WordPress.DB.PreparedSQL.InterpolatedNotPrepared
Interpolated SQL is not prepared
Variables are interpolated into a SQL string before the query is prepared.
Why It Shows Up
The scan found dynamic values placed directly inside SQL, often through string interpolation, before `$wpdb->prepare()` can safely bind them.
Why It Matters
Preparing a query after unsafe interpolation does not reliably protect the dynamic value: once a variable has been concatenated into the SQL string, `$wpdb->prepare()` sees it as part of the query text rather than as a value to bind, so no quoting or escaping is applied to it.
How to Fix
- Replace interpolated variables with placeholders.
- Pass each dynamic value as a separate `$wpdb->prepare()` argument.
- Validate SQL identifiers (table and column names) and ORDER BY directions against an allowlist, because placeholders cannot represent them as normal values.
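The three fixes above applied to one query, as an added example that is not code from the page or from any plugin listed below. It assumes a hypothetical custom table `{$wpdb->prefix}events` with columns `id`, `user_id`, `status` and `created_at`; the function names are made up for the illustration.

```php
<?php
// Added example, not from the page or any listed plugin. Assumes a hypothetical
// custom table {$wpdb->prefix}events with columns id, user_id, status, created_at.

// BEFORE (what the rule flags): the values are interpolated into the SQL string,
// so prepare() receives them as query text and never binds or escapes them.
function events_by_status_unsafe( $status, $orderby, $dir ) {
    global $wpdb;
    $sql = "SELECT id FROM {$wpdb->prefix}events WHERE status = '$status' ORDER BY $orderby $dir";
    return $wpdb->get_col( $wpdb->prepare( $sql ) );
}

// AFTER: the value goes through a placeholder and is passed as a separate
// argument; the identifier and the direction, which placeholders cannot
// represent, are checked against fixed allowlists before entering the query.
function events_by_status( $status, $orderby = 'created_at', $dir = 'DESC' ) {
    global $wpdb;

    // Only columns this table actually has may be used for ordering.
    $allowed_orderby = array( 'id', 'user_id', 'created_at' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'created_at';
    }
    // ORDER BY direction is a keyword, not a value: normalise and allowlist it.
    $dir = ( 'ASC' === strtoupper( $dir ) ) ? 'ASC' : 'DESC';

    // %s is quoted and escaped by prepare(); the table prefix comes from $wpdb
    // and $orderby/$dir were validated above, so nothing caller-controlled is
    // left in the query text. (On WordPress 6.2+ the %i placeholder can bind the
    // column identifier as well; the direction still needs the allowlist.)
    $sql = $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}events WHERE status = %s ORDER BY {$orderby} {$dir}",
        $status
    );
    return $wpdb->get_col( $sql );
}

// Lists of values: build one placeholder per item and pass the items as the
// argument array, instead of interpolating an imploded string into IN (...).
function events_by_ids( array $ids ) {
    global $wpdb;
    $ids = array_map( 'intval', $ids );
    if ( empty( $ids ) ) {
        return array();
    }
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT id, status FROM {$wpdb->prefix}events WHERE id IN ( {$placeholders} )",
        $ids
    );
    return $wpdb->get_results( $sql );
}
```

The placeholder list in `events_by_ids()` is safe to interpolate because it is built from the literal `%d` and a count, never from the caller's data.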
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1501 | IndexNow Plugin | 63 | 14 | 91 | 100k+ | | | error log error log |
| #1502 | MooWoodle – WordPress Moodle LMS Integration, Sell Moodle Courses via WooCommerce | 63 | 10 | 45 | 800 | | | No Caching |
| #1503 | Collapsing Archives | 64 | 36 | 9 | 3k+ | | | date date |
| #1504 | DataFeedWatch Connector for WooCommerce | 64 | 16 | 112 | 600 | | | Non-prefixed hook name |
| #1505 | DoFollow Case by Case | 64 | 4 | 60 | 1k+ | | | Direct Query |
| #1506 | Pageviews | 64 | 15 | 12 | 1k+ | | | Missing Translators Comment |
| #1507 | Royal MCP – Secure AI Connector for Claude, ChatGPT & Gemini | 64 | 6 | 33 | 6k+ | | | Interpolated SQL is not prepared |
| #1508 | JTL-Connector for WooCommerce | 64 | 7 | 166 | 1k+ | | | Direct Query |
| #1509 | AdSimple Cookie Consent Banner | 65 | 55 | 109 | 600 | | | wp function not compatible with requires wp |
| #1510 | License For Envato | 65 | 9 | 28 | 9k+ | | | Non-prefixed global variable |
| #1511 | Notibar – Notification Bar for WordPress | 65 | 43 | 62 | 8k+ | | | wp function not compatible with requires wp |
| #1512 | SQL Buddy – Database Management Made Easy | 65 | 12 | 16 | 5k+ | | | SQL query is not prepared |
| #1513 | AI Product Gallery Slider for WooCommerce, Slider, Zoom, Video & Variation Images – WPBean | 65 | 264 | 16 | 2k+ | | | Text Domain Mismatch |
| #1514 | WP Redis | 66 | 11 | 25 | 9k+ | | | Interpolated SQL is not prepared |
| #1515 | Editoria11y Accessibility Checker | 67 | 69 | 55 | 1k+ | | | Text Domain Mismatch |
| #1516 | Multilingual Forms for Fluent Forms with WPML | 67 | 52 | 16 | 1k+ | | | Text Domain Mismatch |
| #1517 | Vibe AI – MCP Server for WordPress. Connect Claude, ChatGPT & Cursor | 67 | 10 | 27 | 2k+ | | | Non-prefixed global variable |
| #1518 | Booter – Bots & Crawlers Manager | 68 | 81 | | 7k+ | | | Non-prefixed global variable |
| #1519 | Member Swipe for BuddyPress | 68 | 9 | 13 | 600 | | | Missing direct file access protection |
| #1520 | Faire for WooCommerce | 68 | 4 | 86 | 800 | | | Direct Query |
| #1521 | Thank You Page for WooCommerce – Custom Thank You Page & Redirect | 68 | 6 | 27 | 10k+ | | | Non-prefixed global variable |
| #1522 | AdOpt \| Easy Multi-Regulations Cookie Banner. | 69 | 22 | 27 | 7k+ | | | Missing direct file access protection |
| #1523 | Ambrosite Next/Previous Post Link Plus | 69 | 12 | 24 | 5k+ | | | Interpolated SQL is not prepared |
| #1524 | DOKU Payment | 69 | 53 | 46 | 400 | | | wp function not compatible with requires wp |
| #1525 | WP Bulk Delete | 69 | 7 | 44 | 100k+ | | | Non-prefixed hook name |
| #1526 | Ambrosite Next/Previous Page Link Plus | 70 | 11 | 21 | 900 | | | Interpolated SQL is not prepared |
| #1527 | FAZ Cookie Manager | 70 | 1 | 311 | 600 | | | Non-prefixed hook name |
| #1528 | BuddyPress Default Data | 71 | 8 | 21 | 400 | | | Interpolated SQL is not prepared |
| #1529 | Privyr CRM – Instant Lead Alerts for Contact Forms | 71 | 2 | 25 | 4k+ | | | Non-prefixed function |
| #1530 | Shipping Rate By Cities | 72 | 4 | 21 | 700 | | | Direct Query |
| #1531 | Templ Optimizer | 72 | 6 | 63 | 1k+ | | | Direct Query |
| #1532 | Contact Forms by Cimatti | 73 | 88 | 26 | 600 | | | wp function not compatible with requires wp |
| #1533 | BP xProfile Location | 74 | 7 | 24 | 600 | | | Missing nonce verification |
| #1534 | Fast Speed Index | 74 | 9 | 12 | 500 | | | Direct Query |
| #1535 | Product Layouts for WooCommerce | 74 | 5 | 75 | 1k+ | | | Direct Query |
| #1536 | FlowForms – Conversational Form Builder | 75 | 17 | | 400 | | | Nonce verification recommended |
| #1537 | Media Search Enhanced | 75 | 4 | 23 | 4k+ | | | Non-prefixed hook name |
| #1538 | PopupAlly | 75 | 40 | 10 | 2k+ | | | Missing direct file access protection |
| #1539 | UTM Event Tracker and Analytics, UTM Grabber | 76 | 2 | 19 | 900 | | | Interpolated SQL is not prepared |
| #1540 | WP AdCenter – Ad Manager & Adsense Ads | 76 | 5 | 71 | 1k+ | | | Direct Query |
| #1541 | Dual Currency Display | 77 | 1 | 24 | 900 | | | Direct Query |
| #1542 | Claspo – Popups, Spin the Wheel & Email Capture | 78 | 107 | 16 | 1k+ | | | wp function not compatible with requires wp |
| #1543 | PatternsWP – Gutenberg Block Patterns & Page Templates Library | 78 | 1 | 25 | 500 | | | Non-prefixed constant |
| #1544 | Bricksable for Bricks Builder | 80 | 1 | 76 | 10k+ | | | Post Not In exclude |
| #1545 | Check for Broken Links | 80 | 7 | 41 | 500 | | | Non-prefixed global variable |
| #1546 | Ailo – AI Slug Translator | 80 | 8 | 14 | 1k+ | | | wp function not compatible with requires wp |
| #1547 | WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets | 80 | 26 | 18 | 30k+ | | | Missing direct file access protection |
| #1548 | Bulky – Bulk Edit Products for WooCommerce | 81 | 3 | 21 | 10k+ | | | Non-prefixed hook name |
| #1549 | HivePress Geolocation | 81 | 2 | 25 | 7k+ | | | Nonce verification recommended |
| #1550 | LoftLoader | 81 | 17 | 19 | 70k+ | | | Missing direct file access protection |