listed like $type in 3151.

Code:

$contact.=" protocol='".$this->instantMessaging[$type]['protocol']."'";

Recommendation: Allow-list the protocol value and set the attribute through DOMElement::setAttribute() or htmlspecialchars(..., ENT_XML1 | ENT_QUOTES).


3158. Unescaped value in XML attribute (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:143 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: $type is interpolated into the rel attribute of gd:im; same issue as 3151.

Code:

$contact.=" rel='http://schemas.google.com/g/2005#".$type."'/>";

Recommendation: Same as 3151.


3159. Unescaped value in XML attribute (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:147 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: $type is interpolated into the rel attribute of the postal address element; same issue as 3151.

Code:

rel='http://schemas.google.com/g/2005#".$type."'";

Recommendation: Same as 3151.


3160. Unescaped value in XML element (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:150 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: the city is interpolated into element text without XML escaping; same issue as 3147.

Code:

$contact.="<gd:city>".$this->postalAddress[$type]['city']."</gd:city>

Recommendation: Same as 3147.


3161. Unescaped value in XML element (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:151 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: the street is interpolated into element text without XML escaping; same issue as 3147.

Code:

<gd:street>".$this->postalAddress[$type]['street']."</gd:street>

Recommendation: Same as 3147.


3162. Unescaped value in XML element (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:152 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: the region is interpolated into element text without XML escaping; same issue as 3147.

Code:

<gd:region>".$this->postalAddress[$type]['region']."</gd:region>

Recommendation: Same as 3147.


3163. Unescaped value in XML element (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:153 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: the postcode is interpolated into element text without XML escaping; same issue as 3147.

Code:

<gd:postcode>".$this->postalAddress[$type]['postcode']."</gd:postcode>

Recommendation: Same as 3147.


3164. Unescaped value in XML element (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:154 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: the country is interpolated into element text without XML escaping; same issue as 3147.

Code:

<gd:country>".$this->postalAddress[$type]['country']."</gd:country>";

Recommendation: Same as 3147.


3165. Unescaped value in XML element (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:158 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: the formatted address, free text by nature, is interpolated into element text without XML escaping; same issue as 3147.

Code:

$contact.="<gd:formattedAddress>".$this->postalAddress[$type]['formattedAddress']."</gd:formattedAddress>";

Recommendation: Same as 3147.


3166. Unescaped value in XML attribute and URL (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:164 CWE: CWE-91 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: $this->user_email and $group_id are interpolated into both a URL path and a single-quoted href attribute. A ' in either breaks out of the attribute; a /, ? or # changes which group the membership record points to.

Code:

$contact.="<gContact:groupMembershipInfo deleted='false' href='http://www.google.com/m8/feeds/groups/".$this->user_email."/base/".$group_id."'/> ";

Recommendation: rawurlencode() each path segment when building the URL, then set the attribute through DOMElement::setAttribute() or escape it with htmlspecialchars(..., ENT_XML1 | ENT_QUOTES, 'UTF-8').


3167. False positive: commented-out code (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:167 CWE: none (scanner reported CWE-89) Confidence: NONE

Description: The line is a // comment; nothing is executed. The scanner matched the concatenation pattern inside the comment text.

Code:

//echo "\n"."\n"."\n".$contact."\n"."\n"."\n";

Recommendation: No security action required. Delete the dead debug line so it stops tripping the scanner.


3168. Unencoded value in request URL (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:174 CWE: CWE-116 (scanner reported CWE-89) Confidence: LOW

Description: Not SQL: $this->user_email is concatenated into the path of a Google Contacts API URL without encoding. A value containing /, ?, # or spaces changes the path or query of the outgoing request instead of being treated as the user identifier. Impact depends on who controls $this->user_email; the request still goes to www.google.com.

Code:

$add = new Google_Http_Request("https://www.google.com/m8/feeds/contacts/".$this->user_email."/full/");

Recommendation: rawurlencode() each path segment and build query strings with http_build_query(). $wpdb->prepare() is for SQL and does not apply to URLs.


3169. Unencoded value in request URL (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:189 CWE: CWE-116 (scanner reported CWE-89) Confidence: LOW

Description: Not SQL: $this->user_email is concatenated unencoded into the base URL from which group hrefs are built; same issue as 3168.

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Same as 3168: rawurlencode() the path segment.


3170. Unencoded value in request URL (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:190 CWE: CWE-116 (scanner reported CWE-89) Confidence: LOW

Description: Not SQL: $this->user_email is concatenated unencoded into the request path; same issue as 3168.

Code:

$req = new Google_Http_Request("https://www.google.com/m8/feeds/contacts/".$this->user_email."/full?alt=json");

Recommendation: Same as 3168.


3171. Unencoded value in request URL (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:220 CWE: CWE-116 (scanner reported CWE-89) Confidence: LOW

Description: Not SQL: both $this->user_email and $contactId are concatenated unencoded into the request path; same issue as 3168, with $contactId the more likely request-controlled value.

Code:

$req = new Google_Http_Request($url="https://www.google.com/m8/feeds/contacts/".$this->user_email."/full/".$contactId."?alt=json");

Recommendation: Same as 3168: rawurlencode() both path segments and append alt=json with http_build_query().


3172. Unencoded value in request URL (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:232 CWE: CWE-116 (scanner reported CWE-89) Confidence: LOW

Description: Not SQL: second copy of the group base URL from 3169; same issue.

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Same as 3168.


3173-3198. Duplicates of 3147-3172 (omitted)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContact.class.php:106-232

Description: The scanner reported every GContact.class.php line covered by 3147-3172 a second time, with the same file, line, code and CWE and only a shorter wording of the same recommendation. Those 26 entries are collapsed into this note; the corrected analysis is under 3147-3172.
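The GContact findings fall into two real categories, XML injection into the Atom entry (3147-3166) and unencoded path segments in the feed URLs (3168-3172; the same pattern recurs in GContacts.class.php and Contacts_Google.php below). Both are fixed by letting a library do the escaping. The following is an added example written for this report, not the project's code: buildContactEntry() and contactFeedUrl() are hypothetical names, the namespace URIs are the ones that appear in the scanned lines, and REL_KINDS is assumed to be the set of rel suffixes the schema allows.

```php
<?php
// Added example, not the project's code: the GData contact entry from
// findings 3147-3166 built with DOMDocument, and the feed URLs from
// 3168-3172 built with rawurlencode(). buildContactEntry() and
// contactFeedUrl() are hypothetical names; REL_KINDS is an assumption.
declare(strict_types=1);

const NS_ATOM   = 'http://www.w3.org/2005/Atom';
const NS_GD     = 'http://schemas.google.com/g/2005';
const REL_KINDS = ['home', 'work', 'other'];   // rel suffixes accepted for $type

function buildContactEntry(array $c): string
{
    $doc   = new DOMDocument('1.0', 'UTF-8');
    $entry = $doc->appendChild($doc->createElementNS(NS_ATOM, 'atom:entry'));
    $entry->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:gd', NS_GD);

    $name = $entry->appendChild($doc->createElementNS(NS_GD, 'gd:name'));
    foreach (['givenName', 'familyName', 'fullName'] as $field) {
        if (isset($c[$field])) {
            // createElementNS() does not escape a value argument; a text node does.
            $name->appendChild($doc->createElementNS(NS_GD, 'gd:' . $field))
                 ->appendChild($doc->createTextNode($c[$field]));
        }
    }
    if (isset($c['notes'])) {
        $content = $entry->appendChild($doc->createElementNS(NS_ATOM, 'atom:content'));
        $content->setAttribute('type', 'text');
        $content->appendChild($doc->createTextNode($c['notes']));
    }
    foreach ($c['email'] ?? [] as $type => $email) {
        if (!in_array($type, REL_KINDS, true)) {
            throw new InvalidArgumentException("Unknown email kind: $type");
        }
        $el = $entry->appendChild($doc->createElementNS(NS_GD, 'gd:email'));
        $el->setAttribute('rel', NS_GD . '#' . $type);   // setAttribute() escapes ', ", < and &
        $el->setAttribute('address', $email['address']);
        if (isset($email['displayName'])) {
            $el->setAttribute('displayName', $email['displayName']);
        }
    }
    return $doc->saveXML($entry);
}

/** Every path segment is percent-encoded; query parameters go through http_build_query(). */
function contactFeedUrl(string $userEmail, ?string $contactId = null, array $query = []): string
{
    $url = 'https://www.google.com/m8/feeds/contacts/' . rawurlencode($userEmail) . '/full';
    if ($contactId !== null) {
        $url .= '/' . rawurlencode($contactId);
    }
    return $query === [] ? $url : $url . '?' . http_build_query($query);
}

// Constructed input carrying the characters that break hand-built XML and URLs.
echo buildContactEntry([
    'givenName' => 'Ann & Bob <script>',
    'fullName'  => "O'Neil \"Jr.\"",
    'notes'     => ']]><!-- not a comment -->',
    'email'     => ['work' => ['address' => "ann@example.com' foo='bar", 'displayName' => 'Ann']],
]), "\n";
echo contactFeedUrl('user@example.com/../../groups', 'abc?x=1#frag', ['alt' => 'json']), "\n";
```

saveXML() escapes text nodes and attribute values, so a quote in displayName or a < in givenName stays data and the mismatched closing tag from 3149 cannot happen. The same setAttribute() plus rawurlencode() pair fixes the groupMembershipInfo href in 3166.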


3199. False positive: commented-out code (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContacts.class.php:28 CWE: none (scanner reported CWE-89) Confidence: NONE

Description: The line is a // comment; nothing is executed. The scanner matched the concatenation pattern inside the comment text.

Code:

//print "[004b] An error occurred: " . $e->getMessage();

Recommendation: No security action required. Delete the dead debug line so it stops tripping the scanner.


3200. Unencoded value in request URL (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContacts.class.php:36 CWE: CWE-116 (scanner reported CWE-89) Confidence: LOW

Description: Not SQL: $this->user_email is concatenated into the path of the groups feed URL without encoding. A value containing /, ?, # or spaces changes the path or query of the outgoing request; the request still goes to www.google.com.

Code:

$req = new Google_Http_Request("https://www.google.com/m8/feeds/groups/".$this->user_email."/full?alt=json");

Recommendation: rawurlencode() the path segment and build query strings with http_build_query(). $wpdb->prepare() is for SQL and does not apply to URLs.


3201. Unencoded value in request URL (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContacts.class.php:46 CWE: CWE-116 (scanner reported CWE-89) Confidence: LOW

Description: Not SQL: $this->user_email is concatenated unencoded into the group base URL; same issue as 3200.

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Same as 3200.


3202. False positive: commented-out code (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContacts.class.php:66 CWE: none (scanner reported CWE-89) Confidence: NONE

Description: The line is a // comment; nothing is executed. Same as 3199.

Code:

//print "[004c] An error occurred: " . $e->getMessage();

Recommendation: No security action required; delete the dead debug line.


3203. Unencoded value in request URL (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContacts.class.php:80 CWE: CWE-116 (scanner reported CWE-89) Confidence: LOW

Description: Not SQL: $this->user_email is concatenated unencoded into the request path; same issue as 3200.

Code:

$add = new Google_Http_Request("https://www.google.com/m8/feeds/groups/".$this->user_email."/full/");

Recommendation: Same as 3200.


3204. False positive: commented-out code (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContacts.class.php:94 CWE: none (scanner reported CWE-89) Confidence: NONE

Description: The line is a // comment; nothing is executed. Same as 3199.

Code:

//print "[004d] An error occurred: " . $e->getMessage();

Recommendation: No security action required; delete the dead debug line.


3205. Unencoded value in request URL (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContacts.class.php:137 CWE: CWE-116 (scanner reported CWE-89) Confidence: LOW

Description: Not SQL: second copy of the group base URL from 3201; same issue.

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Same as 3200.


3206. Unencoded value in request URL (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContacts.class.php:138 CWE: CWE-116 (scanner reported CWE-89) Confidence: LOW

Description: Not SQL: the group parameter is correctly passed through urlencode() for the query string, but $this->user_email in the path is still concatenated unencoded; same issue as 3200.

Code:

$req = new Google_Http_Request("https://www.google.com/m8/feeds/contacts/".$this->user_email."/full?group=".urlencode($baseurl.$groupID)."&alt=json");

Recommendation: rawurlencode() the user_email path segment and build the whole query string with http_build_query(['group' => $baseurl.$groupID, 'alt' => 'json']).


3207. False positive: commented-out code (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContacts.class.php:165 CWE: none (scanner reported CWE-89) Confidence: NONE

Description: The line is a // comment; nothing is executed. Same as 3199.

Code:

//print "[004e] An error occurred: " . $e->getMessage();

Recommendation: No security action required; delete the dead debug line.


3208-3216. Duplicates of 3199-3207 (omitted)

File: /opt/claude-workspace/projects/archive/_shared/classes/GContacts.class.php:28-165

Description: The scanner reported every GContacts.class.php line covered by 3199-3207 a second time, with the same file, line, code and CWE and only a shorter wording of the same recommendation. Those 9 entries are collapsed into this note; the corrected analysis is under 3199-3207.


3217. Unescaped value in HTML e-mail body (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/Mailman.class.php:43 CWE: CWE-79 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: $custom_message is concatenated into an HTML e-mail body without escaping. If it originates from a sign-up or contact form, the submitter injects arbitrary HTML (links, images, forms) into mail read by the site administrators.

Code:

if($custom_message!='') $message_template .= "<br>" . $custom_message . "";

Recommendation: Escape with htmlspecialchars($custom_message, ENT_QUOTES, 'UTF-8') at the point of insertion (apply nl2br() afterwards if line breaks are wanted). $wpdb->prepare() is for SQL and does not apply.


3218. Unescaped value in HTML e-mail body (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/Mailman.class.php:47 CWE: CWE-79 (scanner reported CWE-89) Confidence: LOW

Description: Not SQL: $link_accept and $link_reject are placed into the body as raw HTML. If they are anchors generated entirely by the application the risk is low; any user-derived parameter embedded in them (an id, an e-mail address) must be URL-encoded and then HTML-escaped.

Code:

$message_template .= "<tr><td><strong>Decision:</strong> </td><td>" . $link_accept .'&nbsp;&nbsp;&nbsp;&nbsp;'.$link_reject. "</td></tr>";

Recommendation: Build the two links from a fixed template, rawurlencode() any parameter and htmlspecialchars() the resulting href.


3219. Unescaped value in HTML e-mail body (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/Mailman.class.php:100 CWE: CWE-79 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: $welcome_message is concatenated into the HTML body without escaping; same issue as 3217.

Code:

if($welcome_message!='') $message_template .= "" . $welcome_message . "";

Recommendation: Same as 3217.


3220. Unescaped value in HTML e-mail body (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/Mailman.class.php:104 CWE: CWE-79 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: $site_url is rendered as text in a table cell without escaping; a value such as an <a> or <img> tag is interpreted as markup.

Code:

if($site_url!='') $message_template .= "<tr><td><strong>Site URL:</strong> </td><td>" . $site_url . "</td></tr>";

Recommendation: Same as 3217: htmlspecialchars($site_url, ENT_QUOTES, 'UTF-8').


3221. Unescaped value in HTML e-mail attribute (reported as SQL injection)

File: /opt/claude-workspace/projects/archive/_shared/classes/Mailman.class.php:113 CWE: CWE-79 (scanner reported CWE-89) Confidence: MEDIUM

Description: Not SQL: the picture URL from the decoded profile data is placed in an img src attribute and user_name in the alt attribute, both unescaped. A " in either ends the attribute and the remainder becomes further attributes; a non-https src is fetched or rendered by some mail clients.

Code:

$message_extra_admin_only.="<tr><td><strong>Picture:</strong> </td><td><img src=\"" . $userinfo['user_gdata_decode']->picture . "\" alt=\"".$userinfo['user_name']."\" height=\"200\"></td></tr>";

Recommendation: Escape both values with htmlspecialchars(..., ENT_QUOTES, 'UTF-8') and only emit the image when parse_url() reports an https scheme.


3222. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Mailman.class.php:43 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

if($custom_message!='') $message_template .= "<br>" . $custom_message . "";

Recommendation: Use $wpdb->prepare() with placeholders


3223. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Mailman.class.php:47 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$message_template .= "<tr><td><strong>Decision:</strong> </td><td>" . $link_accept .'&nbsp;&nbsp;&nbsp;&nbsp;'.$link_reject. "</td></tr>";

Recommendation: Drop the $wpdb->prepare() advice. Review the code that builds $link_accept and $link_reject: each query parameter in the href should be passed through rawurlencode(), and any attribute or text derived from user data should be encoded with htmlspecialchars(..., ENT_QUOTES, 'UTF-8').
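
The Mailman.class.php findings above are output-encoding problems in an HTML email template rather than SQL injection. The following PHP is an added example, not code from Mailman.class.php or from this report's scanner: it shows the unencoded pattern the scanner flagged next to a hardened version that validates URLs and HTML-encodes every interpolated value. The helper names (h, safeHttpUrl, buildMessageUnsafe, buildMessageSafe) and the sample profile are the example's own.

```php
<?php
// Added example, not code from Mailman.class.php or from this report's scanner.
// The unencoded template pattern the scanner flagged, beside a hardened
// version that validates URLs and HTML-encodes every interpolated value.
// Helper names and the sample profile are the example's own.

declare(strict_types=1);

/** Encode a value for HTML text or a double-quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Accept only absolute http(s) URLs; anything else becomes an empty string. */
function safeHttpUrl(string $url): string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '';
}

/** The pattern from the findings: values concatenated into HTML as-is. */
function buildMessageUnsafe(array $u): string
{
    $t = '<table>';
    if ($u['site_url'] !== '') {
        $t .= '<tr><td><strong>Site URL:</strong> </td><td>' . $u['site_url'] . '</td></tr>';
    }
    $t .= '<tr><td><strong>Picture:</strong> </td><td><img src="' . $u['picture']
        . '" alt="' . $u['user_name'] . '" height="200"></td></tr>';
    return $t . '</table>';
}

/** Hardened form: validate the URLs, encode every value at the point of output. */
function buildMessageSafe(array $u): string
{
    $t = '<table>';
    $siteUrl = safeHttpUrl($u['site_url']);
    if ($siteUrl !== '') {
        $t .= '<tr><td><strong>Site URL:</strong> </td><td>' . h($siteUrl) . '</td></tr>';
    }
    $picture = safeHttpUrl($u['picture']);
    if ($picture !== '') {
        $t .= '<tr><td><strong>Picture:</strong> </td><td><img src="' . h($picture)
            . '" alt="' . h($u['user_name']) . '" height="200"></td></tr>';
    }
    return $t . '</table>';
}

// Constructed input: what a hostile profile from an identity provider could carry.
$profile = [
    'site_url'  => 'https://example.org/"><script>alert(1)</script>',
    'picture'   => 'javascript:alert(document.cookie)',
    'user_name' => 'Mallory" onerror="alert(2)',
];

echo buildMessageUnsafe($profile), PHP_EOL;  // script tag, javascript: URI and onerror all survive
echo buildMessageSafe($profile), PHP_EOL;    // picture row dropped; < > " in the rest become entities
```

Running it prints the unsafe table first, with the script tag, the javascript: URI and the injected onerror attribute intact, then the safe table, in which the picture row is omitted and every angle bracket and quote is an entity. The same two helpers cover each Mailman line flagged above; the decision left to the maintainer is which fields are administrator-authored HTML and which are untrusted text.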


3227. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:28 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89, and not reachable code: the statement is commented out (//print ...). It concatenated an exception message for debugging; it never executes and builds no SQL.

Code:

//print "[004b] An error occurred: " . $e->getMessage();

Recommendation: No security change is required. Remove the dead debug statement so it stops generating findings, and if exception messages are ever printed in production, send them to a log rather than the HTTP response so internal details are not disclosed.


3228. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:36 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: the concatenation builds the URL of the GData contact-groups feed, not a SQL statement. $this->user_email is interpolated into the URL path without rawurlencode(), so an email value containing /, ? or # would change which resource the request goes to (injection into the outbound request path, not into a database).

Code:

$req = new Google_Http_Request("https://www.google.com/m8/feeds/groups/".$this->user_email."/full?alt=json");

Recommendation: Replace the $wpdb->prepare() advice with URL-path encoding: use rawurlencode($this->user_email) for the path segment and validate the value with filter_var($email, FILTER_VALIDATE_EMAIL) where it is assigned. Note that the legacy GData Contacts API (m8/feeds) these URLs target has been deprecated by Google in favour of the People API, so this client needs migrating regardless of the encoding fix.


3229. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:46 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89. $baseurl is the GData group-ID prefix ("base" URIs serve as identifiers, and line 138 URL-encodes the combined value before sending it as a query parameter), so this line neither builds SQL nor issues a request. The only inconsistency is that $this->user_email is unencoded here.

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Not a database issue. Use rawurlencode($this->user_email) here, and replace the four identical copies of this line (lines 46, 137, 507 and 550 in this report) with a single helper method so the fix lands once.


3230. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:66 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89, and dead code: the line is a commented-out debug print of an exception message. It never runs and constructs no SQL.

Code:

//print "[004c] An error occurred: " . $e->getMessage();

Recommendation: No security fix needed; delete the commented-out statement. Exception details that are printed for debugging should go to a log, never to the response.


3231. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:80 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: this builds the URL for creating a contact group via the GData API. The email address is concatenated into the path unencoded, the same URL-path issue as the other Google_Http_Request constructors in this class; no SQL is involved.

Code:

$add = new Google_Http_Request("https://www.google.com/m8/feeds/groups/".$this->user_email."/full/");

Recommendation: $wpdb->prepare() does not apply. Encode the path segment with rawurlencode($this->user_email) and construct all m8/feeds URLs in one helper so the encoding cannot be forgotten at one call site.


3232. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:94 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89 on a commented-out line. A //print of $e->getMessage() is dead code; it neither runs nor builds a query.

Code:

//print "[004d] An error occurred: " . $e->getMessage();

Recommendation: Remove the dead statement. No other action is required for this line.


3233. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:137 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: a second copy of the $baseurl identifier prefix (see line 46). It builds no SQL and sends no request; $this->user_email is merely unencoded in the prefix string.

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Not a database issue. Factor the prefix into one helper that applies rawurlencode() to the email address, instead of repeating the literal in four places.


3234. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:138 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: the line builds the contacts feed URL filtered by group. Note the inconsistency: the group query parameter is correctly passed through urlencode(), but $this->user_email in the path is not, so the path segment is the only unencoded value. No SQL is constructed.

Code:

$req = new Google_Http_Request("https://www.google.com/m8/feeds/contacts/".$this->user_email."/full?group=".urlencode($baseurl.$groupID)."&alt=json");

Recommendation: Use rawurlencode() for the path segment ($this->user_email) and keep urlencode() (or http_build_query()) for the query string; $wpdb->prepare() has no role in building URLs.


3235. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:165 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89 on commented-out debug output; the line does not execute.

Code:

//print "[004e] An error occurred: " . $e->getMessage();

Recommendation: Delete the commented-out print. Nothing else to fix here.


3236. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:424 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: this is part of a multi-line Atom/GData XML entry that the class sends to the Contacts API, not a SQL statement. $this->givenName is inserted into XML element content unescaped, so a value containing < or & produces an invalid document, and a value such as </gd:givenName><gd:... can add elements to the entry (XML injection, CWE-91, if the name is attacker-controlled).

Code:

<gd:givenName>".$this->givenName."</gd:givenName>

Recommendation: $wpdb->prepare() does not apply; escape for XML instead. Either build the entry with XMLWriter or DOMDocument, which escape automatically, or wrap each value in htmlspecialchars($v, ENT_XML1 | ENT_QUOTES, 'UTF-8') before concatenation.


3237. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:429 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: $this->familyName is interpolated into an XML element of the Atom entry without escaping, the same XML-injection exposure (CWE-91) as the givenName line; there is no SQL.

Code:

<gd:familyName>".$this->familyName."</gd:familyName>

Recommendation: Escape with htmlspecialchars($this->familyName, ENT_XML1 | ENT_QUOTES, 'UTF-8') or, preferably, generate the whole entry with XMLWriter so no value is ever spliced into markup.


3238. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:434 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89, but this line has a real defect the scanner did not report: the element is opened as <gd:fullName> and closed as </gd:familyName>. The resulting XML is not well-formed, so the API will reject the entry or ignore the field. $this->fullName is also unescaped (CWE-91 exposure, same as the neighbouring lines). No SQL is built.

Code:

<gd:fullName>".$this->fullName."</gd:familyName>

Recommendation: Fix the closing tag to </gd:fullName> and escape the value for XML (htmlspecialchars with ENT_XML1 | ENT_QUOTES). Generating the entry with XMLWriter would have prevented the tag mismatch as well as the injection.


3239. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:439 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: $this->notes is written into an atom:content element as raw text. Free-form notes are the field most likely to contain <, > or &, which at minimum breaks the XML and at worst injects elements. Not a database operation.

Code:

$contact.="<atom:content type='text'>".$this->notes."</atom:content>";

Recommendation: Escape the value with htmlspecialchars($this->notes, ENT_XML1 | ENT_QUOTES, 'UTF-8') or emit it via XMLWriter::writeElement(); $wpdb->prepare() is not relevant.


3240. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:443 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: $type (the key of the $this->email array, expected to be a GData rel such as home or work) is written into a single-quoted XML attribute. A key containing a single quote ends the attribute. No SQL is constructed.

Code:

$contact.="<gd:email rel='http://schemas.google.com/g/2005#".$type."'";

Recommendation: Allow-list $type against the rel values the API accepts (home, work, other) and reject anything else; if the value must be passed through, escape it with htmlspecialchars(..., ENT_XML1 | ENT_QUOTES, 'UTF-8').


3241. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:447 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: the contact's email address is written into the address attribute of gd:email without escaping. A single quote in the value terminates the attribute; no query is built here.

Code:

$contact.=" address='".$this->email[$type]['address']."'";

Recommendation: Validate the address with filter_var(..., FILTER_VALIDATE_EMAIL) and write the attribute with XMLWriter::writeAttribute() or htmlspecialchars(..., ENT_XML1 | ENT_QUOTES, 'UTF-8'). Not a $wpdb->prepare() case.


3242. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:448 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: displayName, a free-text field, goes into a single-quoted XML attribute unescaped. A single quote or < in the name breaks the attribute and the entry. No SQL.

Code:

$contact.=" displayName='".$this->email[$type]['displayName']."'/>";

Recommendation: Escape the value for an XML attribute (htmlspecialchars with ENT_XML1 | ENT_QUOTES, or XMLWriter::writeAttribute()); $wpdb->prepare() does not apply.


3243. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:451 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: same pattern as the gd:email rel attribute, now for gd:phoneNumber. $type comes from the keys of $this->phone and is spliced into a single-quoted attribute unescaped. Not a database call.

Code:

$contact.="<gd:phoneNumber rel='http://schemas.google.com/g/2005#".$type."'";

Recommendation: Allow-list $type (home, work, mobile and the other rels the API defines) and reject unknown keys rather than interpolating them.


3244. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:455 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: the phone number is written as gd:phoneNumber element content without XML escaping. A number string is unlikely to contain markup, but if it originates from user input it can. No SQL.

Code:

$contact.=">".$this->phone[$type]['number']."</gd:phoneNumber>";

Recommendation: Escape with htmlspecialchars(..., ENT_XML1 | ENT_QUOTES, 'UTF-8') or use XMLWriter::writeElement(); optionally validate the number against an expected character set first.


3245. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:458 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: the instant-messaging address is placed in a single-quoted gd:im attribute unescaped. A quote in the value breaks the attribute; nothing here builds a query.

Code:

$contact.="<gd:im address='".$this->instantMessaging[$type]['address']."'";

Recommendation: Write the attribute with XMLWriter::writeAttribute() or escape the value with htmlspecialchars(..., ENT_XML1 | ENT_QUOTES, 'UTF-8').


3246. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:459 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: protocol is interpolated into a single-quoted attribute. The API expects one of a fixed set of protocol identifiers, so this is an allow-list question, not a SQL one.

Code:

$contact.=" protocol='".$this->instantMessaging[$type]['protocol']."'";

Recommendation: Map the caller-supplied protocol name to the fixed set of GData IM protocol values and reject anything not in the set; escaping the attribute value is a second line of defence, not the primary control.


3247. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:461 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: the gd:im rel attribute is built from $type exactly as for gd:email and gd:phoneNumber, with the same unescaped single-quoted attribute. No SQL.

Code:

$contact.=" rel='http://schemas.google.com/g/2005#".$type."'/>";

Recommendation: Same fix as the other rel attributes: allow-list $type and build the attribute with XMLWriter or an XML-escaped value.


3248. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:465 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: rel attribute of the postal-address element, built from $type without escaping. Not a database operation.

Code:

rel='http://schemas.google.com/g/2005#".$type."'";

Recommendation: Allow-list $type and escape for an XML attribute; $wpdb->prepare() is not the tool.


3249. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:468 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: $this->postalAddress[$type]['city'] is written into gd:city element content unescaped. Address components are user-entered text, so < or & in them produces an invalid entry and a crafted value can inject elements (CWE-91). No SQL.

Code:

$contact.="<gd:city>".$this->postalAddress[$type]['city']."</gd:city>

Recommendation: Escape each address component with htmlspecialchars(..., ENT_XML1 | ENT_QUOTES, 'UTF-8') or emit the gd:structuredPostalAddress block with XMLWriter; $wpdb->prepare() does not apply.


3250. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:469 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: the street line of the address goes into gd:street unescaped; street fields commonly contain & and apostrophes. Same XML-escaping issue as the other address components, no SQL.

Code:

<gd:street>".$this->postalAddress[$type]['street']."</gd:street>

Recommendation: Escape for XML (ENT_XML1 | ENT_QUOTES) or use XMLWriter; not a database fix.


3251. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:470 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: gd:region content written without XML escaping. No query is built.

Code:

<gd:region>".$this->postalAddress[$type]['region']."</gd:region>

Recommendation: Apply the same XML escaping as the rest of the address block.


3252. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:471 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: gd:postcode content written without XML escaping; no SQL.

Code:

<gd:postcode>".$this->postalAddress[$type]['postcode']."</gd:postcode>

Recommendation: Validate the postcode against an expected pattern and escape it for XML; $wpdb->prepare() is not applicable.


3253. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:472 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: gd:country content written without XML escaping, closing the multi-line address string. No SQL.

Code:

<gd:country>".$this->postalAddress[$type]['country']."</gd:country>";

Recommendation: Escape for XML as with the other address elements, or allow-list the country value against the list of names or codes the application accepts.


3254. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:476 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: the free-text formattedAddress is written into gd:formattedAddress unescaped. Same CWE-91 exposure as the structured address fields; no SQL.

Code:

$contact.="<gd:formattedAddress>".$this->postalAddress[$type]['formattedAddress']."</gd:formattedAddress>";

Recommendation: Escape with htmlspecialchars(..., ENT_XML1 | ENT_QUOTES, 'UTF-8') or XMLWriter::writeElement().


3255. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:482 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: the group-membership href attribute is assembled from $this->user_email and $group_id without URL or XML encoding. A quote in either value ends the attribute, and a group ID containing / changes which group the contact is added to. Not a database statement.

Code:

$contact.="<gContact:groupMembershipInfo deleted='false' href='http://www.google.com/m8/feeds/groups/".$this->user_email."/base/".$group_id."'/> ";

Recommendation: Build the href from rawurlencode()d path segments, validate $group_id against the identifier format the API returns, and write it with XMLWriter::writeAttribute() or after XML escaping.


3256. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:485 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89 on a commented-out echo of the generated XML. Dead code; nothing executes.

Code:

//echo "\n"."\n"."\n".$contact."\n"."\n"."\n";

Recommendation: Remove the debug statement. If request bodies need to be inspected, log them through the application logger rather than echo.


3257. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:492 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: URL for creating a contact in the GData contacts feed, with $this->user_email unencoded in the path. No SQL; the other Google_Http_Request constructors in this class have the same issue.

Code:

$add = new Google_Http_Request("https://www.google.com/m8/feeds/contacts/".$this->user_email."/full/");

Recommendation: rawurlencode() the path segment; build all feed URLs through one helper.


3258. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:507 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: third copy of the $baseurl identifier prefix, identical to lines 46 and 137. No SQL, no request; unencoded email in the prefix.

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Deduplicate into one helper that applies rawurlencode().


3259. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:508 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: the contacts feed URL with the unencoded email path segment; no SQL.

Code:

$req = new Google_Http_Request("https://www.google.com/m8/feeds/contacts/".$this->user_email."/full?alt=json");

Recommendation: Same fix as the other feed URLs: rawurlencode($this->user_email), ideally inside a shared URL-building helper.


3260. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:538 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: the per-contact URL places both $this->user_email and $contactId in the path unencoded. If $contactId is taken from request input, a value containing / or ../ retargets the request to a different resource. Note also the stray assignment $url= inside the constructor argument, which is harmless but misleading. No SQL is built.

Code:

$req = new Google_Http_Request($url="https://www.google.com/m8/feeds/contacts/".$this->user_email."/full/".$contactId."?alt=json");

Recommendation: rawurlencode() both path segments and validate $contactId against the identifier format the API returns before use; drop the inline assignment. $wpdb->prepare() is not relevant.


3261. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/Contacts_Google.php:550 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: fourth copy of the $baseurl identifier prefix; nothing is queried or sent on this line.

Code:

$baseurl="http://www.google.com/m8/feeds/groups/".$this->user_email."/base/";

Recommendation: Replace with the shared helper that encodes the email address: one definition, four call sites.
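
The Contacts_Google.php findings fall into two groups: email addresses and IDs spliced into m8/feeds URL paths, and contact fields spliced into a hand-built Atom/GData XML entry. The PHP below is an added example, not code from Contacts_Google.php: it encodes path segments with rawurlencode() and builds the entry with XMLWriter, which escapes text and attribute values itself and cannot produce the mismatched tag seen at line 434. The function names, the rel allow-list and the sample inputs are the example's own; the endpoint paths mirror those in the scanned code.

```php
<?php
// Added example, not code from Contacts_Google.php on this page.
// Demonstrates the two fixes the Contacts_Google findings call for:
// rawurlencode() for a URL path segment, and XMLWriter (which escapes
// text and attribute values itself) instead of string-building an Atom
// entry. Endpoint paths mirror the m8/feeds URLs in the scanned code;
// the function names, allow-list and sample data are the example's own.

declare(strict_types=1);

const GDATA_NS  = 'http://schemas.google.com/g/2005';
const GDATA_REL = ['home', 'work', 'other'];   // allow-list for the rel suffix ($type in the original)

/** Feed URL with the user's email (and optional contact ID) as encoded path segments. */
function contactsFeedUrl(string $userEmail, string $contactId = ''): string
{
    if (filter_var($userEmail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not an email address');
    }
    $url = 'https://www.google.com/m8/feeds/contacts/' . rawurlencode($userEmail) . '/full/';
    if ($contactId !== '') {
        $url .= rawurlencode($contactId);
    }
    return $url . '?alt=json';
}

/** Atom entry for a contact, built with XMLWriter so values cannot inject markup. */
function contactEntryXml(string $givenName, string $familyName, array $emails): string
{
    $w = new XMLWriter();
    $w->openMemory();
    $w->setIndent(true);
    $w->startDocument('1.0', 'UTF-8');
    $w->startElementNs('atom', 'entry', 'http://www.w3.org/2005/Atom');
    $w->writeAttribute('xmlns:gd', GDATA_NS);

    $w->startElement('gd:name');
    $w->writeElement('gd:givenName', $givenName);
    $w->writeElement('gd:familyName', $familyName);
    $w->writeElement('gd:fullName', trim($givenName . ' ' . $familyName)); // tags always match
    $w->endElement();

    foreach ($emails as $type => $address) {
        if (!in_array($type, GDATA_REL, true)) {
            continue;                       // unknown rel: skip rather than interpolate
        }
        $w->startElement('gd:email');
        $w->writeAttribute('rel', GDATA_NS . '#' . $type);
        $w->writeAttribute('address', $address);
        $w->endElement();
    }

    $w->endElement();   // atom:entry
    $w->endDocument();
    return $w->outputMemory();
}

// Constructed inputs carrying the characters that break the string-built version.
echo contactsFeedUrl('alice@example.com', 'abc/../def'), PHP_EOL;
// https://www.google.com/m8/feeds/contacts/alice%40example.com/full/abc%2F..%2Fdef?alt=json

echo contactEntryXml(
    'Mallory</gd:givenName><gd:extendedProperty name="x"/>',
    "O'Brien",
    ['work' => 'm@example.com', "evil'" => 'x@example.com']
);
// The injected </gd:givenName>... fragment is emitted as escaped text and the
// bogus rel key is dropped; nothing the caller supplies is parsed as markup.
```

XMLWriter writes the injected fragment as escaped character data and the unknown rel key is skipped instead of interpolated. If a minimal patch to the existing string-building code is preferred over a rewrite, htmlspecialchars($v, ENT_XML1 | ENT_QUOTES, 'UTF-8') on every value gives the same protection, but it has to be applied at each of the sites listed above and is easy to miss at one of them.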


3297. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:112 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89. dBug is a debugging dump class; this line composes a display label from the dumped variable's name and a type header. It does not build a query. Everything dBug emits is later printed into HTML, so the relevant question for this file is output encoding, not SQL.

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Ignore the $wpdb->prepare() advice. Ensure dBug is not loaded in production builds (it exposes internal state), and wherever it remains, pass labels and values through htmlspecialchars(..., ENT_QUOTES, 'UTF-8') before echoing.


3298. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:117 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: an echo of the opening table tag whose CSS class is built from $type, an internal type name the class sets itself (array, object, resource and so on). No SQL; the concatenated value is not user-controlled.

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: No fix needed for this line beyond keeping the class out of production; the scanner rule should require a database sink before reporting CWE-89.


3299. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:119 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: HTML for the table header row. $header is the label from line 112, which includes the dumped variable's name and, for nested data, array keys or property names, all echoed without encoding; $colspan and $str_i are set internally. No query is built.

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Encode $header with htmlspecialchars() before it is echoed; the other interpolated values are internal. $wpdb->prepare() does not apply.


3300. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:126 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: echoes a tr opening tag with an internally computed attribute string ($str_d). Nothing user-supplied, nothing SQL.

Code:

echo "<tr".$str_d.">

Recommendation: No action for this line.


3301. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: same header-cell output as line 119, with $header echoed unencoded. No SQL.

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Apply htmlspecialchars() to the header value; not a database fix.


3302. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:142 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: returns a human-readable error message composed of two internal strings. No query, no external input.

Code:

return ($error." ".$type." type");

Recommendation: Nothing to fix; the rule that produced this finding needs tuning.


3303. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:165 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89, but worth a look for a different reason: $var, the value being dumped, is echoed straight into HTML. When dBug is used to inspect request data, a value containing markup is rendered as markup (reflected XSS on the debug page). No SQL is involved.

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Echo htmlspecialchars($var, ENT_QUOTES, 'UTF-8') instead of the raw value, and keep the class out of production code paths.


3304. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:207 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: emits an error row from an internal message string. No SQL, no user input.

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: No action required for this line.


3305. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:241 CWE: CWE-89 Confidence: HIGH

Description: False positive for CWE-89: echoes the literal [function] followed by an internally generated closing tag. There is nothing variable here at all.

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3306. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:244 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3307. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:291 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3308. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:301 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3309. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:312 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3310. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:386 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3311. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:112 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$header = $this->getVariableName() . " (" . $header . ")";

Recommendation: Use $wpdb->prepare() with placeholders


3312. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:117 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=2 cellpadding=3 class=\"dBug_".$type."\">

Recommendation: Use $wpdb->prepare() with placeholders


3313. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:119 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td ".$str_i."class=\"dBug_".$type."Header\" colspan=".$colspan." onClick='dBug_toggleTable(this)'>".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


3314. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:126 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<tr".$str_d.">

Recommendation: Use $wpdb->prepare() with placeholders


3315. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:127 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

<td valign=\"top\" onClick='dBug_toggleRow(this)' class=\"dBug_".$type."Key\">".$header."</td>

Recommendation: Use $wpdb->prepare() with placeholders


3316. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:142 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

return ($error." ".$type." type");

Recommendation: Use $wpdb->prepare() with placeholders


3317. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<table cellspacing=0><tr>\n<td>".$var."</td>\n</tr>\n</table>\n";

Recommendation: Use $wpdb->prepare() with placeholders


3318. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:207 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("array").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


3319. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:241 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "[function]".$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


3320. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:244 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

else echo "<tr><td>".$this->error("object").$this->closeTDRow();

Recommendation: Use $wpdb->prepare() with placeholders


3321. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:291 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$db_func = $db."_field_".$arrFields[$j];

Recommendation: Use $wpdb->prepare() with placeholders


3322. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:301 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td class=\"dBug_resourceKey\" title=\"".$field_header."\">".$field_name."</td>";

Recommendation: Use $wpdb->prepare() with placeholders


3323. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:312 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

echo "<td>".$fieldrow."</td>\n";

Recommendation: Use $wpdb->prepare() with placeholders


3324. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/classes/dBug.class.php:386 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->xmlSData[$this->xmlCount].='echo "<strong>'.$this->xmlName[$this->xmlCount].'</strong>".$this->closeTDRow();';

Recommendation: Use $wpdb->prepare() with placeholders


3325. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/phpqrcode-master/tools/merge.php:60 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$outputCode .= "\n\n".$anotherCode."\n\n";

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3326. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/phpqrcode-master/tools/merge.php:60 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$outputCode .= "\n\n".$anotherCode."\n\n";

Recommendation: Use $wpdb->prepare() with placeholders


3327. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Http/Batch.php:66 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->expected_classes["response-" . $key] = $req->getExpectedClass();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3328. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Http/Batch.php:66 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$this->expected_classes["response-" . $key] = $req->getExpectedClass();

Recommendation: Use $wpdb->prepare() with placeholders


3329. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Http/Request.php:232 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"?" . $this->buildQuery($this->queryParams) :

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3330. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Http/Request.php:289 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

isset($parts['port']) ? ":" . $parts['port'] : ''

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3331. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Http/Request.php:409 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$str = $headers . "\n" . $str;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3332. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Http/Request.php:232 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

"?" . $this->buildQuery($this->queryParams) :

Recommendation: Use $wpdb->prepare() with placeholders


3333. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Http/Request.php:289 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

isset($parts['port']) ? ":" . $parts['port'] : ''

Recommendation: Use $wpdb->prepare() with placeholders


3334. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Http/Request.php:409 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$str = $headers . "\n" . $str;

Recommendation: Use $wpdb->prepare() with placeholders


3335. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Utils/URITemplate.php:241 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$values[] = $pkey . "=" . $pvalue; // Explode triggers = combine.

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3336. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Utils/URITemplate.php:241 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$values[] = $pkey . "=" . $pvalue; // Explode triggers = combine.

Recommendation: Use $wpdb->prepare() with placeholders


3337. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/IO/Abstract.php:287 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$headers[$header] .= "\n" . $value;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3338. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/IO/Abstract.php:287 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$headers[$header] .= "\n" . $value;

Recommendation: Use $wpdb->prepare() with placeholders


3339. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Auth/OAuth2.php:475 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$signed = $segments[0] . "." . $segments[1];

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3340. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Auth/OAuth2.php:481 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Google_Auth_Exception("Can't parse token envelope: " . $segments[0]);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3341. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Auth/OAuth2.php:488 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Google_Auth_Exception("Can't parse token payload: " . $segments[1]);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3342. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Auth/OAuth2.php:475 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$signed = $segments[0] . "." . $segments[1];

Recommendation: Use $wpdb->prepare() with placeholders


3343. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Auth/OAuth2.php:481 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Google_Auth_Exception("Can't parse token envelope: " . $segments[0]);

Recommendation: Use $wpdb->prepare() with placeholders


3344. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/archive/_shared/includes/api-clients/Google/Auth/OAuth2.php:488 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Google_Auth_Exception("Can't parse token payload: " . $segments[1]);

Recommendation: Use $wpdb->prepare() with placeholders


3345. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/dashboard-api.php:628 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Warning: Could not enable redirect for alias '$alias': " . $redirectError->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3346. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/dashboard-api.php:2102 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Dashboard API Error: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3347. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/dashboard-api.php:628 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Warning: Could not enable redirect for alias '$alias': " . $redirectError->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3348. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/dashboard-api.php:2102 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Dashboard API Error: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3349. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/fix-dns.php:132 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Fix DNS Error: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3350. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/fix-dns.php:132 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Fix DNS Error: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3351. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/api.php:188 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$progress->failStep('preflight', "Failed to resolve {$failedCount} conflict(s): " . $firstFailed['error']);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3352. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/api.php:566 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Service restart error (non-fatal): " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3353. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/api.php:608 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Hestia Automation Error: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3354. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/api.php:188 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$progress->failStep('preflight', "Failed to resolve {$failedCount} conflict(s): " . $firstFailed['error']);

Recommendation: Use $wpdb->prepare() with placeholders


3355. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/api.php:566 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Service restart error (non-fatal): " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3356. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/api.php:608 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Hestia Automation Error: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3357. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:973 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$warnings[] = "SendGrid error: " . $sgError->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3358. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:988 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$warnings[] = "Error retrieving DKIM records: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3359. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:1148 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Check for existing records: " . $checkError->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3360. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:1164 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$errorMsg = "Cloudflare API error for {$record['name']}: " . $cfError->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3361. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:1165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CLOUDFLARE ERROR: " . $errorMsg);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3362. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:1176 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$errorMsg = $record['name'] . ": " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3363. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:1177 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("EXCEPTION creating DKIM record: " . $errorMsg);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3364. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:1231 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$results[] = "⚠ DNS records created but validation failed: " . $validateError->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3365. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:1477 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Configure DNS Error: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3366. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:973 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$warnings[] = "SendGrid error: " . $sgError->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


3367. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:988 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$warnings[] = "Error retrieving DKIM records: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


3368. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:1148 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Check for existing records: " . $checkError->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3369. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:1164 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$errorMsg = "Cloudflare API error for {$record['name']}: " . $cfError->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


3370. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:1165 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("CLOUDFLARE ERROR: " . $errorMsg);

Recommendation: Use $wpdb->prepare() with placeholders


3371. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:1176 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$errorMsg = $record['name'] . ": " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


3372. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:1177 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("EXCEPTION creating DKIM record: " . $errorMsg);

Recommendation: Use $wpdb->prepare() with placeholders


3373. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:1231 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$results[] = "⚠ DNS records created but validation failed: " . $validateError->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


3374. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/configure-dns.php:1477 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("Configure DNS Error: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3375. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/EmailConfig.php:114 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$results[] = "Error: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3376. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/EmailConfig.php:114 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$results[] = "Error: " . $e->getMessage();

Recommendation: Use $wpdb->prepare() with placeholders


3377. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/SendGridAPI.php:424 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Cannot retrieve DKIM records: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3378. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/SendGridAPI.php:424 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

throw new Exception("Cannot retrieve DKIM records: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3379. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressConfigurator.php:358 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

file_put_contents($htaccess, $rules . "\n" . $content);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3380. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressConfigurator.php:389 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

file_put_contents($functionsPhp, $content . "\n" . $code);

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3381. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressConfigurator.php:358 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

file_put_contents($htaccess, $rules . "\n" . $content);

Recommendation: Use $wpdb->prepare() with placeholders


3382. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressConfigurator.php:389 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

file_put_contents($functionsPhp, $content . "\n" . $code);

Recommendation: Use $wpdb->prepare() with placeholders


3383. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:164 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to check WordPress for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3384. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:294 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to scan for WordPress sites: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3385. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:428 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get overview data for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3386. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:500 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get config data for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3387. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:579 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get users list for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3388. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:774 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$method = "get_test_" . $test_id;

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3389. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:837 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get site health for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3390. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:1174 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get updates for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3391. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:1263 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get plugins for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3392. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:1661 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get security data for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3393. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:1854 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get performance data for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3394. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:2040 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get themes for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3395. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:2304 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get settings for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3396. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:2517 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get backup data for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders instead of string concatenation


3397. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:164 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to check WordPress for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3398. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:294 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to scan for WordPress sites: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3399. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:428 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get overview data for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3400. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:500 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get config data for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3401. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:579 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get users list for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3402. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:774 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

$method = "get_test_" . $test_id;

Recommendation: Use $wpdb->prepare() with placeholders


3403. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:837 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get site health for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3404. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:1174 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get updates for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3405. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:1263 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get plugins for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3406. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:1661 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get security data for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3407. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:1854 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get performance data for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3408. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:2040 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get themes for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3409. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:2304 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get settings for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


3410. Possible SQL injection via string concatenation

File: /opt/claude-workspace/projects/hestia-automation/includes/WordPressValidator.php:2517 CWE: CWE-89 Confidence: HIGH

Description: Possible SQL injection via string concatenation

Code:

error_log("WordPressValidator: Failed to get backup data for {$domain}: " . $e->getMessage());

Recommendation: Use $wpdb->prepare() with placeholders


Projects Summary

| Project | Files | Issues | CRITICAL | HIGH | MEDIUM | LOW |
|---|---|---|---|---|---|---|
| archive | 537 | 560 | 525 | 0 | 35 | 0 |
| cxq-membership | 468 | 274 | 255 | 7 | 12 | 0 |
| mailpoet | 3569 | 261 | 242 | 0 | 19 | 0 |
| cxq-membership.backup-20260115 | 190 | 258 | 252 | 2 | 4 | 0 |
| cxq-scheduler | 217 | 243 | 231 | 2 | 10 | 0 |
| woocommerce | 2996 | 231 | 172 | 8 | 51 | 0 |
| jetpack | 1351 | 204 | 133 | 17 | 54 | 0 |
| gravityforms | 331 | 198 | 176 | 7 | 15 | 0 |
| wordfence | 383 | 196 | 180 | 0 | 16 | 0 |
| motopress-hotel-booking | 1035 | 125 | 102 | 5 | 18 | 0 |
| worker | 316 | 111 | 77 | 0 | 34 | 0 |
| cxq-signage | 50 | 94 | 90 | 0 | 4 | 0 |
| cxq-site-manager-host | 254 | 81 | 67 | 4 | 10 | 0 |
| hestia-automation | 37 | 79 | 66 | 6 | 7 | 0 |
| cxq-site-manager-client | 97 | 77 | 74 | 0 | 3 | 0 |
| cxq-facebot | 292 | 76 | 57 | 4 | 15 | 0 |
| the-events-calendar | 1959 | 68 | 21 | 0 | 47 | 0 |
| woocommerce-product-vendors | 363 | 66 | 66 | 0 | 0 | 0 |
| pta-volunteer-sign-up-sheets | 35 | 61 | 60 | 0 | 1 | 0 |
| wpforms | 1161 | 58 | 29 | 12 | 17 | 0 |
| all-in-one-seo-pack-pro | 532 | 57 | 25 | 0 | 32 | 0 |
| wpforms-lite | 3541 | 50 | 28 | 4 | 18 | 0 |
| cxq-email-relay | 226 | 49 | 39 | 4 | 6 | 0 |
| cxq-autocomplete-awsc-form | 82 | 48 | 48 | 0 | 0 | 0 |
| cxq-event-calendar | 255 | 44 | 34 | 4 | 6 | 0 |
| cxq-cashdrawer | 54 | 41 | 38 | 0 | 3 | 0 |
| cxq-woocommerce-sales-listx | 3 | 40 | 40 | 0 | 0 | 0 |
| cxq-license-manager | 9 | 39 | 36 | 0 | 3 | 0 |
| wp-mail-smtp | 436 | 35 | 34 | 0 | 1 | 0 |
| cxq-antispam-host | 23 | 33 | 30 | 0 | 3 | 0 |
| cxq-dev-tools | 3 | 28 | 28 | 0 | 0 | 0 |
| cxq-firewall | 222 | 26 | 12 | 4 | 10 | 0 |
| cxq-updater-host | 18 | 25 | 15 | 0 | 10 | 0 |
| google-analytics-for-wordpress | 213 | 24 | 17 | 2 | 5 | 0 |
| cxq-antispam | 251 | 23 | 11 | 4 | 8 | 0 |
| cxq-google-hours | 231 | 22 | 10 | 4 | 8 | 0 |
| woocommerce-product-addons | 87 | 21 | 6 | 3 | 12 | 0 |
| cxq-board-docs | 224 | 18 | 8 | 4 | 6 | 0 |
| akismet | 22 | 11 | 11 | 0 | 0 | 0 |
| cxq-woocommerce-sales-list | 8 | 11 | 10 | 0 | 1 | 0 |
| ecoeye-alert-relay | 7 | 10 | 9 | 0 | 1 | 0 |
| woocommerce-gateway-stripe | 143 | 8 | 6 | 0 | 2 | 0 |
| woocommerce-payments | 410 | 8 | 0 | 0 | 8 | 0 |
| antispam-bee | 3 | 8 | 1 | 0 | 7 | 0 |
| all-in-one-wp-migration | 142 | 7 | 1 | 4 | 2 | 0 |
| query-monitor | 141 | 6 | 4 | 0 | 2 | 0 |
| woocommerce-checkout-manager | 106 | 5 | 0 | 3 | 2 | 0 |
| mphb-request-payment | 42 | 5 | 2 | 0 | 3 | 0 |
| cxq-doc-builder | 16 | 5 | 4 | 0 | 1 | 0 |
| distributor | 46 | 5 | 0 | 0 | 5 | 0 |
| woocommerce-ajax-layered-nav | 6 | 4 | 4 | 0 | 0 | 0 |
| mphb-notifier | 41 | 4 | 0 | 0 | 4 | 0 |
| cyber-guardian | 2 | 4 | 4 | 0 | 0 | 0 |
| ecoeye-alert-relay-old | 3 | 4 | 4 | 0 | 0 | 0 |
| cxq-libs | 89 | 4 | 0 | 2 | 2 | 0 |
| gravityformsuserregistration | 12 | 3 | 3 | 0 | 0 | 0 |
| cxq-woocommerce-places | 19 | 3 | 3 | 0 | 0 | 0 |
| cxq-cloudflare-manager | 2 | 2 | 2 | 0 | 0 | 0 |
| debug-bar | 10 | 2 | 0 | 0 | 2 | 0 |
| cxq-enhance-wpforms | 9 | 2 | 2 | 0 | 0 | 0 |
| cxq-documents | 5 | 2 | 2 | 0 | 0 | 0 |
| cxq-woocommerce-product-map | 4 | 2 | 2 | 0 | 0 | 0 |
| all-in-one-wp-migration-unlimited-extension | 15 | 1 | 1 | 0 | 0 | 0 |
| cxq-spec-auditor | 6 | 1 | 1 | 0 | 0 | 0 |

Issues by Category

SQL INJECTION (3367 issues)

CRITICAL: 3367, HIGH: 0

WEAK CRYPTO (545 issues)

CRITICAL: 0, HIGH: 0

FILE UPLOAD (126 issues)

CRITICAL: 10, HIGH: 116

CREDENTIALS (33 issues)

CRITICAL: 33, HIGH: 0