WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Interpolated SQL is not prepared

Variables are interpolated into a SQL string before the query is prepared.

critical weight

Why It Shows Up

The scan found dynamic values placed directly inside SQL, often through string interpolation, before `$wpdb->prepare()` can safely bind them.

Why It Matters

Preparing a query after unsafe interpolation does not reliably protect the dynamic value.

How to Fix

  • Replace interpolated variables with placeholders.
  • Pass each dynamic value as a separate `$wpdb->prepare()` argument.
  • Use allowlists for SQL identifiers and directions that cannot be represented as normal values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1151Google Webfont Optimizer364549700Output is not escaped
#1152Header Footer Code Manager3681180600k+Non-prefixed global variable
#1153HTML Forms – Simple WordPress Forms Plugin3623116610k+Output is not escaped
#1154HTTP Requests Manager3698901k+Output is not escaped
#1155Libro de Reclamaciones y Quejas362661244k+Text Domain Mismatch
#1156LONG URL MAKER3639711k+Direct Query
#1157LocalWeb All In One36342975k+Non-prefixed global variable
#1158Microsoft Clarity3648163200k+Nonce verification recommended
#1159NextGEN Custom Fields362151311k+SQL query is not prepared
#1160Peter’s Post Notes362241023k+Output is not escaped
#1161Photoswipe Masonry Gallery3657476k+Non Singular String Literal Text
#1162Post Views Stats Counter36142241700Non-prefixed global variable
#1163ActiveCampaign Postmark for WordPress36477550k+Text Domain Mismatch
#1164WowStore – Store Builder & Product Blocks for WooCommerce36564374k+Non-prefixed global variable
#1165افزونه رسمی ترب36428630k+Exception output is not escaped
#1166Better Find and Replace – AI-Powered Suggestions366712940k+Missing direct file access protection
#1167Optimize Database after Deleting Revisions3664412760k+Output is not escaped
#1168Search & Replace365053100k+Missing nonce verification
#1169SMTP for SendGrid – YaySMTP3627961k+Non-prefixed global variable
#1170StaticPress368879500Output is not escaped
#1171Subscribe to Comments3612916310k+Output is not escaped
#1172Supplier Order Email3654105400Output is not escaped
#1173SureContact – Newsletters, Email Marketing, Automation, Revenue Tracking & CRM363141327k+Text Domain Mismatch
#1174SurveyJS: Drag & Drop Form Builder3612134500Missing Version
#1175Sync QCloud COS3663109600Non-prefixed function
#1176Bulk Product Editor plugin allows you to create and edit your WooCommerce products and categories with Google Sheets.3650105400Direct Query
#1177Advance Side Cart, Ajax Cart & Floating Cart for WooCommerce36371216k+Non-prefixed global variable
#1178Plugin Name: Traffic Counter Widget Plugin3671107600Output is not escaped
#1179Zoho ZeptoMail36321105k+Request data is not unslashed
#1180Ubigeo de Perú para Woocommerce y WordPress361912354k+Non-prefixed function
#1181Uji Countdown36284984k+Text Domain Mismatch
#1182PDF Flipbook, WPBakery Addon – Unreal FlipBook36400921k+Non Singular String Literal Domain
#1183Widget Indicadores Económicos (Chile)365320500Output is not escaped
#1184CatalogX – Catalog Mode, Enquiry & Quotes for WooCommerce36165695k+Text Domain Mismatch
#1185WP Coder – Insert & Manage Code Snippets365328010k+Nonce verification recommended
#1186WP Counter368643800Output is not escaped
#1187WP Custom Cursors | WordPress Cursor Plugin366913909k+Text Domain Mismatch
#1188WP-EMail36340951k+Unsafe printing function
#1189WP Super Edit36351852k+Nonce verification recommended
#1190WPLMS H5P361111061k+Text Domain Mismatch
#1191Database Snapshots – WPvivid36661081k+Direct Query
#1192YayExtra – WooCommerce Extra Product Options36114721k+Non-prefixed global variable
#1193Zeno – AI-Powered Chatbot36311131400Text Domain Mismatch
#1194Advanced Accordion Gutenberg Block – Create Beautiful FAQs, Content Accordions & Interactive Tabs37393610k+Missing direct file access protection
#1195avalex – Automatisch sichere Rechtstexte3725851k+Direct Query
#1196Random Posts and Pages Widget37322151k+Output is not escaped
#1197Contact Zalo Report SW374439900Missing Arg Domain
#1198ClickRank – Ai SEO Automation37102261k+Direct Query
#1199CookieAdmin – Cookie Consent Banner374386400k+Nonce verification recommended
#1200CorvusPay WooCommerce Payment Gateway37291411k+Missing nonce verification