WordPress.DB.PreparedSQL.NotPrepared

SQL query is not prepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

Weight: critical

Why It Shows Up

The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.

Why It Matters

Unprepared SQL can allow SQL injection when user-controlled values reach the query.

How to Fix

  • Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` (for identifiers, where supported).
  • Pass the values as separate arguments to `$wpdb->prepare()`.
  • For table names, column names, and sort directions, use strict allowlists instead of raw user input.
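A before/after pair for this rule, as an added example (not from the scanner's page or from any plugin listed below); the table `{$wpdb->prefix}example_events`, its columns and the function names are hypothetical, and the `%i` identifier placeholder needs WordPress 6.2 or later:

```php
<?php
// Added example, not from the scanner or any listed plugin.
// Assumes a hypothetical table {$wpdb->prefix}example_events with columns id, title, status, created_at.

// BEFORE: the pattern this rule flags. $status, $orderby and $dir come straight
// from the request and are interpolated into the SQL string.
function example_get_events_unsafe( $status, $orderby, $dir ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT id, title FROM {$wpdb->prefix}example_events
         WHERE status = '{$status}' ORDER BY {$orderby} {$dir}"
    );
}

// AFTER: data values go through placeholders, identifiers through %i or an allowlist.
function example_get_events_safe( $status, $orderby, $dir, $limit ) {
    global $wpdb;

    // Column name: restrict to a fixed list, then bind it with %i (escaped as an identifier).
    $allowed_orderby = array( 'id', 'title', 'created_at' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'id';
    }

    // Sort direction cannot be bound as a value; reduce it to one of two literals.
    $dir = ( 'DESC' === strtoupper( (string) $dir ) ) ? 'DESC' : 'ASC';

    // %s binds the string value, %i the column identifier, %d the integer limit.
    // $dir is interpolated only after the allowlist above, so the sniff warning is a false positive here.
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_events
         WHERE status = %s ORDER BY %i {$dir} LIMIT %d", // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
        $status,
        $orderby,
        absint( $limit )
    );

    return $wpdb->get_results( $sql );
}
```

The unsafe form is kept only to show what the scanner matches; the safe form is the shape that clears both `NotPrepared` and the related `InterpolatedNotPrepared` check once the allowlisted direction is annotated.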

Affected Plugins

Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue
#901Everest Toolkit291451411k+Missing Translators Comment
#902Advanced Shipping Rates for WooCommerce: Flexible Table Rate Shipping Rules291855042k+Non-prefixed global variable
#903reCaptcha by BestWebSoft29474272100k+Text Domain Mismatch
#904Easy HTTPS Redirection (SSL)29266152100k+Unsafe printing function
#905Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms296253511k+Text Domain Mismatch
#906Wishlist for WooCommerce29610296600Output is not escaped
#907Login Me Now – Passwordless, Magic Link, OTP & Social Login for WordPress2986233500Nonce verification recommended
#908Meow Gallery2911318210k+Direct Query
#909Offload Media – Cloud Storage29126801k+unlink unlink
#910Page Restrict for WooCommerce29579374700Text Domain Mismatch
#911Page View Count2910824710k+Dynamic hook name
#912Post Timeline2991200800Missing nonce verification
#913Post Views Counter29179398200k+Non-prefixed hook name
#914Recipe Card Blocks Lite2915140810k+Non-prefixed global variable
#915Relevant – Related, Featured, Latest, and Popular Posts by BestWebSoft29487262800Text Domain Mismatch
#916SamedayCourier Shipping293362694k+Non Singular String Literal Domain
#917Security Ninja – WordPress Security & Firewall291493477k+Direct Query
#918Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce291482465k+Unsafe printing function
#919Slider by BestWebSoft29478336400Text Domain Mismatch
#920Social Engine2913390600Exception output is not escaped
#921ووسلام – همگام سازی ووکامرس و باسلام291926114k+Non-prefixed global variable
#922Themify – WooCommerce Product Filter2964314520k+Output is not escaped
#923User Verification by PickPlugins29413145k+Request data is not unslashed
#924weMail – Email Marketing, Newsletter Builder & Email Automations for WooCommerce292766810k+Missing direct file access protection
#925WP-PostRatings2942538430k+Output is not escaped
#926WPComplete293833331k+Output is not escaped
#927Xpro Addons — 140+ Widgets for Elementor292782630k+Non-prefixed global variable
#928Dynamic Pricing With Discount Rules for WooCommerce301361315k+Output is not escaped
#929Advanced Database Cleaner – Optimize & Clean Database to Speed Up Site Performance30164439100k+Interpolated SQL is not prepared
#930PublishPress Blocks – Block Controls, Block Visibility, Block Permissions3025134020k+Unsafe printing function
#931AI Product Tools – Bulk Product Content Generator & AI Toolkit for WooCommerce30502560400SQL query is not prepared
#932ApplyOnline – Application Form Builder and Manager303452442k+Output is not escaped
#933aThemes Starter Sites3026219540k+Text Domain Mismatch
#934AutoWP – AI Content Writer & Rewriter305483701k+Text Domain Mismatch
#935Sliding Cart for WooCommerce by FunnelKit – Skip Cart & Reach WooCommerce Checkout Faster3030643430k+Non-prefixed global variable
#936Cryptocurrency Donation Box – Bitcoin & Crypto Donations30334284500Output is not escaped
#937Custom Search by BestWebSoft – WordPress Custom Search Plugin30454228900Text Domain Mismatch
#938Easy Affiliate Links301861987k+Missing direct file access protection
#939Epeken All Kurir for Woocommerce305901,246500Missing nonce verification
#940Eway Payment Gateway3050992800Missing Translators Comment
#941PiWeb Export Customers Users & Guest customer to CSV for WooCommerce30173751k+Text Domain Mismatch
#942FormLift for Keap (Legacy) Web Forms30162315400Request data is not unslashed
#943Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant302642214k+Non Singular String Literal Text
#944Import WooCommerce Suite for Products, Orders, Coupons, Reviews, and Customers | WP Ultimate CSV Importer30804344k+Interpolated SQL is not prepared
#945core plugin for kitestudio themes30244415500Nonce verification recommended
#946Naver webmaster syndication v23089129500Output is not escaped
#947PayU CommercePro Plugin30952707k+Text Domain Mismatch
#948گرویتی فرم فارسی3020515720k+Text Domain Mismatch
#949Pixelgrade Assistant301,3501532k+Text Domain Mismatch
#950Sync Master Sheet – Product Sync with Google Sheet for WooCommerce30136300400Non-prefixed global variable