WordPress.DB.PreparedSQL.NotPrepared

SQL query is not prepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical weight

Why It Shows Up

The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.

Why It Matters

Unprepared SQL can allow SQL injection when user-controlled values reach the query.

How to Fix

Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
Pass the values as separate arguments to `$wpdb->prepare()`.
For table names, column names, and sort directions, use strict allowlists instead of raw user input.

References

WordPress database access

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Updated	Top Issue
#601	Foxtool All-in-One: Contact chat button, Custom login, Media optimize images	27	1,629	360	7k+	6 months ago	Unsafe Printing Function
#602	GSpeech TTS – WordPress Text To Speech Plugin	27	842	332	3k+	3 days ago	Output Not Escaped
#603	Import Eventbrite Events	27	156	575	3k+	1 month ago	Non Prefixed Variable Found
#604	iQ Block Country	27	164	245	20k+	5 days ago	Missing Unslash
#605	Login Security Solution	27	216	154	4k+	9 years ago	Output Not Escaped
#606	MakeCommerce for WooCommerce	27	826	452	3k+	18 days ago	Text Domain Mismatch
#607	MaxGalleria	27	278	567	2k+	1 month ago	Non Prefixed Variable Found
#608	MLSImport – Download and synchronize real estate data from various MLS (Multiple Listing Services)	27	154	551	5k+	6 days ago	Non Prefixed Variable Found
#609	Nextend Social Login and Register	27	1,668	243	200k+	2 months ago	Output Not Escaped
#610	OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA)	27	272	531	6k+	yesterday	Missing Unslash
#611	Presto Player	27	131	124	100k+	18 days ago	Missing Arg Domain
#612	Rate My Post – Star Rating Plugin by FeedbackWP	27	222	360	20k+	4 days ago	Output Not Escaped
#613	Simple Download Monitor	27	218	273	20k+	4 days ago	Output Not Escaped
#614	StoreGrowth: Smart Sales Booster for WooCommerce \| BOGO, Upsells, Direct Checkout, Quick View, Side Cart	27	89	377	2k+	1 month ago	Non Prefixed Variable Found
#615	Transbank Webpay	27	198	211	10k+	2 months ago	Non Prefixed Variable Found
#616	VOD Infomaniak	27	797	385	20k+	3 months ago	Output Not Escaped
#617	Watu Quiz	27	1,089	1,014	3k+	25 days ago	Output Not Escaped
#618	WP-DBManager	27	386	304	60k+	2 years ago	Non Prefixed Variable Found
#619	Email Marketing Plugin – WP Email Capture	27	383	262	1k+	2 months ago	Output Not Escaped
#620	WP Events Manager	27	294	415	30k+	8 months ago	Output Not Escaped
#621	WP Hide & Security Enhancer	27	124	375	50k+	14 days ago	Input Not Sanitized
#622	WPBase Cache	27	189	113	2k+	1 year ago	Text Domain Mismatch
#623	YARPP – Yet Another Related Posts Plugin	27	191	331	100k+	2 years ago	Non Prefixed Variable Found
#624	Divi Torque Lite – Divi Modules for the Divi Builder & Theme	28	132	256	50k+	8 days ago	Non Prefixed Variable Found
#625	AForms — Form Builder for Price Calculator & Cost Estimation	28	564	95	3k+	1 year ago	Text Domain Mismatch
#626	Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms	28	649	357	9k+	3 months ago	Text Domain Mismatch
#627	Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress	28	465	338	30k+	1 month ago	Text Domain Mismatch
#628	Maspik – Ultimate Spam Protection	28	212	864	30k+	28 days ago	Missing
#629	Deposits & Partial Payments for WooCommerce – Bayna	28	593	336	1k+	3 months ago	Output Not Escaped
#630	Dynamic User Directory	28	403	256	1k+	7 months ago	Output Not Escaped
#631	Discount Rules and Dynamic Pricing for WooCommerce	28	182	334	10k+	21 days ago	Output Not Escaped
#632	easy.jobs – AI powered Job Listing, Job Board, Career Page, Recruitment & Hiring Solution	28	405	810	5k+	5 days ago	Missing
#633	گیت‌لند \| درگاه پرداخت هوشمند گیت‌لند	28	327	235	2k+	4 days ago	Output Not Escaped
#634	Geo Mashup	28	775	232	1k+	2 months ago	Text Domain Mismatch
#635	Kadence Starter Templates — Predesigned Website Templates	28	312	215	300k+	27 days ago	Missing Arg Domain
#636	Maven Algolia	28	148	89	6k+	12 years ago	Non Singular String Literal Domain
#637	Media Hygiene: Remove or Delete Unused Images and More!	28	654	309	5k+	28 days ago	Non Singular String Literal Domain
#638	My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu)	28	161	400	100k+	11 days ago	Non Prefixed Variable Found
#639	Store Hours for WooCommerce	28	525	60	2k+	8 months ago	Output Not Escaped
#640	Order Tracking – WordPress Status Tracking Plugin	28	619	772	3k+	24 days ago	Unsafe Printing Function
#641	ووکامرس فارسی	28	157	215	90k+	10 days ago	Output Not Escaped
#642	افزونه حمل و نقل ووکامرس \| پست پیشتاز، تیپاکس و پیک موتوری	28	131	190	20k+	1 month ago	Missing
#643	Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery	28	143	258	5k+	12 days ago	Post Not In exclude
#644	Podcast Importer SecondLine	28	356	169	4k+	4 months ago	Text Domain Mismatch
#645	Responsive Lightbox & Gallery	28	139	513	100k+	3 days ago	Non Prefixed Hookname Found
#646	Transliterator – Multilingual and Multi-script Text Conversion	28	305	320	3k+	26 days ago	Output Not Escaped
#647	Slider Pro	28	583	527	4k+	23 days ago	Unsafe Printing Function
#648	Tab – Accordion, FAQ	28	104	542	1k+	4 years ago	Non Prefixed Variable Found
#649	Themesflat Addons For Elementor	28	714	227	40k+	3 months ago	Output Not Escaped
#650	Jetpack VaultPress	28	71	362	10k+	2 months ago	Missing