WordPress.DB.PreparedSQL.NotPrepared
SQL query is not prepared
A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.
Why It Shows Up
The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.
Why It Matters
Unprepared SQL can allow SQL injection when user-controlled values reach the query.
How to Fix
- Move dynamic values into placeholders: `%s` for strings, `%d` for integers, `%f` for floats, and `%i` for identifiers where the WordPress version supports it.
- Pass the values as separate arguments to `$wpdb->prepare()`, never interpolated or concatenated into the SQL string.
- For table names, column names, and sort directions, which cannot be bound as values, use strict allowlists instead of raw user input.
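A before/after pair for the fix steps above, added here as an illustration and not code from the page or from any plugin it lists. The function names, the `myplugin_items` table and the `created_at` column are assumed; `%i` requires WordPress 6.2 or later.

```php
<?php
// Added example: a plugin search handler that builds a query from request
// input. Table, column and function names are assumed for illustration.

// BEFORE: flagged by WordPress.DB.PreparedSQL.NotPrepared. The search term,
// status, sort column and direction are interpolated straight into the SQL.
function myplugin_search_unsafe( $term, $status, $orderby, $dir ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_items';
    return $wpdb->get_results(
        "SELECT id, title FROM $table WHERE title LIKE '%$term%' AND status = '$status' ORDER BY $orderby $dir"
    );
}

// AFTER: values are bound with placeholders, identifiers are allowlisted.
function myplugin_search_safe( $term, $status, $orderby, $dir ) {
    global $wpdb;

    // Identifiers cannot be bound as values, so restrict them to a fixed set
    // and fall back to a safe default for anything else.
    $allowed_orderby = array( 'id', 'title', 'created_at' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'id';
    }

    // ASC/DESC has no placeholder at all; choose one of two fixed literals.
    // If the sniff still reports the interpolated $dir below, that is the
    // justification to record on a phpcs:ignore comment for that line.
    $dir = ( 'DESC' === strtoupper( (string) $dir ) ) ? 'DESC' : 'ASC';

    // esc_like() escapes %, _ and \ so the term matches literally inside LIKE;
    // the wildcards are added after escaping and the whole value is bound with %s.
    $like = '%' . $wpdb->esc_like( $term ) . '%';

    // %s quotes and escapes a string value; %i quotes an identifier (WP 6.2+).
    // {$wpdb->prefix} is a $wpdb property, which the sniff permits in the string.
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}myplugin_items
         WHERE title LIKE %s AND status = %s
         ORDER BY %i {$dir}",
        $like,
        $status,
        $orderby
    );

    return $wpdb->get_results( $sql );
}
```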
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #701 | Send Users Email – Email Subscribers, Email Marketing Newsletter | 26 | 188 | 415 | 5k+ | Non-prefixed global variable |
| #702 | SP Move Login | 26 | 881 | 215 | 6k+ | Text Domain Mismatch |
| #703 | Sliced Invoices – WordPress Invoice Plugin | 26 | 684 | 455 | 5k+ | Output is not escaped |
| #704 | Video Gallery – Vimeo and YouTube Gallery | 26 | 561 | 794 | 6k+ | Non-prefixed global variable |
| #705 | StoreGrowth: Smart Sales Booster for WooCommerce \| BOGO, Upsells, Direct Checkout, Quick View, Side Cart | 26 | 125 | 420 | 2k+ | Non-prefixed global variable |
| #706 | Subscriber by BestWebSoft | 26 | 550 | 376 | 1k+ | Text Domain Mismatch |
| #707 | UpdraftCentral Dashboard | 26 | 267 | 180 | 6k+ | Missing Translators Comment |
| #708 | URL Image Importer | 26 | 142 | 239 | 700 | Missing nonce verification |
| #709 | User Submitted Posts – Enable Users to Submit Posts from the Front End | 26 | 699 | 396 | 10k+ | Text Domain Mismatch |
| #710 | Visitors Online by BestWebSoft | 26 | 512 | 269 | 1k+ | Text Domain Mismatch |
| #711 | XL NMI Gateway for WooCommerce | 26 | 695 | 436 | 1k+ | Text Domain Mismatch |
| #712 | WP Flashy Marketing Automation | 26 | 432 | 186 | 2k+ | Text Domain Mismatch |
| #713 | WPCOM Member | 26 | 432 | 638 | 1k+ | Non Singular String Literal Domain |
| #714 | Amazon Product in a Post Plugin | 27 | 362 | 416 | 800 | Output is not escaped |
| #715 | Apollo13 Framework Extensions | 27 | 171 | 273 | 20k+ | Non-prefixed global variable |
| #716 | Arconix FAQ | 27 | 552 | 201 | 6k+ | Text Domain Mismatch |
| #717 | BackUpWordPress | 27 | 245 | 271 | 90k+ | Non-prefixed global variable |
| #718 | Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms | 27 | 720 | 367 | 5k+ | Text Domain Mismatch |
| #719 | WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin | 27 | 692 | 381 | 3k+ | Text Domain Mismatch |
| #720 | Comment Link Remove and Other Comment Tools | 27 | 691 | 132 | 7k+ | Text Domain Mismatch |
| #721 | Contact Form Generator : Creative form builder for WordPress | 27 | 1,076 | 1,510 | 800 | Output is not escaped |
| #722 | Duplicate Post | 27 | 447 | 274 | 300k+ | Unsafe printing function |
| #723 | Cyrlitera – Transliteration of Links and File Names | 27 | 453 | 204 | 40k+ | Output is not escaped |
| #724 | Echo Knowledge Base – Documentation, FAQs, Chat & Smart Search | 27 | 289 | 751 | 10k+ | Output is not escaped |
| #725 | CM Tooltip Glossary | 27 | 611 | 188 | 8k+ | Output is not escaped |
| #726 | Events Calendar for GeoDirectory | 27 | 1,229 | 462 | 2k+ | Text Domain Mismatch |
| #727 | FG Joomla to WordPress | 27 | 278 | 101 | 7k+ | Unsafe printing function |
| #728 | Foxtool All-in-One: Contact chat button, Custom login, Media optimize images | 27 | 1,629 | 360 | 7k+ | Unsafe printing function |
| #729 | StylePress for Elementor | 27 | 767 | 283 | 600 | Text Domain Mismatch |
| #730 | Gravity Forms + Stripe | 27 | 368 | 210 | 600 | Output is not escaped |
| #731 | GSpeech TTS – WordPress Text To Speech Plugin | 27 | 842 | 332 | 3k+ | Output is not escaped |
| #732 | ImageRecycle pdf & image compression | 27 | 329 | 204 | 1k+ | Text Domain Mismatch |
| #733 | Import Eventbrite Events | 27 | 156 | 575 | 3k+ | Non-prefixed global variable |
| #734 | iQ Block Country | 27 | 164 | 245 | 20k+ | Request data is not unslashed |
| #735 | Login Security Solution | 27 | 216 | 154 | 4k+ | Output is not escaped |
| #736 | MakeCommerce for WooCommerce | 27 | 826 | 452 | 3k+ | Text Domain Mismatch |
| #737 | MaxGalleria | 27 | 278 | 567 | 2k+ | Non-prefixed global variable |
| #738 | Memberful – Membership Plugin | 27 | 351 | 336 | 1k+ | Text Domain Mismatch |
| #739 | MLSImport – Download and synchronize real estate data from various MLS (Multiple Listing Services) | 27 | 154 | 551 | 5k+ | Non-prefixed global variable |
| #740 | Nextend Social Login and Register | 27 | 1,668 | 243 | 200k+ | Output is not escaped |
| #741 | OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) | 27 | 271 | 568 | 6k+ | Request data is not unslashed |
| #742 | Rate My Post – Star Rating Plugin by FeedbackWP | 27 | 222 | 360 | 20k+ | Output is not escaped |
| #743 | Sign-up Sheets | 27 | 325 | 363 | 1k+ | Output is not escaped |
| #744 | Simple Download Monitor | 27 | 218 | 273 | 20k+ | Output is not escaped |
| #745 | Terms & Conditions Per Product | 27 | 533 | 1,336 | 800 | Non-prefixed global variable |
| #746 | Transbank Webpay | 27 | 198 | 211 | 10k+ | Non-prefixed global variable |
| #747 | Ultimate Watermark – Image Watermark, Image Protection & Bulk Watermarking | 27 | 164 | 303 | 1k+ | Nonce verification recommended |
| #748 | VOD Infomaniak | 27 | 797 | 385 | 20k+ | Output is not escaped |
| #749 | Watu Quiz | 27 | 1,089 | 1,014 | 3k+ | Output is not escaped |
| #750 | Data Exchange for WooCommerce and 1C:Enterprise/1С:Предприятие | 27 | 92 | 250 | 1k+ | Non-prefixed global variable |