WordPress.DB.PreparedSQL.NotPrepared

SQL query is not prepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical weight

Why It Shows Up

The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.

Why It Matters

Unprepared SQL can allow SQL injection when user-controlled values reach the query.

How to Fix

Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
Pass the values as separate arguments to `$wpdb->prepare()`.
For table names, column names, and sort directions, use strict allowlists instead of raw user input.

References

WordPress database access

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Updated	Top Issue
#551	WP Yelp Review Slider	25	429	645	1k+	27 days ago	Non-prefixed global variable
#552	WPCargo Track & Trace	25	239	557	10k+	7 days ago	Non-prefixed global variable
#553	Team Members Showcase	25	591	1,494	4k+	1 month ago	Non-prefixed global variable
#554	WPvivid Backup for MainWP	25	818	1,794	10k+	22 days ago	Missing nonce verification
#555	WPvivid — Backup, Migration & Staging	25	899	1,461	900k+	22 days ago	Non-prefixed namespace
#556	Video Gallery – YouTube Gallery, Playlist & Video Grid	25	275	1,070	2k+	3 days ago	Non-prefixed hook name
#557	YT Player – Embed and Customize Video Players	25	3,163	261	1k+	2 months ago	Output is not escaped
#558	Blog Floating Button	26	705	240	9k+	9 months ago	Output is not escaped
#559	Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar	26	526	263	5k+	2 months ago	Output is not escaped
#560	Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty	26	113	671	400k+	12 days ago	Non-prefixed global variable
#561	Database for Contact Form 7, WPforms, Elementor forms	26	317	489	60k+	4 days ago	Non-prefixed global variable
#562	Ditty – Responsive News Tickers, Sliders, and Lists	26	561	484	30k+	1 month ago	Output is not escaped
#563	Easy Appointments	26	135	569	10k+	5 days ago	Alternative PHP tag found
#564	ezCache	26	127	269	10k+	22 days ago	Direct Query
#565	Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager	26	113	597	90k+	12 days ago	Non-prefixed global variable
#566	FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.)	26	591	416	2k+	19 days ago	Exception output is not escaped
#567	Photo Gallery by Ays – Responsive Image Gallery	26	463	818	1k+	5 days ago	Output is not escaped
#568	Kadence Central – Site Management, Backups, Security, and Reporting	26	462	213	30k+	12 days ago	Text Domain Mismatch
#569	Loco Translate	26	454	242	1m+	22 days ago	Output is not escaped
#570	Media File Renamer: Rename for better SEO (AI-Powered)	26	148	170	40k+	24 days ago	Direct Query
#571	Hotel Booking	26	690	940	4k+	1 year ago	Unsafe printing function
#572	Open User Map – Interactive Leaflet Maps	26	893	986	10k+	14 days ago	Non-prefixed global variable
#573	Paytium: Mollie payment forms & donations	26	506	551	3k+	6 days ago	Unsafe printing function
#574	LoginWP (Formerly Peter's Login Redirect)	26	401	278	90k+	28 days ago	Output is not escaped
#575	Polylang	26	36	564	800k+	7 days ago	Non-prefixed hook name
#576	Profile Extra Fields by BestWebSoft	26	514	532	2k+	3 months ago	Text Domain Mismatch
#577	Related Posts Thumbnails Plugin for WordPress	26	382	198	20k+	3 months ago	Output is not escaped
#578	Send Users Email – Email Subscribers, Email Marketing Newsletter	26	188	415	5k+	5 days ago	Non-prefixed global variable
#579	SP Move Login	26	881	215	6k+	7 months ago	Text Domain Mismatch
#580	Sliced Invoices – WordPress Invoice Plugin	26	684	455	5k+	6 months ago	Output is not escaped
#581	Video Gallery – Vimeo and YouTube Gallery	26	561	794	6k+	5 years ago	Non-prefixed global variable
#582	UpdraftCentral Dashboard	26	267	180	6k+	18 days ago	Missing Translators Comment
#583	User Submitted Posts – Enable Users to Submit Posts from the Front End	26	699	396	10k+	15 days ago	Text Domain Mismatch
#584	Visitors Online by BestWebSoft	26	512	269	1k+	1 year ago	Text Domain Mismatch
#585	XL NMI Gateway for WooCommerce	26	695	436	1k+	1 month ago	Text Domain Mismatch
#586	WP Flashy Marketing Automation	26	432	186	2k+	4 days ago	Text Domain Mismatch
#587	WPCOM Member	26	432	638	1k+	6 days ago	Non Singular String Literal Domain
#588	Apollo13 Framework Extensions	27	171	273	20k+	7 months ago	Non-prefixed global variable
#589	Arconix FAQ	27	552	201	6k+	1 year ago	Text Domain Mismatch
#590	BackUpWordPress	27	245	271	90k+	2 years ago	Non-prefixed global variable
#591	Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms	27	720	367	5k+	1 month ago	Text Domain Mismatch
#592	WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin	27	692	381	3k+	4 months ago	Text Domain Mismatch
#593	Comment Link Remove and Other Comment Tools	27	691	132	7k+	2 months ago	Text Domain Mismatch
#594	Duplicate Post	27	447	274	300k+	2 months ago	Unsafe printing function
#595	Cyrlitera – Transliteration of Links and File Names	27	453	204	40k+	1 month ago	Output is not escaped
#596	Echo Knowledge Base – Documentation, FAQs, Chat & Smart Search	27	289	751	10k+	13 days ago	Output is not escaped
#597	CM Tooltip Glossary	27	611	188	8k+	1 month ago	Output is not escaped
#598	Events Calendar for GeoDirectory	27	1,229	462	2k+	19 days ago	Text Domain Mismatch
#599	FG Joomla to WordPress	27	278	101	7k+	3 months ago	Unsafe printing function
#600	Foxtool All-in-One: Contact chat button, Custom login, Media optimize images	27	1,629	360	7k+	7 months ago	Unsafe printing function