WordPress.DB.PreparedSQL.InterpolatedNotPrepared
Interpolated SQL is not prepared
Variables are interpolated into a SQL string before the query is prepared.
Why It Shows Up
The scan found dynamic values placed directly inside SQL, often through string interpolation, before `$wpdb->prepare()` can safely bind them.
Why It Matters
Once a value has already been interpolated into the SQL string, `$wpdb->prepare()` sees it as part of the query text rather than as a bound parameter, so it is never escaped or quoted and the query stays open to SQL injection.
How to Fix
- Replace interpolated variables with placeholders.
- Pass each dynamic value as a separate `$wpdb->prepare()` argument.
- Use allowlists for SQL identifiers (table and column names) and `ORDER BY` directions, which cannot be bound as ordinary placeholder values.
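The flagged pattern beside its corrected form, as an added example that is not part of the sniff's documentation. The table `{$wpdb->prefix}visitor_log`, its columns and the `vl_` function names are assumptions for illustration.

```php
<?php
// Added example, not from the sniff docs. Assumes a plugin table
// {$wpdb->prefix}visitor_log with columns id, ip, visited_at, hits, status.

// Flagged: $status and $orderby are interpolated into the string before
// prepare() runs, so prepare() only sees finished SQL and cannot bind them.
// The %d placeholder for $limit is prepared, but that does nothing for the
// two values that were already pasted in.
function vl_get_rows_unsafe( $status, $orderby, $limit ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}visitor_log
            WHERE status = '{$status}'
            ORDER BY {$orderby}
            LIMIT %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, $limit ) );
}

// Fixed: every dynamic value becomes a separate prepare() argument, and the
// identifier and sort direction are reduced to allowlisted strings first.
function vl_get_rows_safe( $status, $orderby, $direction, $limit ) {
    global $wpdb;

    // Column names and ASC/DESC cannot be bound as values, so map the
    // untrusted input onto a fixed set of known-good strings.
    $allowed_columns = array( 'id', 'visited_at', 'hits' );
    $orderby   = in_array( $orderby, $allowed_columns, true ) ? $orderby : 'id';
    $direction = ( 'desc' === strtolower( (string) $direction ) ) ? 'DESC' : 'ASC';

    // Only the vetted identifier and direction are interpolated; $status and
    // $limit are matched to %s / %d placeholders.
    $sql = "SELECT id, ip, visited_at, hits
            FROM {$wpdb->prefix}visitor_log
            WHERE status = %s
            ORDER BY {$orderby} {$direction}
            LIMIT %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, $status, absint( $limit ) ) );
}
```

The sniff cannot see the allowlist, so the interpolated `{$orderby}` in the fixed version still trips it; the usual resolution is a `phpcs:ignore` comment stating why the value is safe, or, on WordPress 6.2 and later, binding the column name with the `%i` identifier placeholder (the direction still needs the allowlist).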
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #1001 | Mass Ping Tool for SEO – WordPress ping list to get indexed faster on Google, Yandex, … | 34 | 77 | 96 | 500 | Output is not escaped | | |
| #1002 | Montonio for WooCommerce | 34 | 44 | 257 | 10k+ | Non-prefixed global variable | | |
| #1003 | Multi Step Form | 34 | 277 | 136 | 9k+ | Output is not escaped | | |
| #1004 | PW WooCommerce Bulk Edit | 34 | 219 | 149 | 20k+ | Unsafe printing function | | |
| #1005 | PW WooCommerce Gift Cards | 34 | 238 | 185 | 20k+ | Output is not escaped | | |
| #1006 | Event Timeline – Vertical Timeline | 34 | 26 | 684 | 1k+ | Non-prefixed global variable | | |
| #1007 | Route ‑ Shipping Protection | 34 | 65 | 150 | 500 | Missing nonce verification | | |
| #1008 | Search Meter | 34 | 191 | 94 | 20k+ | Output is not escaped | | |
| #1009 | Security Safe | 34 | 193 | 164 | 700 | Missing Translators Comment | | |
| #1010 | Seriously Simple Stats | 34 | 99 | 126 | 5k+ | Output is not escaped | | |
| #1011 | Student Result or Employee Database | 34 | 89 | 98 | 1k+ | Direct Query | | |
| #1012 | Social Integration for BlueSky | 34 | 98 | 147 | 700 | Non-prefixed global variable | | |
| #1013 | Software License Manager | 34 | 69 | 289 | 900 | Nonce verification recommended | | |
| #1014 | Subscribe to Download Lite – Email Before Download Plugin | 34 | 106 | 157 | 400 | Non-prefixed global variable | | |
| #1015 | SuperFrete | 34 | 84 | 242 | 1k+ | Request data is not unslashed | | |
| #1016 | TaxJar – Sales Tax Automation for WooCommerce | 34 | 236 | 170 | 5k+ | Text Domain Mismatch | | |
| #1017 | Testimonial Slider | 34 | 448 | 262 | 3k+ | Unsafe printing function | | |
| #1018 | Throws SPAM Away | 34 | 327 | 123 | 10k+ | Missing Arg Domain | | |
| #1019 | Tools for Twitter | 34 | 135 | 87 | 1k+ | Output is not escaped | | |
| #1020 | Visual Form Builder | 34 | 82 | 329 | 20k+ | Direct Query | | |
| #1021 | Abandoned Cart Reports For WooCommerce | 34 | 133 | 163 | 2k+ | Output is not escaped | | |
| #1022 | Simple Discount Rules for Woocommerce | 34 | 175 | 214 | 5k+ | Nonce verification recommended | | |
| #1023 | Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin | 34 | 230 | 154 | 2k+ | Output is not escaped | | |
| #1024 | Digital Signature Add-on for WooCommerce | 34 | 168 | 75 | 1k+ | Text Domain Mismatch | | |
| #1025 | Easy Booking – WooCommerce Booking & Reservation Plugin | 34 | 138 | 172 | 4k+ | Output is not escaped | | |
| #1026 | WP-Cron Status Checker | 34 | 277 | 111 | 5k+ | Text Domain Mismatch | | |
| #1027 | WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters | 34 | 219 | 453 | 60k+ | wp function not compatible with requires wp | | |
| #1028 | WP Mail Logging | 34 | 76 | 258 | 300k+ | Nonce verification recommended | | |
| #1029 | WP Popup Builder – Popup Forms and Marketing Lead Generation | 34 | 357 | 143 | 3k+ | Text Domain Mismatch | | |
| #1030 | Thumbnail Slider With Lightbox | 34 | 244 | 141 | 700 | Output is not escaped | | |
| #1031 | WP SendFox | 34 | 296 | 118 | 1k+ | Text Domain Mismatch | | |
| #1032 | WP Subscription Forms – Subscription Form Plugin for WordPress | 34 | 131 | 220 | 400 | Non-prefixed global variable | | |
| #1033 | Live Visitor Counter | 34 | 108 | 114 | 4k+ | Interpolated SQL is not prepared | | |
| #1034 | WPLMS MyCred AddOn | 34 | 383 | 73 | 800 | Text Domain Mismatch | | |
| #1035 | Xml Sitemap Generator | 34 | 72 | 47 | 400 | SQL query is not prepared | | |
| #1036 | Embed Plus for YouTube Gallery, Livestream and Lazy Loading with Facades | 34 | 571 | 195 | 100k+ | Output is not escaped | | |
| #1037 | Zero Spam for WordPress | 34 | 79 | 393 | 20k+ | Non-prefixed global variable | | |
| #1038 | zipMoney(Zip Co) Payments Plugin for WooCommerce | 34 | 147 | 70 | 2k+ | Text Domain Mismatch | | |
| #1039 | Abandoned Checkout Recovery & Order Notifications for WooCommerce | 35 | 108 | 77 | 800 | Text Domain Mismatch | | |
| #1040 | AfterSalesPro Plugin | 35 | 24 | 111 | 400 | Nonce verification recommended | | |
| #1041 | SOOZ – AI for SEO – Bulk Generate Focus Keyphrases, Metadata, Alt Text (SEO Autopilot) | 35 | 44 | 394 | 2k+ | Nonce verification recommended | | |
| #1042 | Tuskcode Map Pro for Bing Maps | 35 | 59 | 359 | 600 | Direct Query | | |
| #1043 | Automatic Internal Links for SEO by Pagup | 35 | 34 | 215 | 1k+ | error log error log | | |
| #1044 | Automatic YouTube Gallery | 35 | 83 | 59 | 9k+ | Output is not escaped | | |
| #1045 | BORICA Payments by BORICA AD | 35 | 537 | 196 | 500 | Text Domain Mismatch | | |
| #1046 | BotWriter – AI Writer & SEO Content Generator | 35 | 16 | 503 | 3k+ | Direct Query | | |
| #1047 | Registration Options for BuddyPress | 35 | 47 | 132 | 1k+ | Non-prefixed function | | |
| #1048 | Brozzme DB Prefix & Tools Addons | 35 | 24 | 42 | 10k+ | Request data is not unslashed | | |
| #1049 | BSK Forms Blacklist | 35 | 831 | 550 | 1k+ | Output is not escaped | | |
| #1050 | CatFolders – WordPress Media Library Folders & Categories | 35 | 35 | 76 | 6k+ | Direct Query | | |