diff --git a/inc/objects/class-limitations.php b/inc/objects/class-limitations.php
index f06a17517..fdd64e000 100644
--- a/inc/objects/class-limitations.php
+++ b/inc/objects/class-limitations.php
@@ -478,6 +478,18 @@ public static function remove_limitations($slug, $id): void {
 global $wpdb;
+ /*
+ * $slug is used to build the meta table and column names below, so it
+ * must never be taken from request input verbatim. Validate it against
+ * a fixed allow-list of the models that actually carry limitations to
+ * prevent SQL injection through the identifier.
+ */
+ $allowed_models = ['membership', 'product', 'customer', 'site'];
+
+ if ( ! in_array($slug, $allowed_models, true)) {
+ return;
+ }
+
 $wu_prefix = 'wu_';
 /*
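Review bot: The rejected-slug branch at `if ( ! in_array($slug, $allowed_models, true)) { return; }` fails silently, so a caller passing a mistyped or newly added model slug leaves its limitation rows in place with no signal that nothing happened, which hides both ordinary bugs and unexpected input reaching this code. Consider failing loudly instead, e.g. `_doing_it_wrong(__METHOD__, "Unsupported model slug: {$slug}", '<plugin-version placeholder>');` before the `return`, or throwing `\InvalidArgumentException` if callers can tolerate it. The allow-list would also be better as a class constant so every method in this class that builds `$wu_prefix`-based table or column names from a slug shares one list, and the untyped `$slug` parameter could be declared `string $slug` so strict `in_array` cannot be bypassed by a non-string value. If `$id` is interpolated into the same query below, it still needs `$wpdb->prepare()` or an `(int)` cast, but the rest of remove_limitations is outside this hunk so that cannot be confirmed here.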