_pad_term_counts() uses string-concatenated SQL without prepared statement

rajeshcpr · web-flow · commit 7b4a4fefd724 · 2026-04-10T01:18:12.000+05:30
$object_types values are not individually escaped via $wpdb-&gt;prepare(). They use esc_sql() only at the
  get_taxonomy() call, but imploded directly into the query string. The array keys are integer IDs but are not cast.
  This should use prepare() with placeholders.
diff --git a/src/wp-includes/taxonomy.php b/src/wp-includes/taxonomy.php
@@ -4072,7 +4072,6 @@ function _pad_term_counts( &$terms, $taxonomy ) {
 			array_merge( array_keys( $term_ids ), $object_types )
 		)
 	);
-	
 	foreach ( $results as $row ) {
 		$id = $term_ids[ $row->term_taxonomy_id ];
 

Original file line number	Diff line number	Diff line change
`@@ -4072,7 +4072,6 @@ function _pad_term_counts( &$terms, $taxonomy ) {`
`4072`	`4072`	`array_merge( array_keys( $term_ids ), $object_types )`
`4073`	`4073`	`)`
`4074`	`4074`	`);`
`4075`		`-`
`4076`	`4075`	`foreach ( $results as $row ) {`
`4077`	`4076`	`$id = $term_ids[ $row->term_taxonomy_id ];`
`4078`	`4077`