WordPress.DB.PreparedSQL.NotPrepared

SQL query is not prepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

Weight: critical

Why It Shows Up

The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.

Why It Matters

Unprepared SQL can allow SQL injection when user-controlled values reach the query.

How to Fix

  • Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
  • Pass the values as separate arguments to `$wpdb->prepare()`.
  • For table names, column names, and sort directions, use strict allowlists instead of raw user input.
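As an added illustration of the fix above (example code written here, not the scanner's own and not from any plugin listed below), the unprepared pattern the sniff flags sits next to its prepared form; the table `{$wpdb->prefix}orders`, the column allowlist and the parameter names are assumptions:

```php
<?php
// Added example, not from the scanner or any listed plugin. Assumes a table
// {$wpdb->prefix}orders and caller-supplied $status, $limit, $orderby, $dir.

// BEFORE: flagged by WordPress.DB.PreparedSQL.NotPrepared. Each interpolated
// value becomes SQL text, so a caller-controlled value can alter the query.
function orders_unprepared( $wpdb, $status, $limit, $orderby ) {
    return $wpdb->get_results(
        "SELECT id, total FROM {$wpdb->prefix}orders WHERE status = '$status' ORDER BY $orderby LIMIT $limit"
    );
}

// AFTER: values are bound through placeholders; identifiers and the sort
// direction, which cannot be bound as values, come from strict allowlists.
function orders_prepared( $wpdb, $status, $limit, $orderby, $dir ) {
    $allowed_columns = array( 'id', 'total', 'created_at' );
    $orderby = in_array( $orderby, $allowed_columns, true ) ? $orderby : 'id';
    $dir     = ( 'DESC' === strtoupper( $dir ) ) ? 'DESC' : 'ASC';

    // %s and %d are quoted by $wpdb->prepare(); {$orderby} and {$dir} are the
    // only spliced identifiers and can only take allowlisted constants.
    // On WordPress 6.2+ the %i placeholder can bind the column identifier instead.
    $sql = $wpdb->prepare(
        "SELECT id, total FROM {$wpdb->prefix}orders WHERE status = %s ORDER BY {$orderby} {$dir} LIMIT %d",
        $status,
        max( 1, (int) $limit )
    );
    return $wpdb->get_results( $sql );
}
```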

Affected Plugins

Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue
#951Sync Master Sheet – Product Sync with Google Sheet for WooCommerce30136300400Non-prefixed global variable
#952Pubjet | پاب‌جت30911721k+Output is not escaped
#953Rublon Multi-Factor Authentication (MFA)30216160500Output is not escaped
#954SMTP for Amazon SES – YaySMTP301971223k+Exception output is not escaped
#955User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress304842803k+Text Domain Mismatch
#956Waitlist Woocommerce ( Back in stock notifier )302723114k+Output is not escaped
#957Checkout with Cash App on WooCommerce301223082k+Non-prefixed global variable
#958Dropify301302522k+Nonce verification recommended
#959Webling30147313500Input is not validated
#960WP 2FA – Two-factor authentication for WordPress30269380100k+Exception output is not escaped
#961WP Docs302682711k+Output is not escaped
#962WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into Event Calendar301134191k+Non-prefixed global variable
#963remarketable3028193600Output is not escaped
#964WP Inventory Manager308562331k+Output is not escaped
#965Photo Gallery Slideshow & Masonry Tiled Gallery308063521k+Output is not escaped
#966WP Restaurant Price List3029595500Text Domain Mismatch
#967WPOrLogin – Custom Login, Social Login, Limit Attempts, Hide Login & reCAPTCHA304842222k+Unsafe printing function
#968WPS Cleaner3043049120k+Output is not escaped
#969YayPricing – WooCommerce Dynamic Pricing & Discounts301741863k+Non-prefixed global variable
#970YASR – Yet Another Star Rating Plugin for WordPress3025237810k+Output is not escaped
#971Zoho CRM Lead Magnet301011,0253k+Request data is not unslashed
#972Extra Product Options Builder for WooCommerce311131942k+Non-prefixed global variable
#973Advanced Category Excluder31349160700Output is not escaped
#974Advanced Woo Search – Product Search for WooCommerce3122837770k+Nonce verification recommended
#975AI Copilot – Content Generator311591631k+wp function not compatible with requires wp
#976All-in-one contact buttons – WPSHARE247311081134k+Non-prefixed global variable
#977Asgaros Forum3116741210k+Output is not escaped
#978AI ChatBot with ChatGPT and Content Generator by AYS31170378400Non-prefixed global variable
#979SEO合集(支持百度/Google/Bing/头条推送)31131,407800Direct Query
#980Яндекс Доставка (Boxberry)3146150600Missing nonce verification
#981Buy Me a Coffee – Button and Widget Plugin311381406k+Output is not escaped
#982České služby pro WordPress31951391k+Output is not escaped
#983CleverReach® WP31103934k+Non-prefixed global variable
#984Copy Anything to Clipboard for WordPress – Copy Button, Copy Text & Copy Code3152513110k+Text Domain Mismatch
#985MultiVendorX – WooCommerce Multivendor Marketplace AI Powered Solutions316642732k+Text Domain Mismatch
#986DirectoryPress Frontend31402563800Non-prefixed global variable
#987Domain Mapping System | Create Microsites with Multiple Alias Domains (multisite optional)311132332k+Non-prefixed namespace
#988Easy Upload Files During Checkout31220208500Unsafe printing function
#989افزونه پیامک حرفه ای فراز اس ام اس31891802k+wp function not compatible with requires wp
#990FastDup – Fastest WordPress Migration & Duplicator3183665k+wp function not compatible with requires wp
#991Form Vibes – Database Manager for Forms3117628410k+Text Domain Mismatch
#992FraudLabs Pro for WooCommerce311692131k+Request data is not unslashed
#993WP Gravity Forms Constant Contact Plugin31684164600Text Domain Mismatch
#994GS Pinterest Portfolio – Pins Grid, Masonry, User Profile, Popup & Board Widgets314021561k+Text Domain Mismatch
#995Image Hotspot – Map Image Annotation31952873k+Non-prefixed global variable
#996Interactive Image Map Builder311603811k+Non-prefixed global variable
#997Linguise – AI Automatic Multilingual Translation31612821k+Non-prefixed global variable
#998Keywords to Links Converter31288144700Text Domain Mismatch
#999Login rebuilder3140622620k+Non Singular String Literal Domain
#1000LWS Tools3110413410k+Request data is not unslashed