WordPress.DB.PreparedSQL.InterpolatedNotPrepared

Interpolated SQL is not prepared

Variables are interpolated into a SQL string before the query is prepared.

Weight: critical

Why It Shows Up

The scan found a variable interpolated into a double-quoted SQL string (or heredoc) that is handed to `$wpdb`, so the dynamic value is already part of the query text instead of being bound through a `$wpdb->prepare()` placeholder. Interpolation of `$wpdb` properties such as `{$wpdb->prefix}` or `{$wpdb->posts}` is accepted; any other variable inside the string triggers the finding.

Why It Matters

Wrapping the query in `$wpdb->prepare()` after a value has been interpolated does not protect that value. `prepare()` escapes and binds only the arguments supplied for its placeholders; text that was interpolated beforehand reaches it as part of the query and is executed as written, so a value such as `1 OR 1=1` or one containing a quote changes the query's meaning. A literal `%` inside the interpolated value is also read as placeholder syntax and can break the query even when no attacker is involved.

How to Fix

  • Replace every interpolated variable in the SQL string with a typed placeholder (`%d`, `%f`, `%s`).
  • Pass each dynamic value as a separate `$wpdb->prepare()` argument, in placeholder order; for `LIKE` patterns, escape the term with `$wpdb->esc_like()` and put the wildcards in the bound value, not in the query text.
  • Identifiers (table and column names) and keywords such as `ASC`/`DESC` cannot be bound as values: check them against an allowlist before use, and on WordPress 6.2+ bind identifiers with the `%i` placeholder.
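The following is an added example and is not code from any of the scanned plugins or from WordPress Coding Standards. It shows a query that trips this sniff next to the same query rewritten so every dynamic value is bound; the `survey_answers` table, its columns and the incoming parameters are hypothetical.

```php
<?php
/**
 * Added example, not code from the scanned plugins or from WPCS.
 * The table name (survey_answers), its columns and the parameters are
 * hypothetical. Requires WordPress 6.2+ for the %i identifier placeholder.
 */

// ----- BEFORE: flagged by WordPress.DB.PreparedSQL.InterpolatedNotPrepared --
function survey_answers_unsafe( $survey_id, $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'survey_answers';

    // $table, $survey_id and $term are interpolated into the SQL text before
    // prepare() runs. prepare() binds only the %d; the other values are already
    // part of the query, so a $survey_id of "1 OR 1=1" or a $term containing a
    // quote is executed as SQL, and a literal "%" in $term is parsed as
    // placeholder syntax.
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$table} WHERE survey_id = {$survey_id} AND answer LIKE '%{$term}%' LIMIT %d",
            20
        )
    );
}

// ----- AFTER: every value is a placeholder argument -------------------------
function survey_answers_safe( $survey_id, $term, $orderby, $order ) {
    global $wpdb;

    // Identifiers and keywords cannot be bound as values, so they are
    // allowlisted instead of taken from the request as-is.
    $allowed_orderby = array( 'created_at', 'score' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'created_at';
    }
    $order = ( 'ASC' === strtoupper( (string) $order ) ) ? 'ASC' : 'DESC';

    // esc_like() escapes %, _ and \ in the search term so they match
    // literally; the surrounding wildcards go into the bound value, never
    // into the query text.
    $like = '%' . $wpdb->esc_like( (string) $term ) . '%';

    // {$wpdb->prefix} is accepted by the sniff. %i binds the allowlisted
    // column name as a quoted identifier. $order has no placeholder type, so
    // it is the one interpolation left, guarded by the allowlist above and
    // annotated so the sniff does not report it.
    $sql = $wpdb->prepare(
        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- $order is allowlisted above.
        "SELECT * FROM {$wpdb->prefix}survey_answers WHERE survey_id = %d AND answer LIKE %s ORDER BY %i {$order} LIMIT %d",
        absint( $survey_id ),
        $like,
        $orderby,
        20
    );

    return $wpdb->get_results( $sql );
}
```

In the hardened version the only text that reaches `prepare()` unbound is `ASC` or `DESC`, chosen from two constants, so there is nothing left for an attacker to inject; the `phpcs:ignore` annotation records why that one interpolation is acceptable rather than hiding a real finding.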

Affected Plugins

Rank | Plugin | Score | Errors / Warnings / Installs (digits ran together in extraction; Added and Updated not captured) | Top Issue
#1551 | SurveyX Builder – Easy Feedback, Poll, Quiz & Survey | 81 | 222k+ | Interpolated SQL is not prepared
#1552 | WebP Conversion | 82 | 1333k+ | Non-prefixed global variable
#1553 | Advanced Appointment Booking & Scheduling | 83 | 11133k+ | Text Domain Mismatch
#1554 | Username Changer | 84 | 371340k+ | wp function not compatible with requires wp
#1555 | Salt Shaker | 85 | 15136k+ | Interpolated SQL is not prepared
#1556 | Save and Continue Link Recovery for Gravity Forms | 85 | 165400 | Text Domain Mismatch
#1557 | Notifima – WooCommerce Stock Manager, Inventory Management, Waitlist | 85 | 130403k+ | Text Domain Mismatch
#1558 | Counters Block – Animated Number Counters, Stats & Dynamic KPIs | 86 | 5143k+ | Missing direct file access protection
#1559 | ParcelWILL (Formerly ParcelPanel) – Shipment Tracking, Tracking & Order Tracking for WooCommerce | 87 | 6817k+ | Non-prefixed global variable
#1560 | Hindi-To-Lat | 88 | 314400 | Direct Query
#1561 | Skydropx | 88 | 491k+ | Non-prefixed global variable
#1562 | Ukr-To-Lat | 88 | 3136k+ | Direct Query
#1563 | Record of Consent Extension for Complianz | 89 | 9400 | Database parameter is not escaped
#1564 | Taxonomy Metadata | 89 | 494k+ | Direct Query
#1565 | WP-Memory-Usage | 89 | 4910k+ | Interpolated SQL is not prepared
#1566 | Hide Related Video Youtube | 90 | 381k+ | Direct Query
#1567 | HivePress Reviews | 90 | 5117k+ | Non-prefixed global variable
#1568 | Outrank | 90 | 141k+ | Database parameter is not escaped
#1569 | Autoload Optimizer | 92 | 13500 | Direct Query
#1570 | PhotoSwipe | 92 | 491k+ | Not In Footer
#1571 | Custom Post Type Sticky | 93 | 106900 | Text Domain Mismatch
#1572 | Seamless Sticky Custom Post Types | 94 | 851k+ | Missing Arg Domain