WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Interpolated SQL is not prepared

Variables are interpolated into a SQL string before the query is prepared.

critical weight

Why It Shows Up

The scan found dynamic values placed directly inside SQL, often through string interpolation, before `$wpdb->prepare()` can safely bind them.

Why It Matters

Preparing a query after unsafe interpolation does not reliably protect the dynamic value.

How to Fix

  • Replace interpolated variables with placeholders.
  • Pass each dynamic value as a separate `$wpdb->prepare()` argument.
  • Use allowlists for SQL identifiers and directions that cannot be represented as normal values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1301Better User Search392444700SQL query is not prepared
#1302Billplz for WooCommerce39289656k+Text Domain Mismatch
#1303Bogo393013910k+Request data is not unslashed
#1304BuddyPress Notification Widget395431600Output is not escaped
#1305Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)39164710k+Request data is not unslashed
#1306Calculator Builder – Create an Online Calculator39162211k+Non-prefixed global variable
#1307CatFolders Document Gallery & PDF Library3966323k+Output is not escaped
#1308Content Visibility for Divi Builder39184592k+Non Singular String Literal Domain
#1309Datalogics Ecommerce Delivery – Datalogics3913115500Nonce verification recommended
#1310Duplicate Killer – Prevent Duplicate Form Submissions39571031k+Non-prefixed global variable
#1311Caldera Forms styler for Elementor Page Builder3917312700Text Domain Mismatch
#1312Email Marketing by EmailOctopus3943623k+Non-prefixed global variable
#1313Fix Duplicates397673800Output is not escaped
#1314Gallery Widget3912211500Output is not escaped
#1315Maintenance Mode39861097k+Output is not escaped
#1316Improved Save Button3944524k+Missing Translators Comment
#1317Insert Html Snippet3915920520k+Output is not escaped
#1318Markup by Attribute for WooCommerce39461022k+Direct Query
#1319Social Proof Popups & Real-Time Notifications – Herd Effects3951811k+Non-prefixed global variable
#1320Paystack Add-On for Gravity Forms399631400Text Domain Mismatch
#1321Query Multiple Taxonomies395541500Output is not escaped
#1322Quform Mailchimp3965147800Nonce verification recommended
#1323Quform Zapier39601231k+Nonce verification recommended
#1324Redirect 404 Error Page to Homepage or Custom Page with Logs39275310k+Nonce verification recommended
#1325Re Gallery – Responsive Image & Photo Gallery3916121700Missing nonce verification
#1326REST API Helper3910885500Unsafe printing function
#1327Taxonomy Thumbnail3927583k+Non-prefixed function
#1328Show All Comments3910892400Nonce verification recommended
#1329Smart Archives Reloaded3978361k+Non Singular String Literal Domain
#1330Traffic Monitor3961431k+Direct Query
#1331Accessibility by UserWay39223580k+Direct Query
#1332Smart Variation Swatches and Attribute Filters for WooCommerce3939503k+Output is not escaped
#1333Virtuaria Correios – Frete, Etiqueta, Rastreio e Declaração391881500Nonce verification recommended
#1334Website LLMs.txt391314940k+Non-prefixed global variable
#1335WP Limit Login Attempts39266710k+Direct Query
#1336WP Most Popular3950352k+Output is not escaped
#1337AidWP – Donation & Payment Forms (Stripe Powered)39193800Non-prefixed global variable
#1338404 Notifier403941700Output is not escaped
#1339ACF to Custom Database Tables403664600Nonce verification recommended
#1340Add & Replace Affiliate Links for Amazon403952600Output is not escaped
#1341Admin Search4031471k+Output is not escaped
#1342Advanced Admin Search407948600Non Singular String Literal Text
#1343Advanced Country Blocker4023772k+Exception output is not escaped
#1344Advanced IP Blocker4094492k+Exception output is not escaped
#1345Atomic Edge Security – Firewall, Malware Scan and Login Security4012184600Non-prefixed global variable
#1346Broken Link Notifier40111931k+Non-prefixed global variable
#1347Bubble Menu – Floating Button Menu with Sticky Navigation4022161k+Nonce verification recommended
#1348BuddyPress Profile Completion402830500Output is not escaped
#1349Copyscape Premium40148133800SQL query is not prepared
#1350Country State City Dropdown CF74035545k+Direct Query