WordPress.DB.PreparedSQL.NotPrepared
SQL query is not prepared
A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.
Why It Shows Up
The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.
Why It Matters
Unprepared SQL can allow SQL injection when user-controlled values reach the query.
How to Fix
- Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
- Pass the values as separate arguments to `$wpdb->prepare()`.
- For table names, column names, and sort directions, use strict allowlists instead of raw user input.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #801 | Login Security Solution | 27 | 216 | 154 | 4k+ | Output is not escaped | ||
| #802 | MakeCommerce for WooCommerce | 27 | 826 | 452 | 3k+ | Text Domain Mismatch | ||
| #803 | MaxGalleria | 27 | 278 | 567 | 2k+ | Non-prefixed global variable | ||
| #804 | Memberful – Membership Plugin | 27 | 351 | 336 | 1k+ | Text Domain Mismatch | ||
| #805 | MLSImport – Download and synchronize real estate data from various MLS (Multiple Listing Services) | 27 | 154 | 551 | 5k+ | Non-prefixed global variable | ||
| #806 | Nextend Social Login and Register | 27 | 1,668 | 243 | 200k+ | Output is not escaped | ||
| #807 | Online Lesson Booking | 27 | 978 | 281 | 500 | Non Singular String Literal Domain | ||
| #808 | Rate My Post – Star Rating Plugin by FeedbackWP | 27 | 222 | 360 | 20k+ | Output is not escaped | ||
| #809 | Shipit | 27 | 371 | 209 | 400 | Text Domain Mismatch | ||
| #810 | Sign-up Sheets | 27 | 325 | 363 | 1k+ | Output is not escaped | ||
| #811 | Simple Download Monitor | 27 | 218 | 273 | 20k+ | Output is not escaped | ||
| #812 | Social Web Suite – Social Media Auto Post, Social Media Auto Publish | 27 | 74 | 164 | 500 | Non-prefixed global variable | ||
| #813 | Terms & Conditions Per Product | 27 | 533 | 1,336 | 800 | Non-prefixed global variable | ||
| #814 | Theme One Click Demo Importer | 27 | 210 | 157 | 500 | Text Domain Mismatch | ||
| #815 | Transbank Webpay | 27 | 198 | 211 | 10k+ | Non-prefixed global variable | ||
| #816 | Ultimate Watermark – Image Watermark, Image Protection & Bulk Watermarking | 27 | 164 | 303 | 1k+ | Nonce verification recommended | ||
| #817 | VOD Infomaniak | 27 | 797 | 385 | 20k+ | Output is not escaped | ||
| #818 | Watu Quiz | 27 | 1,089 | 1,014 | 3k+ | Output is not escaped | ||
| #819 | Mihdan: Ajax Edit Comments | 27 | 1,300 | 523 | 500 | Text Domain Mismatch | ||
| #820 | Content Pilot – Autoblogging & Affiliate Marketing Suite | 27 | 299 | 269 | 900 | Output is not escaped | ||
| #821 | WP-DBManager | 27 | 386 | 304 | 60k+ | Non-prefixed global variable | ||
| #822 | Email Marketing Plugin – WP Email Capture | 27 | 383 | 262 | 1k+ | Output is not escaped | ||
| #823 | WP Events Manager | 27 | 294 | 415 | 30k+ | Output is not escaped | ||
| #824 | WP Hide & Security Enhancer | 27 | 124 | 375 | 50k+ | Input is not sanitized | ||
| #825 | wp-mpdf | 27 | 123 | 382 | 1k+ | Non-prefixed global variable | ||
| #826 | WPBase Cache | 27 | 189 | 113 | 2k+ | Text Domain Mismatch | ||
| #827 | YARPP – Yet Another Related Posts Plugin | 27 | 191 | 331 | 100k+ | Non-prefixed global variable | ||
| #828 | Zibal Payment Gateway for Gravity Forms | 27 | 828 | 248 | 400 | Text Domain Mismatch | ||
| #829 | AForms — Form Builder for Price Calculator & Cost Estimation | 28 | 564 | 95 | 3k+ | Text Domain Mismatch | ||
| #830 | Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms | 28 | 632 | 351 | 800 | Text Domain Mismatch | ||
| #831 | Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms | 28 | 649 | 357 | 9k+ | Text Domain Mismatch | ||
| #832 | WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms | 28 | 659 | 359 | 400 | Text Domain Mismatch | ||
| #833 | Code Engine – PHP Snippets, AI Functions & Automation for WordPress | 28 | 124 | 96 | 700 | Non Singular String Literal Domain | ||
| #834 | Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress | 28 | 465 | 338 | 30k+ | Text Domain Mismatch | ||
| #835 | Maspik – Ultimate Spam Protection | 28 | 212 | 862 | 30k+ | Missing nonce verification | ||
| #836 | Database Cleaner | 28 | 137 | 297 | 10k+ | Direct Query | ||
| #837 | Deposits & Partial Payments for WooCommerce – Bayna | 28 | 593 | 336 | 1k+ | Output is not escaped | ||
| #838 | Dynamic User Directory | 28 | 403 | 256 | 1k+ | Output is not escaped | ||
| #839 | Discount Rules and Dynamic Pricing for WooCommerce | 28 | 182 | 334 | 10k+ | Output is not escaped | ||
| #840 | easy.jobs – AI powered Job Listing, Job Board, Career Page, Recruitment & Hiring Solution | 28 | 405 | 924 | 4k+ | Missing nonce verification | ||
| #841 | Educare – Students & Result Management System | 28 | 1,114 | 1,043 | 800 | Missing nonce verification | ||
| #842 | Event Tickets Manager for WooCommerce | 28 | 181 | 648 | 1k+ | Non-prefixed global variable | ||
| #843 | FAPI Member | 28 | 279 | 153 | 500 | Exception output is not escaped | ||
| #844 | گیتلند | درگاه پرداخت هوشمند گیتلند | 28 | 327 | 235 | 2k+ | Output is not escaped | ||
| #845 | Geo Mashup | 28 | 775 | 232 | 1k+ | Text Domain Mismatch | ||
| #846 | GS Books Showcase – Display Books in Grid, Slider & More | Library for WordPress | 28 | 55 | 437 | 500 | Non-prefixed global variable | ||
| #847 | Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms | 28 | 641 | 348 | 1k+ | Text Domain Mismatch | ||
| #848 | Kadence Starter Templates — Predesigned Website Templates | 28 | 312 | 215 | 300k+ | Missing Arg Domain | ||
| #849 | WP to LinkedIn Auto Publish | 28 | 734 | 250 | 900 | Unsafe printing function | ||
| #850 | Maven Algolia | 28 | 148 | 89 | 6k+ | Non Singular String Literal Domain |