WordPress.DB.PreparedSQL.NotPrepared

SQL query is not prepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

Weight: critical

Why It Shows Up

The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.

Why It Matters

Unprepared SQL can allow SQL injection when user-controlled values reach the query.

How to Fix

  • Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
  • Pass the values as separate arguments to `$wpdb->prepare()`.
  • For table names, column names, and sort directions, use strict allowlists instead of raw user input.
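The three fix steps above, worked through in PHP as an added example (not code from this page or from any plugin listed below). It assumes a hypothetical table `{$wpdb->prefix}example_items` with columns `id`, `title` and `created_at`, and request input consisting of a search string, a sort column, a sort direction and a page size; the function names are invented for the illustration.

```php
<?php
/**
 * Added example, not from the page or any listed plugin.
 * Assumes a hypothetical table {$wpdb->prefix}example_items
 * with columns id, title, created_at.
 */

// BEFORE: the pattern WordPress.DB.PreparedSQL.NotPrepared reports.
// Request values are interpolated straight into the SQL string, so any
// quote or keyword in $search, $orderby or $order becomes part of the query.
function example_items_unprepared( $search, $orderby, $order ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_items';
    return $wpdb->get_results(
        "SELECT id, title FROM {$table} WHERE title LIKE '%{$search}%' ORDER BY {$orderby} {$order}"
    );
}

// AFTER: values go through placeholders, identifiers through allowlists.
function example_items_prepared( $search, $orderby, $order, $limit = 20 ) {
    global $wpdb;

    // Column and direction are identifiers, not values: prepare() cannot
    // quote them as strings, so restrict each to a fixed set of options.
    $allowed_columns = array( 'id', 'title', 'created_at' );
    $orderby = in_array( $orderby, $allowed_columns, true ) ? $orderby : 'id';
    $order   = ( 'DESC' === strtoupper( (string) $order ) ) ? 'DESC' : 'ASC';

    // Escape LIKE wildcards inside the user value, then add our own.
    $like = '%' . $wpdb->esc_like( (string) $search ) . '%';

    // %i (WordPress 6.2+) backtick-quotes identifiers such as the table and
    // the allowlisted column; %s binds the search value; %d binds the limit.
    // Only the direction is still interpolated, and it can only be ASC/DESC.
    $sql = $wpdb->prepare(
        "SELECT id, title FROM %i WHERE title LIKE %s ORDER BY %i {$order} LIMIT %d",
        $wpdb->prefix . 'example_items',
        $like,
        $orderby,
        absint( $limit )
    );

    return $wpdb->get_results( $sql );
}
```

On WordPress releases before 6.2, `%i` is unavailable; the table and column then have to be interpolated after the same allowlist check, which is exactly the case the third bullet covers. A static scanner still sees an interpolated variable in that string, so the allowlist check, not the placeholder, is what has to be visible in the code right next to the query.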

Affected Plugins

Rank | Plugin | Score | Errors / Warnings / Installs (run together in the source) | Top Issue
#1051 | Organization chart | 32 | 1873345k+ | SQL query is not prepared
#1052 | DEPRECATED – Shipmondo – A complete shipping solution for WooCommerce | 32 | 1661195k+ | Output is not escaped
#1053 | گرویتی فرم فارسی | 32 | 19017420k+ | Text Domain Mismatch
#1054 | PilotPress | 32 | 150285900 | Output is not escaped
#1055 | Plugin Organizer | 32 | 32625710k+ | Output is not escaped
#1056 | TS Poll – Survey, Versus Poll, Image Poll, Video Poll | 32 | 5701714k+ | Text Domain Mismatch
#1057 | Volunteer Sign Up Sheets | 32 | 9674011k+ | Output is not escaped
#1058 | Quick Featured Images | 32 | 43632350k+ | Non-prefixed global variable
#1059 | Responsive Filterable Portfolio Gallery – Media Grid & Video Portfolio | 32 | 4361631k+ | Output is not escaped
#1060 | Restrict Usernames Emails Characters | 32 | 3273671k+ | Output is not escaped
#1061 | Revolut Gateway for WooCommerce | 32 | 851576k+ | Input is not sanitized
#1062 | RSS for Yandex Turbo | 32 | 68730720k+ | Unsafe printing function
#1063 | Simple Ajax Chat – Add a Fast, Secure Chat Box | 32 | 1082662k+ | Output is not escaped
#1064 | Sky Addons for Elementor | 32 | 853512k+ | Non-prefixed namespace
#1065 | Split Test For Elementor | 32 | 981323k+ | Non-prefixed global variable
#1066 | Spoki – Chat Buttons and WooCommerce Notifications | 32 | 1,074260700 | Unsafe printing function
#1067 | Stock Locations for WooCommerce | 32 | 5483601k+ | Output is not escaped
#1068 | Stock Sync for WooCommerce | 32 | 3622321k+ | Text Domain Mismatch
#1069 | System Dashboard | 32 | 912051k+ | Request data is not unslashed
#1070 | Thrive Automator | 32 | 848410k+ | SQL query is not prepared
#1071 | Tumult Hype Animations | 32 | 561171k+ | Output is not escaped
#1072 | UiCore Blocks – Free WordPress Gutenberg Blocks | 32 | 59387500 | Non-prefixed global variable
#1073 | Unbounce Landing Pages | 32 | 1698610k+ | Output is not escaped
#1074 | Multi Currency For WooCommerce | 32 | 87701k+ | Non-prefixed global variable
#1075 | WebwinkelKeur: Webshop keurmerk & reviews for WordPress | 32 | 200474k+ | Short PHP open tag found
#1076 | WP Bannerize Pro | 32 | 281216800 | Text Domain Mismatch
#1077 | wp-jalali | 32 | 2196610k+ | Text Domain Mismatch
#1078 | SEOPress – AI SEO Plugin & On-site SEO | 32 | 138429300k+ | Non-prefixed global variable
#1079 | WP-Stats | 32 | 2371262k+ | Output is not escaped
#1080 | Privacy Policy Generator – WPLP Legal Pages | 32 | 2640910k+ | Non-prefixed global variable
#1081 | Yoo Slider – Image Slider & Video Slider | 32 | 744209600 | Output is not escaped
#1082 | Extra Product Options Builder for WooCommerce | 33 | 1011552k+ | Non-prefixed hook name
#1083 | Archive Posts Sort Customize | 33 | 33897600 | Output is not escaped
#1084 | Premium Portfolio Features for Phlox theme | 33 | 20413740k+ | Output is not escaped
#1085 | Chartify – WordPress Chart Plugin | 33 | 764113k+ | Non-prefixed global variable
#1086 | Companion Sitemap Generator – Simple, Smart, and SEO-Ready | 33 | 118577k+ | Missing Translators Comment
#1087 | Contact List – Online Staff Directory & Address Book | 33 | 1183421k+ | Nonce verification recommended
#1088 | Chatbot with IBM watsonx Assistant | 33 | 32483400 | Non Singular String Literal Domain
#1089 | Device Detector | 33 | 209112600 | Output is not escaped
#1090 | Gallery Custom Links | 33 | 646230k+ | Non Singular String Literal Domain
#1091 | GetResponse Forms by Optin Cat | 33 | 681381k+ | Missing direct file access protection
#1092 | Ultimate Addons for Elementor | 33 | 812912m+ | Non-prefixed class
#1093 | Flipbox – Awesomes Flip Boxes Image Overlay | 33 | 4007,27910k+ | Input is not validated
#1094 | ImageLinks – Interactive Image Builder with Hotspots | 33 | 517901k+ | Text Domain Mismatch
#1095 | Inactive User Deleter | 33 | 453170800 | Output is not escaped
#1096 | InPost Gallery | 33 | 105245800 | Non-prefixed global variable
#1097 | Intagrate Lite | 33 | 941524k+ | date date
#1098 | Forms for Mailchimp by Optin Cat – Grow Your MailChimp List | 33 | 711332k+ | Missing direct file access protection
#1099 | MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics | 33 | 262797k+ | Non-prefixed global variable
#1100 | Membership For WooCommerce | 33 | 40659800 | Non-prefixed global variable