WordPress.DB.PreparedSQL.InterpolatedNotPrepared
Interpolated SQL is not prepared
Variables are interpolated into a SQL string before the query is prepared.
Why It Shows Up
The scan found dynamic values placed directly inside SQL, often through string interpolation, before `$wpdb->prepare()` can safely bind them.
Why It Matters
Preparing a query after unsafe interpolation does not reliably protect the dynamic value.
How to Fix
- Replace interpolated variables with placeholders.
- Pass each dynamic value as a separate `$wpdb->prepare()` argument.
- Use allowlists for SQL identifiers and directions that cannot be represented as normal values.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1201 | Disclaimer Popup | 37 | 313 | 53 | 1k+ | Text Domain Mismatch | ||
| #1202 | Donation Block For PayPal | 37 | 23 | 106 | 600 | Input is not validated | ||
| #1203 | Easy Testimonial Slider and Form | 37 | 14 | 144 | 700 | Request data is not unslashed | ||
| #1204 | Excerpt Editor | 37 | 170 | 142 | 500 | Unsafe printing function | ||
| #1205 | Exploit Scanner | 37 | 25 | 130 | 8k+ | Non-prefixed global variable | ||
| #1206 | GHL Gravity Bridge – Send Gravity Forms leads to GHL CRM | 37 | 59 | 269 | 600 | Direct Query | ||
| #1207 | GoPay for WooCommerce | 37 | 66 | 103 | 1k+ | Non-prefixed global variable | ||
| #1208 | Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder | 37 | 83 | 113 | 20k+ | SQL query is not prepared | ||
| #1209 | HandL UTM Grabber / Tracker | 37 | 31 | 146 | 10k+ | Missing nonce verification | ||
| #1210 | Language Switcher | 37 | 81 | 105 | 1k+ | Missing Translators Comment | ||
| #1211 | LearnPress – Course Review | 37 | 67 | 43 | 20k+ | Output is not escaped | ||
| #1212 | List category posts | 37 | 161 | 17 | 80k+ | Output is not escaped | ||
| #1213 | Media Sweep – WordPress Media Cleaner | 37 | 56 | 137 | 1k+ | Interpolated SQL is not prepared | ||
| #1214 | CrawlWP SEO – Instant Search Engine Indexing & SEO Performance Monitor | 37 | 47 | 90 | 40k+ | Dynamic hook name | ||
| #1215 | My Post Order | 37 | 100 | 114 | 400 | Output is not escaped | ||
| #1216 | NextGEN Scroll Gallery | 37 | 33 | 28 | 1k+ | Output is not escaped | ||
| #1217 | Ninja Van (MY) | 37 | 21 | 258 | 1k+ | Non-prefixed global variable | ||
| #1218 | Sendle Shipping Plugin | 37 | 91 | 64 | 800 | wp function not compatible with requires wp | ||
| #1219 | Oliver POS – WooCommerce POS for iPhone, iPad & Android | 37 | 15 | 242 | 800 | Interpolated SQL is not prepared | ||
| #1220 | WP All Export – Order Export for WooCommerce | 37 | 109 | 111 | 4k+ | Text Domain Mismatch | ||
| #1221 | PayU CommercePro Plugin | 37 | 218 | 7k+ | error log error log | |||
| #1222 | Phoenix Media Rename | 37 | 180 | 104 | 50k+ | Output is not escaped | ||
| #1223 | PNG to JPG | 37 | 130 | 173 | 10k+ | Interpolated SQL is not prepared | ||
| #1224 | Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales | 37 | 59 | 64 | 2k+ | SQL query is not prepared | ||
| #1225 | Quentn WP | 37 | 4 | 251 | 500 | Nonce verification recommended | ||
| #1226 | Ryviu – Review Importer & Product Reviews | 37 | 72 | 95 | 1k+ | Output is not escaped | ||
| #1227 | Lightbox slider – Responsive Lightbox Gallery | 37 | 36 | 173 | 3k+ | Non-prefixed global variable | ||
| #1228 | Tracking Script Manager | 37 | 82 | 57 | 2k+ | Non Singular String Literal Domain | ||
| #1229 | UsersWP – Social Login | 37 | 299 | 91 | 2k+ | Text Domain Mismatch | ||
| #1230 | ValidateCertify Free | 37 | 123 | 97 | 1k+ | Text Domain Mismatch | ||
| #1231 | Conditional Discounts for WooCommerce – A simple yet complete woocommerce dynamic pricing plugin | 37 | 99 | 33 | 9k+ | Text Domain Mismatch | ||
| #1232 | Wordable – Export Google Docs to WordPress | 37 | 47 | 63 | 2k+ | Output is not escaped | ||
| #1233 | Fix Media Library | 37 | 53 | 71 | 1k+ | Output is not escaped | ||
| #1234 | WP Flow Plus | 37 | 175 | 146 | 800 | Output is not escaped | ||
| #1235 | Persistent Login | 37 | 338 | 108 | 6k+ | Unsafe printing function | ||
| #1236 | Special Text Boxes | 37 | 38 | 42 | 2k+ | Direct Query | ||
| #1237 | TopNewsWp – Display Tikcer News, RSS Feed Widget and Many More | 37 | 878 | 59 | 800 | Output is not escaped | ||
| #1238 | XT Visitor Counter | 37 | 177 | 52 | 7k+ | Output is not escaped | ||
| #1239 | Zoho Marketing Automation | 37 | 24 | 194 | 1k+ | Non-prefixed global variable | ||
| #1240 | Action Scheduler | 38 | 92 | 134 | 20k+ | Exception output is not escaped | ||
| #1241 | Advanced 301 and 302 Redirect | 38 | 81 | 339 | 1k+ | Non-prefixed global variable | ||
| #1242 | Advanced Media Offloader | 38 | 57 | 93 | 5k+ | error log error log | ||
| #1243 | Alphabetic Pagination | 38 | 144 | 117 | 500 | Unsafe printing function | ||
| #1244 | Automatic Post Tagger | 38 | 592 | 307 | 2k+ | Output is not escaped | ||
| #1245 | Bot Block – Stop Spam Referrals in Google Analytics | 38 | 28 | 42 | 600 | Output is not escaped | ||
| #1246 | BuddyPress Follow | 38 | 114 | 67 | 1k+ | Text Domain Mismatch | ||
| #1247 | Cache Warmer | 38 | 32 | 219 | 1k+ | Interpolated SQL is not prepared | ||
| #1248 | CC Child Pages | 38 | 63 | 152 | 9k+ | Non-prefixed global variable | ||
| #1249 | Certificate Verification | 38 | 33 | 40 | 1k+ | Output is not escaped | ||
| #1250 | Database for Contact Form 7 | 38 | 34 | 128 | 7k+ | Missing nonce verification |