WordPress.DB.PreparedSQL.NotPrepared
SQL query is not prepared
A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.
Why It Shows Up
The scan found a SQL string passed to a `$wpdb` query method (such as `query()`, `get_results()`, `get_var()`, `get_row()`, or `get_col()`) in which variables are interpolated or concatenated directly instead of being bound through `$wpdb->prepare()`. The sniff reads source text only: it reports the unbound variable regardless of whether some earlier code sanitized it.
Why It Matters
Unprepared SQL allows SQL injection as soon as a value an attacker can influence reaches the query, whether it arrives directly from the request or indirectly through an option, post meta, or another stored value. Sanitizing functions such as `sanitize_text_field()` do not make a value safe for SQL; only binding it through a placeholder, or reducing it to a known-good literal, does.
How to Fix
- Move each dynamic value into a placeholder: `%s` for strings, `%d` for integers, `%f` for floats, and `%i` for table or column identifiers (available since WordPress 6.2). Do not wrap placeholders in quotes; `prepare()` adds the quoting itself, and a literal `%` in the query must be written as `%%`.
- Pass the values as separate arguments to `$wpdb->prepare()` in placeholder order, then hand the returned string to the query method. `prepare()` expects at least one placeholder in the query, so a query with no dynamic data should be passed to the query method directly.
- A value used in a `LIKE` clause must go through `$wpdb->esc_like()` before it is bound with `%s`; otherwise `%` and `_` in the input act as wildcards.
- Sort directions (`ASC`/`DESC`) cannot be bound by any placeholder, and WordPress versions before 6.2 have no identifier placeholder at all. For table names, column names, and sort directions, resolve the input against a strict allowlist of known-good strings and use the allowlisted string, never the raw user input.
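The fix described above, as an added example that is not part of the original page or of any plugin listed below: a query the sniff flags, beside the prepared form it accepts. The table `myplugin_events`, its columns, and the function names are hypothetical; `%i` requires WordPress 6.2 or later, and the `phpcs:disable` lines name the sniff's `InterpolatedNotPrepared` code for the two fragments that are deliberately interpolated only after they have been reduced to known-good literals.

```php
<?php
// Added example, not code from the page: the pattern this sniff flags next to
// the prepared form it expects. myplugin_events and its columns are
// hypothetical; the functions are meant to run inside a WordPress plugin.

/**
 * Vulnerable: $status and $orderby reach the SQL string unbound. A single
 * quote in $status ends the literal and the rest of the value becomes SQL;
 * $orderby is SQL from the start. The sniff reports the get_results() line.
 */
function myplugin_list_events_unsafe() {
	global $wpdb;
	$status  = $_GET['status'];
	$orderby = $_GET['orderby'];
	$sql     = "SELECT id, title FROM {$wpdb->prefix}myplugin_events WHERE status = '$status' ORDER BY $orderby";
	return $wpdb->get_results( $sql ); // WordPress.DB.PreparedSQL.NotPrepared
}

/**
 * Hardened: every value is bound through a placeholder, every identifier is
 * resolved against an allowlist, and the only interpolated fragment is the
 * allowlisted sort direction, which no placeholder type can carry.
 */
function myplugin_list_events( $status, $search, $orderby, $order, $limit ) {
	global $wpdb;

	// Identifiers: pick from known-good strings, never pass the raw input on.
	$columns = array( 'id', 'title', 'starts_at' );
	if ( ! in_array( $orderby, $columns, true ) ) {
		$orderby = 'starts_at';
	}
	$order = ( 'ASC' === strtoupper( (string) $order ) ) ? 'ASC' : 'DESC';

	// LIKE terms: escape the wildcards first, then bind as an ordinary string.
	// The literal '%' lives in the bound value, not in the query text, so no
	// '%%' escaping is needed here.
	$like = '%' . $wpdb->esc_like( $search ) . '%';

	// %s and %d bind values; %i (WordPress 6.2+) binds the allowlisted column
	// as a quoted identifier. On older WordPress, interpolate $orderby the same
	// way $order is interpolated below. {$wpdb->prefix} is a trusted property.
	// phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- $order is allowlisted to ASC/DESC above.
	$sql = $wpdb->prepare(
		"SELECT id, title, starts_at
		   FROM {$wpdb->prefix}myplugin_events
		  WHERE status = %s
		    AND title LIKE %s
		  ORDER BY %i {$order}
		  LIMIT %d",
		$status,
		$like,
		$orderby,
		absint( $limit )
	);
	// phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared

	return $wpdb->get_results( $sql );
}

/**
 * Lists of values: build one %d per element so every id is still bound.
 * The placeholder string holds no user data, which is why interpolating it
 * is acceptable; prepare() accepts the values as a single array argument.
 */
function myplugin_events_by_ids( array $ids ) {
	global $wpdb;
	$ids = array_map( 'absint', $ids );
	if ( empty( $ids ) ) {
		return array();
	}
	$placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
	// phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- $placeholders contains only literal %d tokens.
	$sql = $wpdb->prepare(
		"SELECT id, title FROM {$wpdb->prefix}myplugin_events WHERE id IN ( {$placeholders} )",
		$ids
	);
	// phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
	return $wpdb->get_results( $sql );
}
```

Call the hardened functions with values already unslashed and sanitized at the request boundary; `prepare()` protects the query, not the rest of the plugin. Because the sniff reads source text, a fragment that is safe only because of logic elsewhere is still reported: keep such fragments rare, reduce them to a literal chosen from an allowlist as shown, and state the reason on the ignore comment so a reviewer can check it.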
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #951 | Sync Master Sheet – Product Sync with Google Sheet for WooCommerce | 30 | 136 | 300 | 400 | | | Non-prefixed global variable |
| #952 | Pubjet \| پابجت | 30 | 91 | 172 | 1k+ | | | Output is not escaped |
| #953 | Rublon Multi-Factor Authentication (MFA) | 30 | 216 | 160 | 500 | | | Output is not escaped |
| #954 | SMTP for Amazon SES – YaySMTP | 30 | 197 | 122 | 3k+ | | | Exception output is not escaped |
| #955 | User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress | 30 | 484 | 280 | 3k+ | | | Text Domain Mismatch |
| #956 | Waitlist Woocommerce ( Back in stock notifier ) | 30 | 272 | 311 | 4k+ | | | Output is not escaped |
| #957 | Checkout with Cash App on WooCommerce | 30 | 122 | 308 | 2k+ | | | Non-prefixed global variable |
| #958 | Dropify | 30 | 130 | 252 | 2k+ | | | Nonce verification recommended |
| #959 | Webling | 30 | 147 | 313 | 500 | | | Input is not validated |
| #960 | WP 2FA – Two-factor authentication for WordPress | 30 | 269 | 380 | 100k+ | | | Exception output is not escaped |
| #961 | WP Docs | 30 | 268 | 271 | 1k+ | | | Output is not escaped |
| #962 | WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into Event Calendar | 30 | 113 | 419 | 1k+ | | | Non-prefixed global variable |
| #963 | remarketable | 30 | 281 | 93 | 600 | | | Output is not escaped |
| #964 | WP Inventory Manager | 30 | 856 | 233 | 1k+ | | | Output is not escaped |
| #965 | Photo Gallery Slideshow & Masonry Tiled Gallery | 30 | 806 | 352 | 1k+ | | | Output is not escaped |
| #966 | WP Restaurant Price List | 30 | 295 | 95 | 500 | | | Text Domain Mismatch |
| #967 | WPOrLogin – Custom Login, Social Login, Limit Attempts, Hide Login & reCAPTCHA | 30 | 484 | 222 | 2k+ | | | Unsafe printing function |
| #968 | WPS Cleaner | 30 | 430 | 491 | 20k+ | | | Output is not escaped |
| #969 | YayPricing – WooCommerce Dynamic Pricing & Discounts | 30 | 174 | 186 | 3k+ | | | Non-prefixed global variable |
| #970 | YASR – Yet Another Star Rating Plugin for WordPress | 30 | 252 | 378 | 10k+ | | | Output is not escaped |
| #971 | Zoho CRM Lead Magnet | 30 | 101 | 1,025 | 3k+ | | | Request data is not unslashed |
| #972 | Extra Product Options Builder for WooCommerce | 31 | 113 | 194 | 2k+ | | | Non-prefixed global variable |
| #973 | Advanced Category Excluder | 31 | 349 | 160 | 700 | | | Output is not escaped |
| #974 | Advanced Woo Search – Product Search for WooCommerce | 31 | 228 | 377 | 70k+ | | | Nonce verification recommended |
| #975 | AI Copilot – Content Generator | 31 | 159 | 163 | 1k+ | | | wp function not compatible with requires wp |
| #976 | All-in-one contact buttons – WPSHARE247 | 31 | 108 | 113 | 4k+ | | | Non-prefixed global variable |
| #977 | Asgaros Forum | 31 | 167 | 412 | 10k+ | | | Output is not escaped |
| #978 | AI ChatBot with ChatGPT and Content Generator by AYS | 31 | 170 | 378 | 400 | | | Non-prefixed global variable |
| #979 | SEO合集 (SEO Collection; supports Baidu/Google/Bing/Toutiao push) | 31 | 13 | 1,407 | 800 | | | Direct Query |
| #980 | Яндекс Доставка (Yandex Delivery, Boxberry) | 31 | 46 | 150 | 600 | | | Missing nonce verification |
| #981 | Buy Me a Coffee – Button and Widget Plugin | 31 | 138 | 140 | 6k+ | | | Output is not escaped |
| #982 | České služby pro WordPress (Czech services for WordPress) | 31 | 95 | 139 | 1k+ | | | Output is not escaped |
| #983 | CleverReach® WP | 31 | 103 | 93 | 4k+ | | | Non-prefixed global variable |
| #984 | Copy Anything to Clipboard for WordPress – Copy Button, Copy Text & Copy Code | 31 | 525 | 131 | 10k+ | | | Text Domain Mismatch |
| #985 | MultiVendorX – WooCommerce Multivendor Marketplace AI Powered Solutions | 31 | 664 | 273 | 2k+ | | | Text Domain Mismatch |
| #986 | DirectoryPress Frontend | 31 | 402 | 563 | 800 | | | Non-prefixed global variable |
| #987 | Domain Mapping System \| Create Microsites with Multiple Alias Domains (multisite optional) | 31 | 113 | 233 | 2k+ | | | Non-prefixed namespace |
| #988 | Easy Upload Files During Checkout | 31 | 220 | 208 | 500 | | | Unsafe printing function |
| #989 | افزونه پیامک حرفه ای فراز اس ام اس (Faraz SMS professional SMS plugin) | 31 | 89 | 180 | 2k+ | | | wp function not compatible with requires wp |
| #990 | FastDup – Fastest WordPress Migration & Duplicator | 31 | 83 | 66 | 5k+ | | | wp function not compatible with requires wp |
| #991 | Form Vibes – Database Manager for Forms | 31 | 176 | 284 | 10k+ | | | Text Domain Mismatch |
| #992 | FraudLabs Pro for WooCommerce | 31 | 169 | 213 | 1k+ | | | Request data is not unslashed |
| #993 | WP Gravity Forms Constant Contact Plugin | 31 | 684 | 164 | 600 | | | Text Domain Mismatch |
| #994 | GS Pinterest Portfolio – Pins Grid, Masonry, User Profile, Popup & Board Widgets | 31 | 402 | 156 | 1k+ | | | Text Domain Mismatch |
| #995 | Image Hotspot – Map Image Annotation | 31 | 95 | 287 | 3k+ | | | Non-prefixed global variable |
| #996 | Interactive Image Map Builder | 31 | 160 | 381 | 1k+ | | | Non-prefixed global variable |
| #997 | Linguise – AI Automatic Multilingual Translation | 31 | 61 | 282 | 1k+ | | | Non-prefixed global variable |
| #998 | Keywords to Links Converter | 31 | 288 | 144 | 700 | | | Text Domain Mismatch |
| #999 | Login rebuilder | 31 | 406 | 226 | 20k+ | | | Non Singular String Literal Domain |
| #1000 | LWS Tools | 31 | 104 | 134 | 10k+ | | | Request data is not unslashed |