WordPress.DB.PreparedSQL.InterpolatedNotPrepared
Interpolated SQL is not prepared
Variables are interpolated into a SQL string before the query is prepared.
Why It Shows Up
The scan found dynamic values placed directly inside SQL, often through string interpolation, before `$wpdb->prepare()` can safely bind them.
Why It Matters
Preparing a query after unsafe interpolation does not reliably protect the dynamic value.
How to Fix
- Replace interpolated variables with placeholders.
- Pass each dynamic value as a separate `$wpdb->prepare()` argument.
- Use allowlists for SQL identifiers and directions that cannot be represented as normal values.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1451 | Delete Duplicate Posts | 47 | 9 | 50 | 10k+ | Direct Query | ||
| #1452 | DPO Pay for WooCommerce | 47 | 28 | 41 | 1k+ | Non Singular String Literal Text | ||
| #1453 | EasyFonts – Host Google Fonts Locally, Fast & Auto-Optimize, GDPR Compliant | 47 | 5 | 58 | 1k+ | Interpolated SQL is not prepared | ||
| #1454 | Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator | 47 | 44 | 83 | 10k+ | Missing direct file access protection | ||
| #1455 | Security Ninja For MainWP | 47 | 246 | 71 | 500 | Text Domain Mismatch | ||
| #1456 | Simple Custom Post Order | 47 | 9 | 76 | 300k+ | Direct Query | ||
| #1457 | Easy Share Solution For WordPress | 48 | 15 | 33 | 900 | Output is not escaped | ||
| #1458 | Seznam Webmaster | 48 | 47 | 8 | 700 | Output is not escaped | ||
| #1459 | FlexStock – Product Stock Sync with Google Sheets for WooCommerce | 48 | 241 | 700 | Direct Query | |||
| #1460 | Tako Movable Comments | 48 | 18 | 39 | 1k+ | Input is not sanitized | ||
| #1461 | Taxonomy Switcher | 48 | 22 | 36 | 2k+ | Nonce verification recommended | ||
| #1462 | WS Action Scheduler Cleaner | 48 | 13 | 80 | 2k+ | error log error log | ||
| #1463 | Anti-Spam Protection – No API Key, GDPR Friendly | 49 | 2 | 106 | 1k+ | Direct Query | ||
| #1464 | GamiPress – Multimedia Content | 49 | 11 | 25 | 500 | Nonce verification recommended | ||
| #1465 | ReCrawler | 49 | 10 | 40 | 4k+ | Direct Query | ||
| #1466 | Simple MyISAM to InnoDB | 49 | 11 | 22 | 1k+ | Output is not escaped | ||
| #1467 | WP Smart Import : Import any XML File to WordPress | 49 | 28 | 302 | 1k+ | Non-prefixed global variable | ||
| #1468 | User Activity Tracking and Log | 50 | 30 | 263 | 2k+ | Non-prefixed global variable | ||
| #1469 | WPML Multilingual for BuddyPress and BuddyBoss | 51 | 18 | 21 | 6k+ | SQL query is not prepared | ||
| #1470 | Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress | 51 | 3 | 116 | 1k+ | Missing nonce verification | ||
| #1471 | Firelight Lightbox | 51 | 78 | 97 | 200k+ | Non-prefixed global variable | ||
| #1472 | GamiPress – Reset User | 51 | 14 | 27 | 400 | Interpolated SQL is not prepared | ||
| #1473 | The Cache Purger | 51 | 16 | 16 | 1k+ | Non Singular String Literal Text | ||
| #1474 | REST API Log | 51 | 44 | 95 | 5k+ | Non-prefixed hook name | ||
| #1475 | Check Pincode For WooCommerce | 52 | 55 | 400 | Direct Query | |||
| #1476 | Fullscreen Galleria | 52 | 37 | 10 | 800 | Output is not escaped | ||
| #1477 | WPVibe – MCP Server for WordPress. Connect Claude, ChatGPT, Gemini & Cursor | 52 | 19 | 58 | 3k+ | Interpolated SQL is not prepared | ||
| #1478 | Wenprise Pinyin Slug | 52 | 30 | 34 | 4k+ | Text Domain Mismatch | ||
| #1479 | Disable Comments – Remove Comments & Stop Spam [Multi-Site Support] | 53 | 15 | 46 | 1m+ | Non-prefixed global variable | ||
| #1480 | File Manager | 53 | 41 | 68 | 10k+ | Missing direct file access protection | ||
| #1481 | LearnPress – bbPress Integration | 53 | 19 | 14 | 2k+ | Output is not escaped | ||
| #1482 | Booking Calendar | 54 | 28 | 85 | 50k+ | Mixed line endings | ||
| #1483 | Customizable Post Listings | 54 | 42 | 13 | 700 | Deprecated parameter: the_author parameter 1 | ||
| #1484 | MSN Partner Hub | 54 | 21 | 25 | 1k+ | Missing direct file access protection | ||
| #1485 | Accordions | 55 | 1 | 101 | 20k+ | slow db query meta query | ||
| #1486 | Easy Quotes | 55 | 11 | 31 | 700 | Direct Query | ||
| #1487 | Enhanced Category Pages | 55 | 23 | 25 | 2k+ | Direct Query | ||
| #1488 | Fast Page & Post Duplicator | 55 | 12 | 25 | 60k+ | Direct Query | ||
| #1489 | Page Tagger | 55 | 30 | 10 | 2k+ | Output is not escaped | ||
| #1490 | ProductFrame – Curated products from affiliate feeds | 55 | 3 | 85 | 400 | Direct Query | ||
| #1491 | Fluent Connect – Connect ThriveCart with your WordPress and FluentCRM | 56 | 37 | 54 | 600 | curl curl setopt | ||
| #1492 | Internal Link Juicer: SEO Auto Linker for WordPress | 57 | 12 | 61 | 90k+ | Database parameter is not escaped | ||
| #1493 | iZooto – Web Push Notifications | 57 | 26 | 25 | 1k+ | wp function not compatible with requires wp | ||
| #1494 | Sequential Order Numbers for WooCommerce | 57 | 9 | 24 | 10k+ | Interpolated SQL is not prepared | ||
| #1495 | WP Table Builder – Drag & Drop Table Builder | 57 | 63 | 39 | 50k+ | Not Allowed | ||
| #1496 | Contact Form DB for Enfold | 58 | 21 | 14 | 700 | Output is not escaped | ||
| #1497 | License For Envato | 58 | 12 | 31 | 9k+ | Non-prefixed global variable | ||
| #1498 | FluentCommunity – Ultra-Fast High-Performance Social Network, Community, LMS & Online Courses | 59 | 41 | 14 | 8k+ | Exception output is not escaped | ||
| #1499 | UltraPress – AI Assistant, Chatbot & SEO | 59 | 12 | 38 | 800 | Non-prefixed global variable | ||
| #1500 | Hide Posts | 59 | 9 | 70 | 20k+ | Direct Query |