WordPress.DB.PreparedSQL.InterpolatedNotPrepared
Interpolated SQL is not prepared
Variables are interpolated into a SQL string before the query is prepared.
Why It Shows Up
The scan found dynamic values placed directly inside SQL, often through string interpolation, before `$wpdb->prepare()` can safely bind them.
Why It Matters
Calling `$wpdb->prepare()` on a string that already contains an interpolated variable does not protect that value: the placeholders are bound, but the interpolated text is already part of the SQL and is sent to the database as written.
How to Fix
- Replace interpolated variables with placeholders.
- Pass each dynamic value as a separate `$wpdb->prepare()` argument.
- Use allowlists for SQL identifiers (table and column names) and `ORDER BY` directions, which cannot be represented as placeholder values.
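As an added example (not from the original page), the flagged pattern beside its prepared form, assuming a hypothetical `{$wpdb->prefix}orders` table with `status`, `created_at` and `total` columns:

```php
<?php
// Added example, not from the original page. Assumes a hypothetical
// {$wpdb->prefix}orders table with status, created_at and total columns.

// FLAGGED: $status is interpolated into the SQL before prepare() runs, so
// prepare() binds only %d; the status value reaches the database verbatim
// and a quote character in it changes the query.
function example_orders_flagged( $status, $limit ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}orders WHERE status = '$status' LIMIT %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, $limit ) );
}

// FIXED: each dynamic value is a placeholder bound by prepare(). Only
// $wpdb->prefix is interpolated, which the sniff accepts as trusted config.
function example_orders_fixed( $status, $limit ) {
    global $wpdb;
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}orders WHERE status = %s LIMIT %d",
            $status,
            (int) $limit
        )
    );
}

// Column names and ASC/DESC cannot be bound with %s (they would be quoted
// as string literals), so they are reduced to an allowlist before use.
function example_orders_sorted( $status, $orderby, $order ) {
    global $wpdb;
    $columns = array( 'created_at', 'total', 'status' );
    $orderby = in_array( $orderby, $columns, true ) ? $orderby : 'created_at';
    $order   = ( 'ASC' === strtoupper( (string) $order ) ) ? 'ASC' : 'DESC';
    // $orderby and $order now hold only allowlisted literals; the suppression
    // records that for reviewers. (WordPress 6.2+ also offers the %i
    // identifier placeholder for column names.)
    // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
    $sql = "SELECT * FROM {$wpdb->prefix}orders WHERE status = %s ORDER BY {$orderby} {$order}";
    return $wpdb->get_results( $wpdb->prepare( $sql, $status ) );
}
```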
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #701 | Terms & Conditions Per Product | 27 | 533 | 1,336 | 800 | | | Non-prefixed global variable |
| #702 | Ultimate Watermark – Image Watermark, Image Protection & Bulk Watermarking | 27 | 164 | 303 | 1k+ | | | Nonce verification recommended |
| #703 | Watu Quiz | 27 | 1,089 | 1,014 | 3k+ | | | Output is not escaped |
| #704 | Wiremo – Product Reviews for WooCommerce | 27 | 445 | 212 | 700 | | | Output is not escaped |
| #705 | Mihdan: Ajax Edit Comments | 27 | 1,300 | 523 | 500 | | | Text Domain Mismatch |
| #706 | Content Pilot – Autoblogging & Affiliate Marketing Suite | 27 | 299 | 269 | 900 | | | Output is not escaped |
| #707 | WP-DBManager | 27 | 386 | 304 | 60k+ | | | Non-prefixed global variable |
| #708 | WP Hide & Security Enhancer | 27 | 124 | 375 | 50k+ | | | Input is not sanitized |
| #709 | YARPP – Yet Another Related Posts Plugin | 27 | 191 | 331 | 100k+ | | | Non-prefixed global variable |
| #710 | Zibal Payment Gateway for Gravity Forms | 27 | 828 | 248 | 400 | | | Text Domain Mismatch |
| #711 | Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms | 28 | 632 | 351 | 800 | | | Text Domain Mismatch |
| #712 | Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms | 28 | 649 | 357 | 9k+ | | | Text Domain Mismatch |
| #713 | WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | 28 | 659 | 359 | 400 | | | Text Domain Mismatch |
| #714 | Code Engine – PHP Snippets, AI Functions & Automation for WordPress | 28 | 124 | 101 | 700 | | | Non Singular String Literal Domain |
| #715 | Maspik – Ultimate Spam Protection | 28 | 212 | 862 | 30k+ | | | Missing nonce verification |
| #716 | Database Cleaner | 28 | 137 | 297 | 10k+ | | | Direct Query |
| #717 | Discount Rules and Dynamic Pricing for WooCommerce | 28 | 182 | 334 | 10k+ | | | Output is not escaped |
| #718 | Educare – Students & Result Management System | 28 | 1,114 | 1,043 | 800 | | | Missing nonce verification |
| #719 | Event Tickets Manager for WooCommerce | 28 | 181 | 648 | 1k+ | | | Non-prefixed global variable |
| #720 | FAPI Member | 28 | 279 | 153 | 500 | | | Exception output is not escaped |
| #721 | Fluent Support – Helpdesk & Customer Support Ticket System | 28 | 50 | 271 | 10k+ | | | Direct Query |
| #722 | گیتلند \| درگاه پرداخت هوشمند گیتلند | 28 | 327 | 235 | 2k+ | | | Output is not escaped |
| #723 | Geo Mashup | 28 | 775 | 232 | 1k+ | | | Text Domain Mismatch |
| #724 | GS Books Showcase – Display Books in Grid, Slider & More \| Library for WordPress | 28 | 55 | 437 | 500 | | | Non-prefixed global variable |
| #725 | Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms | 28 | 641 | 348 | 1k+ | | | Text Domain Mismatch |
| #726 | Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms | 28 | 626 | 351 | 1k+ | | | Text Domain Mismatch |
| #727 | Maven Algolia | 28 | 148 | 89 | 6k+ | | | Non Singular String Literal Domain |
| #728 | Media Hygiene: Remove or Delete Unused Images and More! | 28 | 654 | 309 | 5k+ | | | Non Singular String Literal Domain |
| #729 | My auctions allegro | 28 | 483 | 235 | 500 | | | Non Singular String Literal Domain |
| #730 | My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) | 28 | 164 | 441 | 100k+ | | | Non-prefixed global variable |
| #731 | Order Tracking – WordPress Status Tracking Plugin | 28 | 619 | 772 | 3k+ | | | Unsafe printing function |
| #732 | PDF for Contact Form 7 + Drag and Drop Template Builder | 28 | 674 | 101 | 500 | | | wp function not compatible with requires wp |
| #733 | ووکامرس فارسی | 28 | 157 | 215 | 90k+ | | | Output is not escaped |
| #734 | Podcast Importer SecondLine | 28 | 356 | 169 | 4k+ | | | Text Domain Mismatch |
| #735 | Query Wrangler | 28 | 628 | 229 | 700 | | | Output is not escaped |
| #736 | ReDi Restaurant Reservation – Instant Availability & Confirmation | 28 | 1,013 | 239 | 800 | | | Unsafe printing function |
| #737 | Redis Object Cache | 28 | 151 | 103 | 400k+ | | | Exception output is not escaped |
| #738 | Secure Downloads | 28 | 616 | 406 | 600 | | | Output is not escaped |
| #739 | Praison AI SEO | 28 | 649 | 306 | 1k+ | | | Text Domain Mismatch |
| #740 | Transliterator – Multilingual and Multi-script Text Conversion | 28 | 305 | 320 | 3k+ | | | Output is not escaped |
| #741 | Slider Pro | 28 | 583 | 527 | 4k+ | | | Unsafe printing function |
| #742 | SureMembers – Membership & Content Restriction Plugin | 28 | 364 | 248 | 900 | | | Text Domain Mismatch |
| #743 | Tab – Accordion, FAQ | 28 | 104 | 542 | 1k+ | | | Non-prefixed global variable |
| #744 | Jetpack VaultPress | 28 | 71 | 362 | 10k+ | | | Missing nonce verification |
| #745 | VG WORT METIS | 28 | 150 | 317 | 900 | | | Nonce verification recommended |
| #746 | WP Booking System – Booking Calendar | 28 | 502 | 549 | 20k+ | | | Output is not escaped |
| #747 | WhyDonate – FREE Donate button – Crowdfunding – Fundraising | 28 | 216 | 328 | 800 | | | Non-prefixed global variable |
| #748 | WPS Bidouille | 28 | 472 | 215 | 10k+ | | | Output is not escaped |
| #749 | WP Synchro – The Ultimate WordPress Migration Tool | 28 | 243 | 244 | 2k+ | | | Missing Translators Comment |
| #750 | WxSync-标准云微信公众号文章免费采集-任意公众号自动采集付费购买 | 28 | 57 | 138 | 500 | | | Request data is not unslashed |