WordPress.DB.PreparedSQL.NotPrepared
SQL query is not prepared
A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.
Why It Shows Up
The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.
Why It Matters
Unprepared SQL can allow SQL injection when user-controlled values reach the query.
How to Fix
- Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
- Pass the values as separate arguments to `$wpdb->prepare()`.
- For table names, column names, and sort directions, use strict allowlists instead of raw user input.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #751 | OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) | 26 | 272 | 576 | 6k+ | Request data is not unslashed | ||
| #752 | Open User Map – Interactive Leaflet Maps | 26 | 893 | 986 | 10k+ | Non-prefixed global variable | ||
| #753 | Paytium: Mollie payment forms & donations | 26 | 506 | 551 | 3k+ | Unsafe printing function | ||
| #754 | PDF for WPForms + Drag and Drop Template Builder | 26 | 674 | 113 | 1k+ | wp function not compatible with requires wp | ||
| #755 | LoginWP (Formerly Peter's Login Redirect) | 26 | 401 | 278 | 90k+ | Output is not escaped | ||
| #756 | Polylang | 26 | 36 | 564 | 800k+ | Non-prefixed hook name | ||
| #757 | Portfolio by BestWebSoft – Work and Projects Presentation Plugin for WordPress | 26 | 525 | 240 | 600 | Text Domain Mismatch | ||
| #758 | Product Table For WooCommerce | 26 | 191 | 858 | 600 | Non-prefixed global variable | ||
| #759 | Profile Extra Fields by BestWebSoft | 26 | 514 | 532 | 2k+ | Text Domain Mismatch | ||
| #760 | Related Posts Thumbnails Plugin for WordPress | 26 | 382 | 198 | 20k+ | Output is not escaped | ||
| #761 | RestaurantPress | 26 | 265 | 518 | 600 | Output is not escaped | ||
| #762 | Send Users Email – Email Subscribers, Email Marketing Newsletter | 26 | 188 | 415 | 5k+ | Non-prefixed global variable | ||
| #763 | SP Move Login | 26 | 881 | 215 | 6k+ | Text Domain Mismatch | ||
| #764 | Sliced Invoices – WordPress Invoice Plugin | 26 | 684 | 455 | 5k+ | Output is not escaped | ||
| #765 | Video Gallery – Vimeo and YouTube Gallery | 26 | 561 | 794 | 6k+ | Non-prefixed global variable | ||
| #766 | StoreGrowth: Smart Sales Booster for WooCommerce | BOGO, Upsells, Direct Checkout, Quick View, Side Cart | 26 | 125 | 420 | 2k+ | Non-prefixed global variable | ||
| #767 | Subscriber by BestWebSoft | 26 | 550 | 376 | 900 | Text Domain Mismatch | ||
| #768 | Ultimate Reviews | 26 | 515 | 345 | 400 | Output is not escaped | ||
| #769 | UpdraftCentral Dashboard | 26 | 267 | 180 | 6k+ | Missing Translators Comment | ||
| #770 | URL Image Importer | 26 | 142 | 239 | 700 | Missing nonce verification | ||
| #771 | User Submitted Posts – Enable Users to Submit Posts from the Front End | 26 | 699 | 396 | 10k+ | Text Domain Mismatch | ||
| #772 | Visitors Online by BestWebSoft | 26 | 512 | 269 | 1k+ | Text Domain Mismatch | ||
| #773 | XL NMI Gateway for WooCommerce | 26 | 695 | 436 | 1k+ | Text Domain Mismatch | ||
| #774 | WP Flashy Marketing Automation | 26 | 432 | 186 | 2k+ | Text Domain Mismatch | ||
| #775 | WPCOM Member | 26 | 432 | 638 | 1k+ | Non Singular String Literal Domain | ||
| #776 | Divi Torque Lite – Divi Modules for the Divi Builder & Theme | 27 | 144 | 265 | 50k+ | Non-prefixed global variable | ||
| #777 | Amazon Product in a Post Plugin | 27 | 362 | 416 | 800 | Output is not escaped | ||
| #778 | Apollo13 Framework Extensions | 27 | 171 | 273 | 20k+ | Non-prefixed global variable | ||
| #779 | Arconix FAQ | 27 | 552 | 201 | 6k+ | Text Domain Mismatch | ||
| #780 | BackUpWordPress | 27 | 245 | 271 | 90k+ | Non-prefixed global variable | ||
| #781 | Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms | 27 | 720 | 367 | 5k+ | Text Domain Mismatch | ||
| #782 | WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin | 27 | 692 | 381 | 3k+ | Text Domain Mismatch | ||
| #783 | Comment Link Remove and Other Comment Tools | 27 | 691 | 132 | 7k+ | Text Domain Mismatch | ||
| #784 | Contact Form Generator : Creative form builder for WordPress | 27 | 1,076 | 1,510 | 800 | Output is not escaped | ||
| #785 | Duplicate Post | 27 | 447 | 274 | 300k+ | Unsafe printing function | ||
| #786 | Polls CP | 27 | 399 | 500 | 400 | Output is not escaped | ||
| #787 | Cyrlitera – Transliteration of Links and File Names | 27 | 453 | 204 | 40k+ | Output is not escaped | ||
| #788 | Echo Knowledge Base – Documentation, FAQs, Chat & Smart Search | 27 | 289 | 751 | 10k+ | Output is not escaped | ||
| #789 | EZ SQL Reports Shortcode Widget and DB Backup | 27 | 165 | 158 | 500 | Output is not escaped | ||
| #790 | CM Tooltip Glossary | 27 | 611 | 188 | 7k+ | Output is not escaped | ||
| #791 | Events Calendar for GeoDirectory | 27 | 1,229 | 462 | 2k+ | Text Domain Mismatch | ||
| #792 | FG Joomla to WordPress | 27 | 278 | 101 | 7k+ | Unsafe printing function | ||
| #793 | Foxtool All-in-One: Contact chat button, Custom login, Media optimize images | 27 | 1,629 | 360 | 7k+ | Unsafe printing function | ||
| #794 | StylePress for Elementor | 27 | 767 | 283 | 600 | Text Domain Mismatch | ||
| #795 | Gravity Forms + Stripe | 27 | 368 | 210 | 600 | Output is not escaped | ||
| #796 | GSpeech TTS – WordPress Text To Speech Plugin | 27 | 842 | 333 | 3k+ | Output is not escaped | ||
| #797 | ImageRecycle pdf & image compression | 27 | 329 | 204 | 1k+ | Text Domain Mismatch | ||
| #798 | Import Eventbrite Events | 27 | 156 | 575 | 3k+ | Non-prefixed global variable | ||
| #799 | iQ Block Country | 27 | 164 | 245 | 20k+ | Request data is not unslashed | ||
| #800 | Login Security Solution | 27 | 216 | 154 | 4k+ | Output is not escaped |