jharries (@jharries)


    Good morning. I believe I may have found a bug in Advanced Post Types Order (APTO) version 5.8.4 on a WordPress site running MariaDB.

    I am intermittently seeing WordPress database errors where APTO generates invalid SQL, specifically a comparison against a malformed term ID. The relevant fragment of the failing query looks like this:

    AND (pm3.meta_key = '_term_id' AND CAST(pm3.meta_value AS CHAR) = ''') AND (pm4.meta_key = '_view_language' AND CAST(pm4.meta_value AS CHAR) = 'en') LIMIT 1

    The ''' value is syntactically invalid SQL, which causes MariaDB to error.

    I have verified that all stored apto_sort child view meta for this configuration contain only numeric _term_id values, so this does not appear to be caused by corrupted database data.

    The errors correlate exactly with malformed requests to category archive URLs, likely from bots or probes, where the request path contains JavaScript-like text and ends with a single quote, for example (simplified):

    /category/.../this.options[this.selectedIndex].value;'

    It appears that under this edge case, the term ID derived from the request/context is not being forced to a safe numeric value (e.g. via absint()), and/or the SQL is not being constructed using fully parameterized $wpdb->prepare() placeholders for the term ID.

    I am not suggesting SQL injection here, only that malformed input can cause APTO to generate invalid SQL and trigger wpdb errors. But that does need fixing.
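One way to build that query fragment so the term ID can never reach the SQL as a stray quote character, added here as an example and not taken from APTO's own code. The function name and its parameters are hypothetical; it assumes it runs inside WordPress, where absint(), sanitize_text_field() and the global $wpdb are available.

```php
<?php
/**
 * Build the _term_id / _view_language meta filter with the term ID forced
 * to an integer and every literal bound through $wpdb->prepare().
 * Hypothetical helper, not the plugin's real function.
 */
function apto_example_term_filter_sql( $raw_term_id, $view_language ) {
    global $wpdb;

    // absint() turns any non-numeric input, such as the trailing "';" seen
    // in the malformed archive URLs, into 0 instead of a quote character.
    $term_id = absint( $raw_term_id );
    if ( 0 === $term_id ) {
        // No usable term in the request: emit no filter at all rather than
        // a comparison against an empty or malformed literal.
        return '';
    }

    $language = sanitize_text_field( $view_language );

    // %s binds both values as properly escaped, quoted strings, keeping the
    // CAST(... AS CHAR) = '<value>' shape of the original query.
    return $wpdb->prepare(
        " AND (pm3.meta_key = '_term_id' AND CAST(pm3.meta_value AS CHAR) = %s)"
        . " AND (pm4.meta_key = '_view_language' AND CAST(pm4.meta_value AS CHAR) = %s)",
        (string) $term_id,
        $language
    );
}
```

Returning an empty string for an invalid term ID means the caller gets a syntactically valid query either way, so the wpdb errors described above cannot be triggered by request input.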
