WordPress SQL Injection Protection
This is the WordPress way to retrieve results from the database:
$posts = $wpdb->get_results($sql);
WordPress has a lot of filters that process $sql. But none of those filters will ever protect code like this:
$sql = "SELECT * FROM $table_posts WHERE thread_id = $_GET[thread] ORDER BY `date` DESC ";
Oh, my god. The request parameter goes into the query string unchanged, so this will cause SQL injection. Do not write code this way.
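The same query written safely, as an added example that is not part of the original post. It assumes the code runs inside WordPress (a plugin or theme), where the global $wpdb is available; the function name and the table name are hypothetical.

```php
<?php
// Added example. Assumes a WordPress context (global $wpdb is loaded).
// example_get_thread_posts() and the 'forum_posts' table are hypothetical.

function example_get_thread_posts() {
    global $wpdb;

    // Only the trusted, site-configured prefix is interpolated into the SQL.
    $table_posts = $wpdb->prefix . 'forum_posts';

    // Validate before querying: accept digits only, reject arrays
    // (?thread[]=1) and anything like "1 OR 1=1" instead of coercing it.
    $raw = isset( $_GET['thread'] ) ? wp_unslash( $_GET['thread'] ) : '';
    if ( ! is_string( $raw ) || ! ctype_digit( $raw ) ) {
        return array();
    }
    $thread_id = (int) $raw;

    // %d is a placeholder: prepare() formats the value as an integer,
    // so request data never becomes part of the SQL text.
    $sql = $wpdb->prepare(
        "SELECT * FROM $table_posts WHERE thread_id = %d ORDER BY `date` DESC",
        $thread_id
    );

    return $wpdb->get_results( $sql );
}
```

For string values use the %s placeholder in the same way; prepare() adds the quoting itself, so the placeholder is not wrapped in quotes in the query.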
Check for vulnerable code:
grep -r '$_GET' . | grep id