WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Interpolated SQL is not prepared

Variables are interpolated into a SQL string before the query is prepared.

critical weight

Why It Shows Up

The scan found dynamic values placed directly inside SQL, often through string interpolation, before `$wpdb->prepare()` can safely bind them.

Why It Matters

Preparing a query after unsafe interpolation does not reliably protect the dynamic value.

How to Fix

  • Replace interpolated variables with placeholders.
  • Pass each dynamic value as a separate `$wpdb->prepare()` argument.
  • Use allowlists for SQL identifiers and directions that cannot be represented as normal values.
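The three steps above applied to one query, as an added example (not code from any plugin listed on this page). It assumes it runs inside WordPress 6.2 or later, where `$wpdb->prepare()` accepts the `%i` identifier placeholder; the function names and the sort-key map are hypothetical.

```php
<?php
// Added example. Assumes WordPress is loaded (global $wpdb) and version 6.2+ for %i.

// Before: the pattern this rule reports. $author_id, $status, $orderby and $order
// are already part of the string when prepare() sees it; only the LIMIT is bound.
function example_find_posts_flagged( $author_id, $status, $orderby, $order ) {
	global $wpdb;
	return $wpdb->get_results(
		$wpdb->prepare(
			"SELECT ID, post_title FROM {$wpdb->posts}
			 WHERE post_author = $author_id AND post_status = '$status'
			 ORDER BY $orderby $order LIMIT %d",
			20
		)
	);
}

// After: every value is a placeholder with its own prepare() argument, and the
// sort column and direction are resolved through allowlists.
function example_find_posts( $author_id, $status, $orderby, $order ) {
	global $wpdb;

	// Allowlist: request key => real column name. Unknown keys get the default.
	$columns = array( 'date' => 'post_date', 'title' => 'post_title', 'id' => 'ID' );
	$column  = isset( $columns[ $orderby ] ) ? $columns[ $orderby ] : 'post_date';

	// A direction is a keyword, not a value, so no placeholder can carry it.
	// Choose between two fixed query strings instead of interpolating it.
	if ( 'ASC' === strtoupper( (string) $order ) ) {
		$query = $wpdb->prepare(
			"SELECT ID, post_title FROM {$wpdb->posts}
			 WHERE post_author = %d AND post_status = %s
			 ORDER BY %i ASC LIMIT %d",
			$author_id, $status, $column, 20
		);
	} else {
		$query = $wpdb->prepare(
			"SELECT ID, post_title FROM {$wpdb->posts}
			 WHERE post_author = %d AND post_status = %s
			 ORDER BY %i DESC LIMIT %d",
			$author_id, $status, $column, 20
		);
	}

	return $wpdb->get_results( $query );
}
```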

Affected Plugins

Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue
#751Attribute Stock for WooCommerce – Shared Stock & Variable Quantities (Lite Version)294813132k+Text Domain Mismatch
#752Bitcoin Payments – Blockonomics292082272k+Output is not escaped
#753Plugin BlueX for WooCommerce294312162k+Text Domain Mismatch
#754Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms292363692k+Non-prefixed global variable
#755Chained Quiz291,1327211k+Text Domain Mismatch
#756CloudSecure WP Security2974350100k+Request data is not unslashed
#757Countdown, Coming Soon, Maintenance – Countdown & Clock291,73514310k+Non Singular String Literal Domain
#758DoLogin Security293123057k+Output is not escaped
#759FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider297478600k+Missing Translators Comment
#760reCaptcha by BestWebSoft29474272100k+Text Domain Mismatch
#761Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier )292082620k+Non-prefixed namespace
#762Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms296253511k+Text Domain Mismatch
#763Wishlist for WooCommerce29610296600Output is not escaped
#764Login Me Now – Passwordless, Magic Link, OTP & Social Login for WordPress2986233500Nonce verification recommended
#765Meow Gallery2911318210k+Direct Query
#766Offload Media – Cloud Storage29126801k+unlink unlink
#767Page Restrict for WooCommerce29579374700Text Domain Mismatch
#768Page View Count2910824710k+Dynamic hook name
#769Post Timeline2991200800Missing nonce verification
#770Post Views Counter29179398200k+Non-prefixed hook name
#771Recipe Card Blocks Lite2915140810k+Non-prefixed global variable
#772SamedayCourier Shipping293362694k+Non Singular String Literal Domain
#773Security Ninja – WordPress Security & Firewall291493477k+Direct Query
#774Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce291482465k+Unsafe printing function
#775Social Engine2913390600Exception output is not escaped
#776SureForms – Drag & Drop Contact Form & Form Builder, Payment Form, Survey, Quiz & Calculator29336198500k+Text Domain Mismatch
#777ووسلام – همگام سازی ووکامرس و باسلام291926114k+Non-prefixed global variable
#778Ultimate Auction for WooCommerce – Excellent WP Auction Plugin29525232k+Non-prefixed global variable
#779User Verification by PickPlugins29413145k+Request data is not unslashed
#780Custom Post Types and Custom Fields creator – WCK291,30014310k+Text Domain Mismatch
#781Countdown Timer – Widget Countdown2929015210k+Output is not escaped
#782Woostify Sites Library2922919820k+Text Domain Mismatch
#783Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management29534963k+Direct Query
#784WP-PostRatings2942538430k+Output is not escaped
#785Xagio SEO – AI Powered SEO2921,27310k+Direct Query
#786Xpro Addons — 140+ Widgets for Elementor292782630k+Non-prefixed global variable
#787Dynamic Pricing With Discount Rules for WooCommerce301361315k+Output is not escaped
#788Advanced Database Cleaner – Optimize & Clean Database to Speed Up Site Performance30164439100k+Interpolated SQL is not prepared
#789PublishPress Blocks – Block Controls, Block Visibility, Block Permissions3025134020k+Unsafe printing function
#790AI Product Tools – Bulk Product Content Generator & AI Toolkit for WooCommerce30502560400SQL query is not prepared
#791AutoWP – AI Content Writer & Rewriter305483701k+Text Domain Mismatch
#792Private groups305833161k+Unsafe printing function
#793Sliding Cart for WooCommerce by FunnelKit – Skip Cart & Reach WooCommerce Checkout Faster3030643430k+Non-prefixed global variable
#794Cryptocurrency Donation Box – Bitcoin & Crypto Donations30334284500Output is not escaped
#795Easy Affiliate Links301861987k+Missing direct file access protection
#796EasyParcel Shipping– All-in-one Shipping Solution, Real-Time Shipping Rates3031610600Non-prefixed global variable
#797Edwiser Bridge – WordPress Moodle Integration3046694k+Non-prefixed hook name
#798FormLift for Keap (Legacy) Web Forms30162315400Request data is not unslashed
#799Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant302642214k+Non Singular String Literal Text
#800Import WooCommerce Suite for Products, Orders, Coupons, Reviews, and Customers | WP Ultimate CSV Importer30804344k+Interpolated SQL is not prepared