WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Interpolated SQL is not prepared

Variables are interpolated into a SQL string before the query is prepared.

critical weight

Why It Shows Up

The scan found dynamic values placed directly inside SQL, often through string interpolation, before `$wpdb->prepare()` can safely bind them.

Why It Matters

Preparing a query after unsafe interpolation does not reliably protect the dynamic value.

How to Fix

  • Replace interpolated variables with placeholders.
  • Pass each dynamic value as a separate `$wpdb->prepare()` argument.
  • Use allowlists for SQL identifiers and directions that cannot be represented as normal values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1251Database for Contact Form 738341287k+Missing nonce verification
#1252CRUDLab Disable Comments382054700Missing nonce verification
#1253Darkify – Dark Mode & Night Mode for Website & Admin (Dark Theme Included)3838183600Non-prefixed global variable
#1254Datafeedr Comparison Sets38450533k+Output is not escaped
#1255Datafeedr WooCommerce Importer38112565k+Text Domain Mismatch
#1256Decent Comments3893282k+Output is not escaped
#1257Product Badge, Label, Countdown Timer for WooCommerce – Sale Booster38371025k+Interpolated SQL is not prepared
#1258Front-end Editor387862500Output is not escaped
#1259GoDaddy Payments for WooCommerce3858652k+Output is not escaped
#1260Greek Multi Tool – Greeklish Slugs, Permalinks & Transliteration38160821k+Unsafe printing function
#1261Icegram Mailer – Reliable Email Deliverability, No-code SMTP Replacement & Email logs38361062k+Non-prefixed global variable
#1262ThumbPress – Compress Images, Manage Thumbnails, Detect Image Issues, WebP/AVIF, Lazy Loading, Hotlinking & More38218830k+Direct Query
#1263Coding Chicken – JetEngine Importer385529400Missing direct file access protection
#1264Insert PHP Code Snippet3816422790k+Output is not escaped
#12653D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery383537780k+Non Singular String Literal Domain
#1266Maintenance Redirect3824413210k+Missing Arg Domain
#1267Jock On Air Now (JOAN)38121224500Output is not escaped
#1268Log Deprecated Notices389273900Text Domain Mismatch
#1269LWS Cleaner388112920k+Direct Query
#1270MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites383136700k+Non-prefixed hook name
#1271Migrate Store: Export and Import WooCommerce Settings3837331k+Non-prefixed global variable
#1272MX Time Zone Clocks38219411k+Output is not escaped
#1273Name Directory385203093k+Output is not escaped
#1274Contact Form Widget38541071k+Request data is not unslashed
#1275Popular Widget386130700Unsafe printing function
#1276Post views Stats3837511k+Non-prefixed global variable
#1277qTranslate X Cleanup and WPML Import38167102800Text Domain Mismatch
#1278Quick Download Button38341232k+Non-prefixed global variable
#1279Invoice1233813988400Text Domain Mismatch
#1280Author Image3851331k+Output is not escaped
#1281LinkBoss – Semantic AI Internal Linking3828572k+Missing Arg Domain
#1282Simple Visitor Counter384127700Output is not escaped
#1283Social Snap — Social Share Buttons & Click to Tweet38616910k+Direct Query
#1284SRS Simple Hits Counter3843988k+Output is not escaped
#1285Tag Manager – Header, Body And Footer389731920k+Non-prefixed global variable
#1286Accessibility Tools & Alt Text Finder3836563k+Text Domain Mismatch
#1287Plugin Name: Traffic Stats Widget Plugin3869107600Output is not escaped
#1288Unconfirmed3820791k+Nonce verification recommended
#1289VidShop – Shoppable Videos for WooCommerce38541531k+Database parameter is not escaped
#1290WishSuite – Wishlist for WooCommerce38761331k+Output is not escaped
#1291Connect WooCommerce Shop to ERP/CRM, Verifactu and EU/VAT Compliance38231041k+Direct Query
#1292WP-DraftsForFriends38141711k+Output is not escaped
#1293Real-Time Post Statistics for WordPress3863681k+SQL query is not prepared
#1294ZeroBounce Email Verification & Validation38299162900Text Domain Mismatch
#1295Zoho Campaigns3831293k+Non-prefixed global variable
#1296Ad Invalid Click Protector (AICP)39785710k+Text Domain Mismatch
#1297Add-on Gravity Forms – MailPoet 3393133600Output is not escaped
#1298Additional Order Filters for WooCommerce39792552k+Nonce verification recommended
#1299Advanced Woo Labels – Product Labels & Badges for WooCommerce3917112510k+Output is not escaped
#1300Affiliate Links – Link Cloaking and Management39231133k+Non-prefixed global variable