From 917f5d480cc9cfb2c9ea0c39859daab80736f245 Mon Sep 17 00:00:00 2001
From: rajeshcpr <45383780+rajeshcpr@users.noreply.github.com>
Date: Fri, 10 Apr 2026 00:58:36 +0530
Subject: [PATCH 1/2] _pad_term_counts() uses string-concatenated SQL without prepared statement
$object_types values are not individually escaped via $wpdb->prepare(). They use esc_sql() only at the get_taxonomy() call, but imploded directly into the query string. The array keys are integer IDs but are not cast. This should use prepare() with placeholders.
---
 src/wp-includes/taxonomy.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/wp-includes/taxonomy.php b/src/wp-includes/taxonomy.php
index 80f457de0e6f7..1d5e2be80dbea 100644
--- a/src/wp-includes/taxonomy.php
+++ b/src/wp-includes/taxonomy.php
@@ -4066,8 +4066,13 @@ function _pad_term_counts( &$terms, $taxonomy ) {
 // Get the object and term IDs and stick them in a lookup table.
 $tax_obj = get_taxonomy( $taxonomy );
 $object_types = esc_sql( $tax_obj->object_type );
- $results = $wpdb->get_results( "SELECT object_id, term_taxonomy_id FROM $wpdb->term_relationships INNER JOIN $wpdb->posts ON object_id = ID WHERE term_taxonomy_id IN (" . implode( ',', array_keys( $term_ids ) ) . ") AND post_type IN ('" . implode( "', '", $object_types ) . "') AND post_status = 'publish'" );
-
+ $results = $wpdb->get_results(
+ $wpdb->prepare(
+ "SELECT object_id, term_taxonomy_id FROM $wpdb->term_relationships INNER JOIN $wpdb->posts ON object_id = ID WHERE term_taxonomy_id IN (" . implode( ',', array_fill( 0, count( $term_ids ), '%d' ) ) . ') AND post_type IN (' . implode( ',', array_fill( 0, count( $object_types ), '%s' ) ) . ") AND post_status = 'publish'",
+ array_merge( array_keys( $term_ids ), $object_types )
+ )
+ );
+
 foreach ( $results as $row ) {
 $id = $term_ids[ $row->term_taxonomy_id ];
From 7b4a4fefd7248b10818cb234089efa8770b05e90 Mon Sep 17 00:00:00 2001
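Review bot: The added `$wpdb->prepare(` call still receives `$object_types` from the unchanged context line `$object_types = esc_sql( $tax_obj->object_type );`, so each post type is now escaped twice — once by esc_sql() and again by the `%s` placeholder — and a post type name containing a quote or backslash would no longer match its `post_type` row; whether any registered post type can actually contain such characters is not visible here, but the double escaping is a latent correctness bug either way. Since prepare() now does the quoting, that context line should drop esc_sql(): `$object_types = $tax_obj->object_type;`. The `%d` placeholders do cast the term_taxonomy_id keys as the description intends, but an empty `$term_ids` or `$object_types` still yields `IN ()` and a query error exactly as before the patch; if that is reachable, an early return before the query is the cleaner guard. `_pad_term_counts()` begins and ends outside this hunk, so I could not check whether such a guard already exists.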
From: rajeshcpr <45383780+rajeshcpr@users.noreply.github.com>
Date: Fri, 10 Apr 2026 01:18:12 +0530
Subject: [PATCH 2/2] _pad_term_counts() uses string-concatenated SQL without prepared statement
$object_types values are not individually escaped via $wpdb->prepare(). They use esc_sql() only at the get_taxonomy() call, but imploded directly into the query string. The array keys are integer IDs but are not cast. This should use prepare() with placeholders.
---
 src/wp-includes/taxonomy.php | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/wp-includes/taxonomy.php b/src/wp-includes/taxonomy.php
index 1d5e2be80dbea..a231adca36b31 100644
--- a/src/wp-includes/taxonomy.php
+++ b/src/wp-includes/taxonomy.php
@@ -4072,7 +4072,6 @@ function _pad_term_counts( &$terms, $taxonomy ) {
 array_merge( array_keys( $term_ids ), $object_types )
 )
 );
-
 foreach ( $results as $row ) {
 $id = $term_ids[ $row->term_taxonomy_id ];