WordPress.DB.PreparedSQL.NotPrepared
SQL query is not prepared
A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.
Why It Shows Up
The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.
Why It Matters
Unprepared SQL can allow SQL injection when user-controlled values reach the query.
How to Fix
- Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
- Pass the values as separate arguments to `$wpdb->prepare()`.
- For table names, column names, and sort directions, use strict allowlists instead of raw user input.
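Both forms side by side, as an added example written for this rule rather than taken from the scanner or from any plugin in the table; the table `{$wpdb->prefix}example_events` and its columns are hypothetical, and `%i` assumes WordPress 6.2 or newer:

```php
<?php
// Added example for WordPress.DB.PreparedSQL.NotPrepared; not code from the
// scanner or from a listed plugin. The table {$wpdb->prefix}example_events and
// its columns (id, user_id, status, created_at) are hypothetical.

// Flagged form: $status and $order are dropped straight into the SQL text, so
// any value a user controls becomes part of the query itself.
function example_events_unprepared( $status, $order ) {
	global $wpdb;
	$table = $wpdb->prefix . 'example_events';
	return $wpdb->get_results(
		"SELECT id, user_id FROM {$table} WHERE status = '{$status}' ORDER BY created_at {$order}"
	);
}

// Fixed form: values travel as prepare() arguments, identifiers go through %i
// (WordPress 6.2+), and the sort column and direction come from allowlists,
// because a placeholder cannot carry a SQL keyword such as ASC or DESC.
function example_events_prepared( $status, $orderby, $order, $limit ) {
	global $wpdb;

	$allowed_orderby = array( 'created_at', 'user_id', 'id' );
	if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
		$orderby = 'created_at';
	}
	// Only two fixed literals can survive this line, so concatenating $order is safe.
	$order = ( 'ASC' === strtoupper( (string) $order ) ) ? 'ASC' : 'DESC';

	return $wpdb->get_results(
		$wpdb->prepare(
			'SELECT id, user_id FROM %i WHERE status = %s ORDER BY %i ' . $order . ' LIMIT %d',
			$wpdb->prefix . 'example_events',
			$status,
			$orderby,
			max( 1, absint( $limit ) )
		)
	);
}
```

On WordPress versions without `%i`, treat the table and column names the way `$order` is treated here: compare against a fixed allowlist and concatenate only the allowlisted literal.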
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #651 | WP ADA Compliance Check Basic | 28 | 785 | 177 | 3k+ | | Text Domain Mismatch |
| #652 | WPS Bidouille | 28 | 472 | 215 | 10k+ | | Output Not Escaped |
| #653 | WP Synchro – The Ultimate WordPress Migration Tool | 28 | 243 | 244 | 2k+ | | Missing Translators Comment |
| #654 | Accordion Slider | 29 | 391 | 444 | 2k+ | | Unsafe Printing Function |
| #655 | AL Pack | 29 | 13 | 816 | 2k+ | | Non Prefixed Variable Found |
| #656 | Attribute Stock for WooCommerce – Shared Stock & Variable Quantities (Lite Version) | 29 | 481 | 313 | 2k+ | | Text Domain Mismatch |
| #657 | Better Google Analytics | 29 | 376 | 869 | 2k+ | | Non Prefixed Variable Found |
| #658 | Bitcoin Payments – Blockonomics | 29 | 208 | 227 | 3k+ | | Output Not Escaped |
| #659 | Plugin BlueX for WooCommerce | 29 | 431 | 216 | 2k+ | | Text Domain Mismatch |
| #660 | Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms | 29 | 236 | 369 | 2k+ | | Non Prefixed Variable Found |
| #661 | Chained Quiz | 29 | 1,132 | 721 | 1k+ | | Text Domain Mismatch |
| #662 | CloudSecure WP Security | 29 | 74 | 350 | 100k+ | | Missing Unslash |
| #663 | Countdown, Coming Soon, Maintenance – Countdown & Clock | 29 | 1,735 | 143 | 10k+ | | Non Singular String Literal Domain |
| #664 | Database Cleaner | 29 | 135 | 297 | 10k+ | | Direct Query |
| #665 | Document Gallery | 29 | 183 | 98 | 8k+ | | Output Not Escaped |
| #666 | DoLogin Security | 29 | 312 | 305 | 7k+ | | Output Not Escaped |
| #667 | Interactive Image Map Plugin – Draw Attention | 29 | 620 | 227 | 20k+ | | Output Not Escaped |
| #668 | Everest Toolkit | 29 | 145 | 141 | 1k+ | | Missing Translators Comment |
| #669 | Advanced Shipping Rates for WooCommerce: Flexible Table Rate Shipping Rules | 29 | 185 | 504 | 2k+ | | Non Prefixed Variable Found |
| #670 | reCaptcha by BestWebSoft | 29 | 474 | 272 | 100k+ | | Text Domain Mismatch |
| #671 | Page View Count | 29 | 108 | 247 | 10k+ | | Dynamic Hookname Found |
| #672 | Post Views Counter | 29 | 179 | 398 | 200k+ | | Non Prefixed Hookname Found |
| #673 | Recipe Card Blocks Lite | 29 | 151 | 408 | 10k+ | | Non Prefixed Variable Found |
| #674 | SamedayCourier Shipping | 29 | 336 | 269 | 4k+ | | Non Singular String Literal Domain |
| #675 | Security Ninja – WordPress Security & Firewall | 29 | 149 | 347 | 7k+ | | Direct Query |
| #676 | Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce | 29 | 146 | 246 | 5k+ | | Unsafe Printing Function |
| #677 | ووسلام – همگام سازی ووکامرس و باسلام | 29 | 192 | 611 | 4k+ | | Non Prefixed Variable Found |
| #678 | Themify – WooCommerce Product Filter | 29 | 643 | 145 | 20k+ | | Output Not Escaped |
| #679 | User Verification by PickPlugins | 29 | 41 | 314 | 5k+ | | Missing Unslash |
| #680 | weMail – Email Marketing, Newsletter Builder & Email Automations for WooCommerce | 29 | 276 | 68 | 10k+ | | missing direct file access protection |
| #681 | WP-PostRatings | 29 | 425 | 384 | 30k+ | | Output Not Escaped |
| #682 | Xpro Addons — 140+ Widgets for Elementor | 29 | 27 | 826 | 30k+ | | Non Prefixed Variable Found |
| #683 | Dynamic Pricing With Discount Rules for WooCommerce | 30 | 136 | 131 | 5k+ | | Output Not Escaped |
| #684 | Advanced Database Cleaner – Optimize & Clean Database to Speed Up Site Performance | 30 | 164 | 439 | 100k+ | | Interpolated Not Prepared |
| #685 | PublishPress Blocks – Block Controls, Block Visibility, Block Permissions | 30 | 251 | 340 | 20k+ | | Unsafe Printing Function |
| #686 | ApplyOnline – Application Form Builder and Manager | 30 | 354 | 260 | 2k+ | | Output Not Escaped |
| #687 | aThemes Starter Sites | 30 | 259 | 195 | 40k+ | | Text Domain Mismatch |
| #688 | Buy Me a Coffee – Button and Widget Plugin | 30 | 139 | 140 | 6k+ | | Output Not Escaped |
| #689 | Sliding Cart for WooCommerce by FunnelKit – Skip Cart & Reach WooCommerce Checkout Faster | 30 | 306 | 434 | 30k+ | | Non Prefixed Variable Found |
| #690 | Custom Field Template | 30 | 521 | 618 | 30k+ | | Recommended |
| #691 | Easy Affiliate Links | 30 | 186 | 198 | 7k+ | | missing direct file access protection |
| #692 | Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant | 30 | 264 | 221 | 4k+ | | Missing Unslash |
| #693 | Import WooCommerce Suite | 30 | 80 | 434 | 4k+ | | Interpolated Not Prepared |
| #694 | Meow Gallery | 30 | 111 | 182 | 10k+ | | Direct Query |
| #695 | PayU CommercePro Plugin | 30 | 95 | 270 | 7k+ | | Text Domain Mismatch |
| #696 | SMTP for Amazon SES – YaySMTP | 30 | 197 | 122 | 3k+ | | Exception Not Escaped |
| #697 | User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress | 30 | 484 | 280 | 3k+ | | Text Domain Mismatch |
| #698 | Waitlist Woocommerce ( Back in stock notifier ) | 30 | 272 | 311 | 4k+ | | Output Not Escaped |
| #699 | Checkout with Cash App on WooCommerce | 30 | 122 | 308 | 2k+ | | Non Prefixed Variable Found |
| #700 | Dropify | 30 | 130 | 252 | 2k+ | | Recommended |