WordPress.DB.PreparedSQL.NotPrepared

SQL query is not prepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical weight

Why It Shows Up

The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.

Why It Matters

Unprepared SQL can allow SQL injection when user-controlled values reach the query.

How to Fix

  • Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
  • Pass the values as separate arguments to `$wpdb->prepare()`.
  • For table names, column names, and sort directions (identifiers and keywords rather than values, so `%s`/`%d` cannot carry them), compare the input against a strict allowlist and use the allowlisted literal instead of raw user input.
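The shape this rule flags, beside the prepared form the fix steps describe, as an added example that is neither the scanner's nor any listed plugin's code. It assumes WordPress has loaded (so the global `$wpdb` and the core posts table exist); the function names and the ORDER BY allowlist are constructed for illustration.

```php
<?php
// Added example (not from the scanner or any listed plugin). Assumes WordPress
// has loaded, so the global $wpdb exists; function names and the allowlist are
// constructed for illustration.

// BEFORE: four untrusted inputs land in the SQL string by interpolation. This is
// the shape WordPress.DB.PreparedSQL.NotPrepared reports.
function demo_author_posts_unprepared( $author_id, $status, $orderby, $dir ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_author = $author_id AND post_status = '$status'
            ORDER BY $orderby $dir";
    return $wpdb->get_results( $sql );
}

// AFTER: values travel as separate prepare() arguments; identifiers and the
// sort keyword are resolved against allowlists before the string is built.
function demo_author_posts_prepared( $author_id, $status, $orderby, $dir ) {
    global $wpdb;

    // Column names are identifiers, not values: pick from a fixed allowlist and
    // fall back to a safe default rather than trusting the request.
    $allowed_orderby = array( 'post_date', 'post_title', 'ID' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'post_date';
    }

    // ASC/DESC is a keyword, so there is no placeholder for it; allowlist it too.
    $dir = ( 'ASC' === strtoupper( (string) $dir ) ) ? 'ASC' : 'DESC';

    // %d casts the author id to an integer and %s quotes and escapes the status.
    // %i (WordPress 6.2+) backtick-quotes the identifier; on older cores, drop
    // %i and interpolate the already-allowlisted $orderby instead.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_author = %d AND post_status = %s
         ORDER BY %i {$dir}",
        $author_id,
        $status,
        $orderby
    );
    return $wpdb->get_results( $sql );
}
```

Because `$dir` is still a variable inside the query string, the sniff may report it even after the allowlist; keeping the allowlist directly above the query lets a reviewer confirm that any `phpcs:ignore` annotation placed there is justified.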

Affected Plugins

Rank | Plugin | Score · Errors · Warnings · Installs (run together) | Top Issue
#1101 | Molongui Post Contributors: Multi-Role Contributor Attribution | 33240162400 | Output is not escaped
#1102 | News Announcement Scroll | 332372592k+ | Non-prefixed global variable
#1103 | Notification Master – Real-Time WordPress Notifications With Email, SMS, Webhooks & More | 332932151k+ | Text Domain Mismatch
#1104 | Pixelgrade Assistant | 336651412k+ | Text Domain Mismatch
#1105 | Post Lists View Custom | 334621502k+ | Missing Arg Domain
#1106 | PW WooCommerce Gift Cards | 3323818620k+ | Output is not escaped
#1107 | Quick Restaurant Reservations | 33654179500 | Text Domain Mismatch
#1108 | Rename wp-login.php to anything you want | 33251117500 | Output is not escaped
#1109 | Review Slider for WooCommerce | 33160422400 | Non-prefixed global variable
#1110 | Live Sales Notification (Recent Sales Popups) | 33114120400 | SQL query is not prepared
#1111 | Sessions | 33196103900 | Output is not escaped
#1112 | Social Rocket – Social Sharing Plugin | 331,0162551k+ | Unsafe printing function
#1113 | Spiffy Calendar | 334732433k+ | Output is not escaped
#1114 | Spin Wheel – Interactive spinning wheel that offers coupons | 33680313500 | Unsafe printing function
#1115 | Simple Sticky Add To Cart For WooCommerce | 3340170900 | Text Domain Mismatch
#1116 | Sublanguage | 33266287700 | Output is not escaped
#1117 | Telegram Bot & Channel | 33182113600 | Unsafe printing function
#1118 | WP Twitter Auto Publish | 334421714k+ | Output is not escaped
#1119 | Display Posts As List, Grid, Thumbs | 33442241900 | Output is not escaped
#1120 | Variation Swatches for WooCommerce | 3346911650k+ | Text Domain Mismatch
#1121 | Website Monetization by MageNet | 33608720k+ | Output is not escaped
#1122 | Rich Showcase for Google Reviews | 33212265100k+ | Output is not escaped
#1123 | Product Addons for Woocommerce – Product Options with Custom Fields | 3312411430k+ | Output is not escaped
#1124 | Hyyan WooCommerce Polylang Integration | 331412208k+ | Nonce verification recommended
#1125 | CartBounty – Save and recover abandoned carts for WooCommerce | 3337039910k+ | Output is not escaped
#1126 | CatalogX – Catalog Mode, Enquiry & Quotes for WooCommerce | 332291055k+ | Text Domain Mismatch
#1127 | Pay. Payment Methods for WooCommerce | 333161043k+ | Non Singular String Literal Domain
#1128 | WOW Slider | 331761013k+ | Output is not escaped
#1129 | Books Gallery – Book Showcase, Library & Affiliate Plugin | 331,7531782k+ | Output is not escaped
#1130 | WP Edit | 3333713740k+ | Unsafe printing function
#1131 | WP Social AutoConnect | 33290144500 | Output is not escaped
#1132 | Connector for Gravity Forms and Google Sheets | 336921553k+ | Text Domain Mismatch
#1133 | WP Multilang – Translation and Multilingual Plugin | 335111810k+ | Database parameter is not escaped
#1134 | WPReplace内容字符替换插件 | 33209195800 | Non Singular String Literal Domain
#1135 | XML Sitemaps | 3365622k+ | Output is not escaped
#1136 | Zita Site Library for Elementor | 331071351k+ | Text Domain Mismatch
#1137 | AI WP Writer – SEO content generator, chatGPT, Gemini | 345815093k+ | Text Domain Mismatch
#1138 | All-in-One WP Migration and Backup | 3447695m+ | Missing nonce verification
#1139 | Assistant – Every Day Productivity Apps | 34124974k+ | Exception output is not escaped
#1140 | Audit Trail | 349010710k+ | Unsafe printing function
#1141 | AyeCode Connect | 3417825310k+ | Nonce verification recommended
#1142 | Beeketing for WooCommerce – Marketing Automation to Boost Sales | 34113123600 | SQL query is not prepared
#1143 | Blog-in-Blog | 346493800 | Non-prefixed function
#1144 | BuddyPress & BuddyBoss Member Profile Forms | 34154121400 | Text Domain Mismatch
#1145 | Campi Moduli Italiani | 3472363500 | Unquoted Complex Placeholder
#1146 | SMS Abandoned Cart Recovery ✦ CartBoss | 346772400 | SQL query is not prepared
#1147 | Cornerstone | 3416117430k+ | Nonce verification recommended
#1148 | CSS JS Manager, Async JavaScript, Defer Render Blocking CSS | 34761061k+ | Input is not validated
#1149 | Custom Post Type Attachment | 3415349800 | wp function not compatible with requires wp
#1150 | Custom Sidebars – Dynamic Sidebar Classic Widget Area Manager | 3432307100k+ | Non-prefixed global variable