WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Interpolated SQL is not prepared

Variables are interpolated into a SQL string before the query is prepared.

critical weight

Why It Shows Up

The scan found dynamic values placed directly inside SQL, often through string interpolation, before `$wpdb->prepare()` can safely bind them.

Why It Matters

Preparing a query after unsafe interpolation does not reliably protect the dynamic value.

How to Fix

Replace interpolated variables with placeholders.
Pass each dynamic value as a separate `$wpdb->prepare()` argument.
Use allowlists for SQL identifiers and directions that cannot be represented as normal values.

References

WordPress database access

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Updated	Top Issue
#651	annasta Filters for WooCommerce	32	1,073	441	2k+	15 days ago	Text Domain Mismatch
#652	Author Avatars List/Block	32	85	135	4k+	1 month ago	Non-prefixed hook name
#653	Auto YouTube Importer	32	338	173	1k+	6 months ago	Text Domain Mismatch
#654	Blog2Social: Social Media Auto Post & Scheduler	32	7	955	50k+	21 days ago	Direct Query
#655	BuddyPress for LearnDash	32	190	284	1k+	6 years ago	Output is not escaped
#656	Addi – Cuotas que se adaptan a ti	32	106	210	2k+	1 year ago	Direct Query
#657	Fable Extra	32	79	282	4k+	14 days ago	Non-prefixed global variable
#658	Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages	32	53	773	9k+	26 days ago	Nonce verification recommended
#659	Insights from Google PageSpeed	32	414	475	20k+	2 years ago	Text Domain Mismatch
#660	Gwolle Guestbook	32	268	528	20k+	3 days ago	Output is not escaped
#661	HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce	32	396	142	20k+	today	Output is not escaped
#662	ThumbPress – Compress Images, Manage Thumbnails, Detect Image Issues, WebP/AVIF, Lazy Loading, Hotlinking & More	32	101	308	30k+	today	Non-prefixed global variable
#663	MapPress Maps for WordPress	32	694	133	30k+	12 days ago	Missing Arg Domain
#664	DEPRECATED – Shipmondo – A complete shipping solution for WooCommerce	32	166	119	5k+	5 months ago	Output is not escaped
#665	گرویتی فرم فارسی	32	190	174	20k+	7 months ago	Text Domain Mismatch
#666	TS Poll – Survey, Versus Poll, Image Poll, Video Poll	32	570	171	4k+	2 months ago	Text Domain Mismatch
#667	Volunteer Sign Up Sheets	32	967	401	1k+	10 months ago	Output is not escaped
#668	Quick Featured Images	32	436	323	50k+	2 months ago	Non-prefixed global variable
#669	Restrict Usernames Emails Characters	32	327	367	1k+	20 days ago	Output is not escaped
#670	WowRevenue – Product Bundles & Bulk Discounts	32	19	2,027	1k+	5 days ago	Non-prefixed global variable
#671	Revolut Gateway for WooCommerce	32	85	157	6k+	22 days ago	Input is not sanitized
#672	Simple Ajax Chat – Add a Fast, Secure Chat Box	32	108	266	2k+	2 months ago	Output is not escaped
#673	Stock Sync for WooCommerce	32	362	232	1k+	5 months ago	Text Domain Mismatch
#674	Thrive Automator	32	84	84	10k+	1 year ago	SQL query is not prepared
#675	Ultimate Store Kit – Addon For WooCommerce, EDD and Elementor	32	57	293	4k+	1 month ago	Post Not In exclude
#676	WebwinkelKeur: Webshop keurmerk & reviews for WordPress	32	200	47	4k+	10 months ago	Short PHP open tag found
#677	BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net	32	5	933	40k+	18 days ago	Non-prefixed global variable
#678	wp-jalali	32	219	66	10k+	9 years ago	Text Domain Mismatch
#679	SEOPress – AI SEO Plugin & On-site SEO	32	138	429	300k+	yesterday	Non-prefixed global variable
#680	WP-Stats	32	237	126	2k+	3 years ago	Output is not escaped
#681	Privacy Policy Generator – WPLP Legal Pages	32	26	409	10k+	yesterday	Non-prefixed global variable
#682	Advanced Forms for ACF	33	169	278	3k+	1 month ago	Non-prefixed hook name
#683	Auto Listings – Car Listings & Car Dealership Plugin for WordPress	33	80	321	2k+	4 months ago	Non-prefixed global variable
#684	Chartify – WordPress Chart Plugin	33	76	411	3k+	27 days ago	Non-prefixed global variable
#685	ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form	33	57	204	1k+	11 days ago	Non-prefixed global variable
#686	Companion Auto Update	33	159	298	50k+	3 months ago	Direct Query
#687	Companion Sitemap Generator – Simple, Smart, and SEO-Ready	33	118	57	7k+	2 months ago	Missing Translators Comment
#688	EchBay Phonering Alo	33	74	47	1k+	7 months ago	Output is not escaped
#689	Flipbox – Awesomes Flip Boxes Image Overlay	33	400	7,279	10k+	3 days ago	Input is not validated
#690	ImageLinks – Interactive Image Builder with Hotspots	33	517	90	1k+	2 days ago	Text Domain Mismatch
#691	ITRO Popup Plugin	33	591	135	6k+	3 years ago	Output is not escaped
#692	Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid	33	274	106	3k+	12 days ago	Text Domain Mismatch
#693	Forms for Mailchimp by Optin Cat – Grow Your MailChimp List	33	71	133	2k+	2 months ago	Missing direct file access protection
#694	MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics	33	26	279	7k+	2 months ago	Non-prefixed global variable
#695	MAS Companies For WP Job Manager	33	62	308	1k+	4 months ago	Non-prefixed hook name
#696	News Announcement Scroll	33	237	259	2k+	3 years ago	Non-prefixed global variable
#697	Frisbii Pay	33	91	292	1k+	11 days ago	Non-prefixed global variable
#698	Schema & Structured Data for WP & AMP	33	63	246	100k+	7 days ago	Non-prefixed global variable
#699	SMTP2GO for WordPress – Email Made Easy	33	186	111	30k+	29 days ago	Output is not escaped
#700	Social Rocket – Social Sharing Plugin	33	1,016	255	1k+	4 months ago	Unsafe printing function