WordPress.DB.PreparedSQL.InterpolatedNotPrepared
Interpolated SQL is not prepared
Variables are interpolated into a SQL string before the query is prepared.
Why It Shows Up
The scan found dynamic values placed directly inside SQL, often through string interpolation, before `$wpdb->prepare()` can safely bind them.
Why It Matters
Preparing a query after unsafe interpolation does not reliably protect the dynamic value: once the variable has been expanded into the SQL string, `$wpdb->prepare()` sees it as part of the query text rather than as a parameter to bind, so it is never escaped or type-checked.
How to Fix
- Replace interpolated variables with placeholders.
- Pass each dynamic value as a separate `$wpdb->prepare()` argument.
- Use allowlists for SQL identifiers and directions that cannot be represented as normal values.
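The before/after pair below is an added example written for this page, not code from the sniff documentation or from any plugin listed under Affected Plugins. It assumes a WordPress environment with the global `$wpdb` object and a hypothetical table `{$wpdb->prefix}survey_answers` with columns `id`, `survey_id`, `score` and `created_at`.

```php
<?php
// Added example (not from the sniff documentation or any listed plugin).
// Assumes WordPress is loaded and a hypothetical table
// {$wpdb->prefix}survey_answers ( id, survey_id, score, created_at ) exists.

// BEFORE: flagged by WordPress.DB.PreparedSQL.InterpolatedNotPrepared.
// $survey_id and $orderby are already expanded into the SQL text when
// prepare() runs, so there is nothing left for prepare() to bind or escape.
function survey_answers_unsafe( $survey_id, $orderby ) {
    global $wpdb;
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, score FROM {$wpdb->prefix}survey_answers WHERE survey_id = $survey_id ORDER BY $orderby"
        )
    );
}

// AFTER: every dynamic *value* becomes a placeholder passed as a separate
// prepare() argument. The ORDER BY column and direction cannot be placeholders
// (they would be quoted as strings), so they are reduced to allowlisted
// constants before being placed in the query text.
function survey_answers_safe( $survey_id, $orderby, $direction, $limit = 20 ) {
    global $wpdb;

    $allowed_columns = array( 'id', 'score', 'created_at' );
    $orderby   = in_array( $orderby, $allowed_columns, true ) ? $orderby : 'id';
    $direction = ( 'DESC' === strtoupper( (string) $direction ) ) ? 'DESC' : 'ASC';

    // {$wpdb->prefix} is a trusted property; $orderby and $direction are now
    // one of a fixed set of literals, which is why the sniff is silenced here.
    // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- allowlisted identifier and direction
    $sql = "SELECT id, score FROM {$wpdb->prefix}survey_answers WHERE survey_id = %d ORDER BY {$orderby} {$direction} LIMIT %d";

    // Values are bound by prepare(): %d forces integers, %s would quote and
    // escape strings. Each value is its own argument, never part of $sql.
    return $wpdb->get_results( $wpdb->prepare( $sql, (int) $survey_id, (int) $limit ) );
}
```

A useful self-check when refactoring: after the change, the string handed to `$wpdb->prepare()` should contain only `%d`, `%s`, `%f` placeholders and trusted constants, with every request-derived value appearing solely in the argument list.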
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1551 | SurveyX Builder – Easy Feedback, Poll, Quiz & Survey | 81 | 22 | | 2k+ | | | Interpolated SQL is not prepared |
| #1552 | WebP Conversion | 82 | 1 | 33 | 3k+ | | | Non-prefixed global variable |
| #1553 | Advanced Appointment Booking & Scheduling | 83 | 11 | 13 | 3k+ | | | Text Domain Mismatch |
| #1554 | Username Changer | 84 | 37 | 13 | 40k+ | | | wp function not compatible with requires wp |
| #1555 | Salt Shaker | 85 | 15 | 13 | 6k+ | | | Interpolated SQL is not prepared |
| #1556 | Save and Continue Link Recovery for Gravity Forms | 85 | 16 | 5 | 400 | | | Text Domain Mismatch |
| #1557 | Notifima – WooCommerce Stock Manager, Inventory Management, Waitlist | 85 | 130 | 40 | 3k+ | | | Text Domain Mismatch |
| #1558 | Counters Block – Animated Number Counters, Stats & Dynamic KPIs | 86 | 5 | 14 | 3k+ | | | Missing direct file access protection |
| #1559 | ParcelWILL (Formerly ParcelPanel) – Shipment Tracking, Tracking & Order Tracking for WooCommerce | 87 | 6 | 81 | 7k+ | | | Non-prefixed global variable |
| #1560 | Hindi-To-Lat | 88 | 3 | 14 | 400 | | | Direct Query |
| #1561 | Skydropx | 88 | 4 | 9 | 1k+ | | | Non-prefixed global variable |
| #1562 | Ukr-To-Lat | 88 | 3 | 13 | 6k+ | | | Direct Query |
| #1563 | Record of Consent Extension for Complianz | 89 | 9 | | 400 | | | Database parameter is not escaped |
| #1564 | Taxonomy Metadata | 89 | 4 | 9 | 4k+ | | | Direct Query |
| #1565 | WP-Memory-Usage | 89 | 4 | 9 | 10k+ | | | Interpolated SQL is not prepared |
| #1566 | Hide Related Video Youtube | 90 | 3 | 8 | 1k+ | | | Direct Query |
| #1567 | HivePress Reviews | 90 | 5 | 11 | 7k+ | | | Non-prefixed global variable |
| #1568 | Outrank | 90 | 1 | 4 | 1k+ | | | Database parameter is not escaped |
| #1569 | Autoload Optimizer | 92 | 13 | | 500 | | | Direct Query |
| #1570 | PhotoSwipe | 92 | 4 | 9 | 1k+ | | | Not In Footer |
| #1571 | Custom Post Type Sticky | 93 | 10 | 6 | 900 | | | Text Domain Mismatch |
| #1572 | Seamless Sticky Custom Post Types | 94 | 8 | 5 | 1k+ | | | Missing Arg Domain |