WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Interpolated SQL is not prepared

Variables are interpolated into a SQL string before the query is prepared.

critical weight

Why It Shows Up

The scan found dynamic values placed directly inside SQL, often through string interpolation, before `$wpdb->prepare()` can safely bind them.

Why It Matters

Calling `$wpdb->prepare()` on a query string that already contains the interpolated value cannot protect that value: only the arguments passed separately to `prepare()` are escaped and bound, so anything interpolated beforehand reaches the database exactly as supplied.

How to Fix

  • Replace interpolated variables with placeholders.
  • Pass each dynamic value as a separate `$wpdb->prepare()` argument.
  • Use allowlists for SQL identifiers (table and column names) and sort directions, which cannot be passed as placeholder values.
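As an added example (not code from the scanner or from any plugin listed below), the before/after pair the fix list describes, assuming a global `$wpdb` instance and hypothetical `example_get_items_unsafe()` / `example_get_items()` functions:

```php
<?php
// Added example, not taken from the scanner or any listed plugin. Assumes the
// global $wpdb object; the function names are hypothetical.

// BEFORE: the sniff flags this. $status, $orderby and $order are interpolated
// into the SQL string before prepare() runs, so prepare() has nothing to bind
// for them; only the LIMIT value is actually a bound placeholder.
function example_get_items_unsafe( $status, $orderby, $order ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_status = '{$status}' ORDER BY {$orderby} {$order} LIMIT %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, 20 ) );
}

// AFTER: every value travels as a prepare() argument bound to a placeholder.
// The column name and sort direction cannot be bound as values, so they are
// reduced to allowlisted literals before they touch the query string.
function example_get_items( $status, $orderby, $order ) {
    global $wpdb;

    // Identifier allowlist: anything not listed falls back to a safe default.
    $allowed_columns = array( 'post_date', 'post_title', 'ID' );
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'post_date';
    }

    // Direction allowlist: only the two literals SQL accepts.
    $order = ( 'ASC' === strtoupper( (string) $order ) ) ? 'ASC' : 'DESC';

    // $wpdb->posts is the core-provided table name; $orderby and $order are
    // now fixed literals from the allowlists above. The untrusted value,
    // $status, is passed to prepare() as a %s argument, as is the limit.
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_status = %s ORDER BY {$orderby} {$order} LIMIT %d";

    return $wpdb->get_results( $wpdb->prepare( $sql, $status, 20 ) );
}
```

The sniff cannot see the allowlist checks, so it may still report the interpolated `{$orderby}` and `{$order}`; on WordPress 6.2 and later the `%i` identifier placeholder can bind the column name instead, leaving only the direction as an allowlisted literal.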

Affected Plugins

Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue
#701Terms & Conditions Per Product275331,336800Non-prefixed global variable
#702Ultimate Watermark – Image Watermark, Image Protection & Bulk Watermarking271643031k+Nonce verification recommended
#703Watu Quiz271,0891,0143k+Output is not escaped
#704Wiremo – Product Reviews for WooCommerce27445212700Output is not escaped
#705Mihdan: Ajax Edit Comments271,300523500Text Domain Mismatch
#706Content Pilot – Autoblogging & Affiliate Marketing Suite27299269900Output is not escaped
#707WP-DBManager2738630460k+Non-prefixed global variable
#708WP Hide & Security Enhancer2712437550k+Input is not sanitized
#709YARPP – Yet Another Related Posts Plugin27191331100k+Non-prefixed global variable
#710Zibal Payment Gateway for Gravity Forms27828248400Text Domain Mismatch
#711Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms28632351800Text Domain Mismatch
#712Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms286493579k+Text Domain Mismatch
#713WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms28659359400Text Domain Mismatch
#714Code Engine – PHP Snippets, AI Functions & Automation for WordPress28124101700Non Singular String Literal Domain
#715Maspik – Ultimate Spam Protection2821286230k+Missing nonce verification
#716Database Cleaner2813729710k+Direct Query
#717Discount Rules and Dynamic Pricing for WooCommerce2818233410k+Output is not escaped
#718Educare – Students & Result Management System281,1141,043800Missing nonce verification
#719Event Tickets Manager for WooCommerce281816481k+Non-prefixed global variable
#720FAPI Member28279153500Exception output is not escaped
#721Fluent Support – Helpdesk & Customer Support Ticket System285027110k+Direct Query
#722گیت‌لند | درگاه پرداخت هوشمند گیت‌لند283272352k+Output is not escaped
#723Geo Mashup287752321k+Text Domain Mismatch
#724GS Books Showcase – Display Books in Grid, Slider & More | Library for WordPress2855437500Non-prefixed global variable
#725Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms286413481k+Text Domain Mismatch
#726Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms286263511k+Text Domain Mismatch
#727Maven Algolia28148896k+Non Singular String Literal Domain
#728Media Hygiene: Remove or Delete Unused Images and More!286543095k+Non Singular String Literal Domain
#729My auctions allegro28483235500Non Singular String Literal Domain
#730My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu)28164441100k+Non-prefixed global variable
#731Order Tracking – WordPress Status Tracking Plugin286197723k+Unsafe printing function
#732PDF for Contact Form 7 + Drag and Drop Template Builder28674101500wp function not compatible with requires wp
#733ووکامرس فارسی2815721590k+Output is not escaped
#734Podcast Importer SecondLine283561694k+Text Domain Mismatch
#735Query Wrangler28628229700Output is not escaped
#736ReDi Restaurant Reservation – Instant Availability & Confirmation281,013239800Unsafe printing function
#737Redis Object Cache28151103400k+Exception output is not escaped
#738Secure Downloads28616406600Output is not escaped
#739Praison AI SEO286493061k+Text Domain Mismatch
#740Transliterator – Multilingual and Multi-script Text Conversion283053203k+Output is not escaped
#741Slider Pro285835274k+Unsafe printing function
#742SureMembers – Membership & Content Restriction Plugin28364248900Text Domain Mismatch
#743Tab – Accordion, FAQ281045421k+Non-prefixed global variable
#744Jetpack VaultPress287136210k+Missing nonce verification
#745VG WORT METIS28150317900Nonce verification recommended
#746WP Booking System – Booking Calendar2850254920k+Output is not escaped
#747WhyDonate – FREE Donate button – Crowdfunding – Fundraising28216328800Non-prefixed global variable
#748WPS Bidouille2847221510k+Output is not escaped
#749WP Synchro – The Ultimate WordPress Migration Tool282432442k+Missing Translators Comment
#750WxSync-标准云微信公众号文章免费采集-任意公众号自动采集付费购买2857138500Request data is not unslashed