WordPress.DB.PreparedSQL.NotPrepared
SQL query is not prepared
A SQL string passed to a `$wpdb` query method (such as `query()`, `get_results()`, `get_var()`, `get_row()` or `get_col()`) is built from dynamic values without `$wpdb->prepare()` or an equivalent safe pattern such as a strict allowlist.
Why It Shows Up
The scan found a SQL string passed to a `$wpdb` query method in which PHP variables are interpolated or concatenated directly rather than bound through `$wpdb->prepare()`. The check is static: it flags any variable in the query string regardless of where the value came from, so a hard-coded constant or an already-validated integer triggers it as well. Table-name properties of `$wpdb` itself (such as `$wpdb->posts` or `$wpdb->prefix`) are not flagged.
Why It Matters
If any interpolated value is attacker-controlled (a request parameter, a shortcode attribute, post meta or an option written by a lower-privileged user), a single quote or a stray keyword in that value changes the structure of the query instead of being treated as data. The attacker can then read other tables such as the users table, bypass `WHERE` clauses, or modify rows, all with the database privileges of the site's MySQL account. Note that sanitization helpers such as `sanitize_text_field()` do not make a value safe for SQL, because they leave quotes intact; only quoting via `$wpdb->prepare()` or restricting the value to a strict allowlist does.
How to Fix
- Move dynamic values into placeholders: `%s` for strings (prepared as a quoted literal, so do not add quotes around it yourself), `%d` for integers, `%f` for floats, and `%i` for identifiers such as table and column names on WordPress 6.2 and later. A literal percent sign in the query must be written as `%%`.
- Pass the values as separate arguments (or a single array) to `$wpdb->prepare()` and hand the returned string to the query method. Values used with `LIKE` must go through `$wpdb->esc_like()` first, since `prepare()` quotes the value but does not neutralise `%` and `_` wildcards.
- For table names, column names (on WordPress older than 6.2) and sort directions, which are identifiers or keywords and can never be bound as values, map the user input through a strict allowlist and interpolate only the allowlisted result, never the raw input.
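The three steps above carried through in one function, as an added example that is not code from the original page or from any plugin listed on it. It assumes the standard global `$wpdb` object and a hypothetical custom table `{$wpdb->prefix}orgchart_nodes` with columns `id`, `name`, `title` and `created_at`; the function names `orgchart_search_unsafe()` and `orgchart_search_safe()` are likewise invented for illustration.

```php
<?php
/**
 * Added example, not code from the original page or from any plugin listed
 * on it. Assumes the global $wpdb object and a hypothetical custom table
 * {$wpdb->prefix}orgchart_nodes with columns id, name, title, created_at.
 */

// BEFORE: the pattern the sniff flags. Every variable is interpolated straight
// into the SQL. A single quote in $term ends the string literal and the rest of
// the value is parsed as SQL; $orderby and $dir can inject arbitrary clauses.
function orgchart_search_unsafe( $term, $orderby, $dir ) {
	global $wpdb;
	$table = $wpdb->prefix . 'orgchart_nodes';
	return $wpdb->get_results(
		"SELECT id, name FROM $table WHERE name LIKE '%$term%' ORDER BY $orderby $dir"
	);
}

// AFTER: values are bound through placeholders, identifiers and keywords are
// mapped through allowlists, and the LIKE pattern is escaped before binding.
function orgchart_search_safe( $term, $orderby, $dir, $limit = 20 ) {
	global $wpdb;
	$table = $wpdb->prefix . 'orgchart_nodes'; // $wpdb->prefix is not user input.

	// Sort column: the user input is only a *key* into the allowlist; the value
	// that reaches the query is always one of the literals written here.
	$allowed_columns = array(
		'name'    => 'name',
		'title'   => 'title',
		'created' => 'created_at',
	);
	$column = isset( $allowed_columns[ $orderby ] ) ? $allowed_columns[ $orderby ] : 'name';

	// Sort direction is a keyword, not a value, so it can never be a placeholder.
	$dir = ( 'DESC' === strtoupper( (string) $dir ) ) ? 'DESC' : 'ASC';

	// prepare() quotes the value but leaves LIKE wildcards active; esc_like()
	// must run first so a user-supplied % or _ is matched literally.
	$like = '%' . $wpdb->esc_like( (string) $term ) . '%';

	// %s is quoted by prepare() (do not add quotes yourself), %d casts to int,
	// %i (WordPress 6.2+) backtick-quotes an identifier. {$dir} is safe to
	// interpolate only because it was reduced to ASC/DESC above.
	$sql = $wpdb->prepare(
		"SELECT id, name FROM {$table} WHERE name LIKE %s ORDER BY %i {$dir} LIMIT %d",
		$like,
		$column,
		max( 1, min( 100, (int) $limit ) )
	);

	return $wpdb->get_results( $sql );
}
```

Two caveats when applying this. `$wpdb->prepare()` emits a `_doing_it_wrong()` notice when the query contains no placeholders, so a fully static query should be passed to the query method directly rather than wrapped in `prepare()`. And the `%i` placeholder quotes an identifier but does not validate it; if the column name comes from the request, keep the allowlist in front of it (as above) rather than binding the raw input, otherwise an attacker can still select an unintended column.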
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1051 | Organization chart | 32 | 187 | 334 | 5k+ | | | SQL query is not prepared |
| #1052 | DEPRECATED – Shipmondo – A complete shipping solution for WooCommerce | 32 | 166 | 119 | 5k+ | | | Output is not escaped |
| #1053 | گرویتی فرم فارسی | 32 | 190 | 174 | 20k+ | | | Text Domain Mismatch |
| #1054 | PilotPress | 32 | 150 | 285 | 900 | | | Output is not escaped |
| #1055 | Plugin Organizer | 32 | 326 | 257 | 10k+ | | | Output is not escaped |
| #1056 | TS Poll – Survey, Versus Poll, Image Poll, Video Poll | 32 | 570 | 171 | 4k+ | | | Text Domain Mismatch |
| #1057 | Volunteer Sign Up Sheets | 32 | 967 | 401 | 1k+ | | | Output is not escaped |
| #1058 | Quick Featured Images | 32 | 436 | 323 | 50k+ | | | Non-prefixed global variable |
| #1059 | Responsive Filterable Portfolio Gallery – Media Grid & Video Portfolio | 32 | 436 | 163 | 1k+ | | | Output is not escaped |
| #1060 | Restrict Usernames Emails Characters | 32 | 327 | 367 | 1k+ | | | Output is not escaped |
| #1061 | Revolut Gateway for WooCommerce | 32 | 85 | 157 | 6k+ | | | Input is not sanitized |
| #1062 | RSS for Yandex Turbo | 32 | 687 | 307 | 20k+ | | | Unsafe printing function |
| #1063 | Simple Ajax Chat – Add a Fast, Secure Chat Box | 32 | 108 | 266 | 2k+ | | | Output is not escaped |
| #1064 | Sky Addons for Elementor | 32 | 85 | 351 | 2k+ | | | Non-prefixed namespace |
| #1065 | Split Test For Elementor | 32 | 98 | 132 | 3k+ | | | Non-prefixed global variable |
| #1066 | Spoki – Chat Buttons and WooCommerce Notifications | 32 | 1,074 | 260 | 700 | | | Unsafe printing function |
| #1067 | Stock Locations for WooCommerce | 32 | 548 | 360 | 1k+ | | | Output is not escaped |
| #1068 | Stock Sync for WooCommerce | 32 | 362 | 232 | 1k+ | | | Text Domain Mismatch |
| #1069 | System Dashboard | 32 | 91 | 205 | 1k+ | | | Request data is not unslashed |
| #1070 | Thrive Automator | 32 | 84 | 84 | 10k+ | | | SQL query is not prepared |
| #1071 | Tumult Hype Animations | 32 | 56 | 117 | 1k+ | | | Output is not escaped |
| #1072 | UiCore Blocks – Free WordPress Gutenberg Blocks | 32 | 59 | 387 | 500 | | | Non-prefixed global variable |
| #1073 | Unbounce Landing Pages | 32 | 169 | 86 | 10k+ | | | Output is not escaped |
| #1074 | Multi Currency For WooCommerce | 32 | 87 | 70 | 1k+ | | | Non-prefixed global variable |
| #1075 | WebwinkelKeur: Webshop keurmerk & reviews for WordPress | 32 | 200 | 47 | 4k+ | | | Short PHP open tag found |
| #1076 | WP Bannerize Pro | 32 | 281 | 216 | 800 | | | Text Domain Mismatch |
| #1077 | wp-jalali | 32 | 219 | 66 | 10k+ | | | Text Domain Mismatch |
| #1078 | SEOPress – AI SEO Plugin & On-site SEO | 32 | 138 | 429 | 300k+ | | | Non-prefixed global variable |
| #1079 | WP-Stats | 32 | 237 | 126 | 2k+ | | | Output is not escaped |
| #1080 | Privacy Policy Generator – WPLP Legal Pages | 32 | 26 | 409 | 10k+ | | | Non-prefixed global variable |
| #1081 | Yoo Slider – Image Slider & Video Slider | 32 | 744 | 209 | 600 | | | Output is not escaped |
| #1082 | Extra Product Options Builder for WooCommerce | 33 | 101 | 155 | 2k+ | | | Non-prefixed hook name |
| #1083 | Archive Posts Sort Customize | 33 | 338 | 97 | 600 | | | Output is not escaped |
| #1084 | Premium Portfolio Features for Phlox theme | 33 | 204 | 137 | 40k+ | | | Output is not escaped |
| #1085 | Chartify – WordPress Chart Plugin | 33 | 76 | 411 | 3k+ | | | Non-prefixed global variable |
| #1086 | Companion Sitemap Generator – Simple, Smart, and SEO-Ready | 33 | 118 | 57 | 7k+ | | | Missing Translators Comment |
| #1087 | Contact List – Online Staff Directory & Address Book | 33 | 118 | 342 | 1k+ | | | Nonce verification recommended |
| #1088 | Chatbot with IBM watsonx Assistant | 33 | 324 | 83 | 400 | | | Non Singular String Literal Domain |
| #1089 | Device Detector | 33 | 209 | 112 | 600 | | | Output is not escaped |
| #1090 | Gallery Custom Links | 33 | 64 | 62 | 30k+ | | | Non Singular String Literal Domain |
| #1091 | GetResponse Forms by Optin Cat | 33 | 68 | 138 | 1k+ | | | Missing direct file access protection |
| #1092 | Ultimate Addons for Elementor | 33 | 81 | 291 | 2m+ | | | Non-prefixed class |
| #1093 | Flipbox – Awesomes Flip Boxes Image Overlay | 33 | 400 | 7,279 | 10k+ | | | Input is not validated |
| #1094 | ImageLinks – Interactive Image Builder with Hotspots | 33 | 517 | 90 | 1k+ | | | Text Domain Mismatch |
| #1095 | Inactive User Deleter | 33 | 453 | 170 | 800 | | | Output is not escaped |
| #1096 | InPost Gallery | 33 | 105 | 245 | 800 | | | Non-prefixed global variable |
| #1097 | Intagrate Lite | 33 | 94 | 152 | 4k+ | | | date date |
| #1098 | Forms for Mailchimp by Optin Cat – Grow Your MailChimp List | 33 | 71 | 133 | 2k+ | | | Missing direct file access protection |
| #1099 | MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics | 33 | 26 | 279 | 7k+ | | | Non-prefixed global variable |
| #1100 | Membership For WooCommerce | 33 | 40 | 659 | 800 | | | Non-prefixed global variable |