WordPress.DB.PreparedSQL.InterpolatedNotPrepared
Interpolated SQL is not prepared
Variables are interpolated into a SQL string before the query is prepared.
Why It Shows Up
The scan found dynamic values placed directly inside SQL, often through string interpolation, before `$wpdb->prepare()` can safely bind them.
Why It Matters
Preparing a query after unsafe interpolation does not reliably protect the dynamic value.
How to Fix
- Replace interpolated variables with placeholders.
- Pass each dynamic value as a separate `$wpdb->prepare()` argument.
- Use allowlists for SQL identifiers and directions that cannot be represented as normal values.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1051 | Advanced Appointment Booking & Scheduling | 83 | 11 | 13 | 3k+ | Text Domain Mismatch | ||
| #1052 | Username Changer | 84 | 37 | 13 | 40k+ | wp function not compatible with requires wp | ||
| #1053 | Salt Shaker | 85 | 15 | 13 | 6k+ | Interpolated SQL is not prepared | ||
| #1054 | Notifima – WooCommerce Stock Manager, Inventory Management, Waitlist | 85 | 130 | 40 | 3k+ | Text Domain Mismatch | ||
| #1055 | Counters Block – Animated Number Counters, Stats & Dynamic KPIs | 86 | 5 | 14 | 3k+ | Missing direct file access protection | ||
| #1056 | ParcelWILL (Formerly ParcelPanel) – Shipment Tracking, Tracking & Order Tracking for WooCommerce | 87 | 6 | 81 | 8k+ | Non-prefixed global variable | ||
| #1057 | Skydropx | 88 | 4 | 9 | 1k+ | Non-prefixed global variable | ||
| #1058 | Ukr-To-Lat | 88 | 3 | 13 | 6k+ | Direct Query | ||
| #1059 | Taxonomy Metadata | 89 | 4 | 9 | 4k+ | Direct Query | ||
| #1060 | WP-Memory-Usage | 89 | 4 | 9 | 10k+ | Interpolated SQL is not prepared | ||
| #1061 | HivePress Reviews | 90 | 5 | 11 | 7k+ | Non-prefixed global variable | ||
| #1062 | Outrank | 90 | 1 | 4 | 1k+ | Database parameter is not escaped | ||
| #1063 | Seamless Sticky Custom Post Types | 94 | 8 | 5 | 1k+ | Missing Arg Domain |
