WordPress.DB.PreparedSQL.InterpolatedNotPrepared
Interpolated SQL is not prepared
Variables are interpolated into a SQL string before the query is prepared.
Why It Shows Up
The scan found dynamic values placed directly inside SQL, often through string interpolation, before `$wpdb->prepare()` can safely bind them.
Why It Matters
Preparing a query after unsafe interpolation does not reliably protect the dynamic value.
How to Fix
- Replace interpolated variables with placeholders.
- Pass each dynamic value as a separate `$wpdb->prepare()` argument.
- Use allowlists for SQL identifiers and directions that cannot be represented as normal values.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1301 | Better User Search | 39 | 24 | 44 | 700 | SQL query is not prepared | ||
| #1302 | Billplz for WooCommerce | 39 | 289 | 65 | 6k+ | Text Domain Mismatch | ||
| #1303 | Bogo | 39 | 30 | 139 | 10k+ | Request data is not unslashed | ||
| #1304 | BuddyPress Notification Widget | 39 | 54 | 31 | 600 | Output is not escaped | ||
| #1305 | Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO) | 39 | 16 | 47 | 10k+ | Request data is not unslashed | ||
| #1306 | Calculator Builder – Create an Online Calculator | 39 | 16 | 221 | 1k+ | Non-prefixed global variable | ||
| #1307 | CatFolders Document Gallery & PDF Library | 39 | 66 | 32 | 3k+ | Output is not escaped | ||
| #1308 | Content Visibility for Divi Builder | 39 | 184 | 59 | 2k+ | Non Singular String Literal Domain | ||
| #1309 | Datalogics Ecommerce Delivery – Datalogics | 39 | 13 | 115 | 500 | Nonce verification recommended | ||
| #1310 | Duplicate Killer – Prevent Duplicate Form Submissions | 39 | 57 | 103 | 1k+ | Non-prefixed global variable | ||
| #1311 | Caldera Forms styler for Elementor Page Builder | 39 | 173 | 12 | 700 | Text Domain Mismatch | ||
| #1312 | Email Marketing by EmailOctopus | 39 | 43 | 62 | 3k+ | Non-prefixed global variable | ||
| #1313 | Fix Duplicates | 39 | 76 | 73 | 800 | Output is not escaped | ||
| #1314 | Gallery Widget | 39 | 122 | 11 | 500 | Output is not escaped | ||
| #1315 | Maintenance Mode | 39 | 86 | 109 | 7k+ | Output is not escaped | ||
| #1316 | Improved Save Button | 39 | 44 | 52 | 4k+ | Missing Translators Comment | ||
| #1317 | Insert Html Snippet | 39 | 159 | 205 | 20k+ | Output is not escaped | ||
| #1318 | Markup by Attribute for WooCommerce | 39 | 46 | 102 | 2k+ | Direct Query | ||
| #1319 | Social Proof Popups & Real-Time Notifications – Herd Effects | 39 | 5 | 181 | 1k+ | Non-prefixed global variable | ||
| #1320 | Paystack Add-On for Gravity Forms | 39 | 96 | 31 | 400 | Text Domain Mismatch | ||
| #1321 | Query Multiple Taxonomies | 39 | 55 | 41 | 500 | Output is not escaped | ||
| #1322 | Quform Mailchimp | 39 | 65 | 147 | 800 | Nonce verification recommended | ||
| #1323 | Quform Zapier | 39 | 60 | 123 | 1k+ | Nonce verification recommended | ||
| #1324 | Redirect 404 Error Page to Homepage or Custom Page with Logs | 39 | 27 | 53 | 10k+ | Nonce verification recommended | ||
| #1325 | Re Gallery – Responsive Image & Photo Gallery | 39 | 16 | 121 | 700 | Missing nonce verification | ||
| #1326 | REST API Helper | 39 | 108 | 85 | 500 | Unsafe printing function | ||
| #1327 | Taxonomy Thumbnail | 39 | 27 | 58 | 3k+ | Non-prefixed function | ||
| #1328 | Show All Comments | 39 | 108 | 92 | 400 | Nonce verification recommended | ||
| #1329 | Smart Archives Reloaded | 39 | 78 | 36 | 1k+ | Non Singular String Literal Domain | ||
| #1330 | Traffic Monitor | 39 | 6 | 143 | 1k+ | Direct Query | ||
| #1331 | Accessibility by UserWay | 39 | 22 | 35 | 80k+ | Direct Query | ||
| #1332 | Smart Variation Swatches and Attribute Filters for WooCommerce | 39 | 39 | 50 | 3k+ | Output is not escaped | ||
| #1333 | Virtuaria Correios – Frete, Etiqueta, Rastreio e Declaração | 39 | 18 | 81 | 500 | Nonce verification recommended | ||
| #1334 | Website LLMs.txt | 39 | 13 | 149 | 40k+ | Non-prefixed global variable | ||
| #1335 | WP Limit Login Attempts | 39 | 26 | 67 | 10k+ | Direct Query | ||
| #1336 | WP Most Popular | 39 | 50 | 35 | 2k+ | Output is not escaped | ||
| #1337 | AidWP – Donation & Payment Forms (Stripe Powered) | 39 | 193 | 800 | Non-prefixed global variable | |||
| #1338 | 404 Notifier | 40 | 39 | 41 | 700 | Output is not escaped | ||
| #1339 | ACF to Custom Database Tables | 40 | 36 | 64 | 600 | Nonce verification recommended | ||
| #1340 | Add & Replace Affiliate Links for Amazon | 40 | 39 | 52 | 600 | Output is not escaped | ||
| #1341 | Admin Search | 40 | 31 | 47 | 1k+ | Output is not escaped | ||
| #1342 | Advanced Admin Search | 40 | 79 | 48 | 600 | Non Singular String Literal Text | ||
| #1343 | Advanced Country Blocker | 40 | 23 | 77 | 2k+ | Exception output is not escaped | ||
| #1344 | Advanced IP Blocker | 40 | 94 | 49 | 2k+ | Exception output is not escaped | ||
| #1345 | Atomic Edge Security – Firewall, Malware Scan and Login Security | 40 | 12 | 184 | 600 | Non-prefixed global variable | ||
| #1346 | Broken Link Notifier | 40 | 11 | 193 | 1k+ | Non-prefixed global variable | ||
| #1347 | Bubble Menu – Floating Button Menu with Sticky Navigation | 40 | 2 | 216 | 1k+ | Nonce verification recommended | ||
| #1348 | BuddyPress Profile Completion | 40 | 28 | 30 | 500 | Output is not escaped | ||
| #1349 | Copyscape Premium | 40 | 148 | 133 | 800 | SQL query is not prepared | ||
| #1350 | Country State City Dropdown CF7 | 40 | 35 | 54 | 5k+ | Direct Query |