WordPress.DB.PreparedSQL.NotPrepared
SQL query is not prepared
A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.
Why It Shows Up
The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.
Why It Matters
Unprepared SQL can allow SQL injection when user-controlled values reach the query.
How to Fix
- Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
- Pass the values as separate arguments to `$wpdb->prepare()`.
- For table names, column names, and sort directions, use strict allowlists instead of raw user input.
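The three fixes above, worked through in an added PHP example: it is not code from any of the plugins listed below, nor from WordPress or WordPress-Coding-Standards. The function names and the custom table `{$wpdb->prefix}example_orders` are assumptions made for the example. The first function is the shape of code this sniff reports; the second shows value placeholders; the third shows the allowlist pattern for identifiers and sort direction, which cannot be bound as values.

```php
<?php
/**
 * Added example for this page (not code from any listed plugin and not part of
 * WordPress or WordPress-Coding-Standards). It assumes the WordPress $wpdb global
 * and a hypothetical custom table named "{$wpdb->prefix}example_orders".
 */

// Pattern the NotPrepared sniff reports: request values are dropped straight into the SQL.
// Whoever controls $status or $limit controls the shape of the query.
function example_orders_unprepared( $status, $limit ) {
	global $wpdb;
	$sql = "SELECT id, total FROM {$wpdb->prefix}example_orders"
		. " WHERE status = '" . $status . "' LIMIT " . $limit;
	return $wpdb->get_results( $sql );
}

// Prepared version: each dynamic value becomes a placeholder and is passed as an argument.
// %s is quoted and escaped by prepare(), so the query must not add its own quotes around it;
// %d forces an integer. The table name comes from $wpdb->prefix, not from request data.
function example_orders_prepared( $status, $limit ) {
	global $wpdb;
	$sql = $wpdb->prepare(
		"SELECT id, total FROM {$wpdb->prefix}example_orders WHERE status = %s LIMIT %d",
		$status,
		$limit
	);
	return $wpdb->get_results( $sql );
}

// Identifiers and sort directions cannot be bound the way values can, so they are reduced
// to a fixed allowlist first. Anything not on the list falls back to a safe default.
function example_orders_sorted( $status, $orderby, $direction ) {
	global $wpdb;

	$allowed_columns = array( 'id', 'total', 'created_at' );
	if ( ! in_array( $orderby, $allowed_columns, true ) ) {
		$orderby = 'id';
	}

	// Only these two literals can ever reach the SQL string.
	$direction = ( 'DESC' === strtoupper( (string) $direction ) ) ? 'DESC' : 'ASC';

	// %i (identifier placeholder, available since WordPress 6.2) backtick-quotes the
	// allowlisted column name. $direction is a literal chosen from a two-item set, so the
	// remaining interpolation is intentional and documented for the sniff.
	$sql = $wpdb->prepare(
		// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- $direction is allowlisted above.
		"SELECT id, total FROM {$wpdb->prefix}example_orders WHERE status = %s ORDER BY %i {$direction}",
		$status,
		$orderby
	);
	return $wpdb->get_results( $sql );
}
```

On sites running WordPress older than 6.2, `%i` is not available; the allowlisted column name then has to be interpolated like the direction, with the same documented ignore, and the allowlist check is what carries the security property.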
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1101 | Molongui Post Contributors: Multi-Role Contributor Attribution | 33 | 240 | 162 | 400 | | | Output is not escaped |
| #1102 | News Announcement Scroll | 33 | 237 | 259 | 2k+ | | | Non-prefixed global variable |
| #1103 | Notification Master – Real-Time WordPress Notifications With Email, SMS, Webhooks & More | 33 | 293 | 215 | 1k+ | | | Text Domain Mismatch |
| #1104 | Pixelgrade Assistant | 33 | 665 | 141 | 2k+ | | | Text Domain Mismatch |
| #1105 | Post Lists View Custom | 33 | 462 | 150 | 2k+ | | | Missing Arg Domain |
| #1106 | PW WooCommerce Gift Cards | 33 | 238 | 186 | 20k+ | | | Output is not escaped |
| #1107 | Quick Restaurant Reservations | 33 | 654 | 179 | 500 | | | Text Domain Mismatch |
| #1108 | Rename wp-login.php to anything you want | 33 | 251 | 117 | 500 | | | Output is not escaped |
| #1109 | Review Slider for WooCommerce | 33 | 160 | 422 | 400 | | | Non-prefixed global variable |
| #1110 | Live Sales Notification (Recent Sales Popups) | 33 | 114 | 120 | 400 | | | SQL query is not prepared |
| #1111 | Sessions | 33 | 196 | 103 | 900 | | | Output is not escaped |
| #1112 | Social Rocket – Social Sharing Plugin | 33 | 1,016 | 255 | 1k+ | | | Unsafe printing function |
| #1113 | Spiffy Calendar | 33 | 473 | 243 | 3k+ | | | Output is not escaped |
| #1114 | Spin Wheel – Interactive spinning wheel that offers coupons | 33 | 680 | 313 | 500 | | | Unsafe printing function |
| #1115 | Simple Sticky Add To Cart For WooCommerce | 33 | 401 | 70 | 900 | | | Text Domain Mismatch |
| #1116 | Sublanguage | 33 | 266 | 287 | 700 | | | Output is not escaped |
| #1117 | Telegram Bot & Channel | 33 | 182 | 113 | 600 | | | Unsafe printing function |
| #1118 | WP Twitter Auto Publish | 33 | 442 | 171 | 4k+ | | | Output is not escaped |
| #1119 | Display Posts As List, Grid, Thumbs | 33 | 442 | 241 | 900 | | | Output is not escaped |
| #1120 | Variation Swatches for WooCommerce | 33 | 469 | 116 | 50k+ | | | Text Domain Mismatch |
| #1121 | Website Monetization by MageNet | 33 | 60 | 87 | 20k+ | | | Output is not escaped |
| #1122 | Rich Showcase for Google Reviews | 33 | 212 | 265 | 100k+ | | | Output is not escaped |
| #1123 | Product Addons for Woocommerce – Product Options with Custom Fields | 33 | 124 | 114 | 30k+ | | | Output is not escaped |
| #1124 | Hyyan WooCommerce Polylang Integration | 33 | 141 | 220 | 8k+ | | | Nonce verification recommended |
| #1125 | CartBounty – Save and recover abandoned carts for WooCommerce | 33 | 370 | 399 | 10k+ | | | Output is not escaped |
| #1126 | CatalogX – Catalog Mode, Enquiry & Quotes for WooCommerce | 33 | 229 | 105 | 5k+ | | | Text Domain Mismatch |
| #1127 | Pay. Payment Methods for WooCommerce | 33 | 316 | 104 | 3k+ | | | Non Singular String Literal Domain |
| #1128 | WOW Slider | 33 | 176 | 101 | 3k+ | | | Output is not escaped |
| #1129 | Books Gallery – Book Showcase, Library & Affiliate Plugin | 33 | 1,753 | 178 | 2k+ | | | Output is not escaped |
| #1130 | WP Edit | 33 | 337 | 137 | 40k+ | | | Unsafe printing function |
| #1131 | WP Social AutoConnect | 33 | 290 | 144 | 500 | | | Output is not escaped |
| #1132 | Connector for Gravity Forms and Google Sheets | 33 | 692 | 155 | 3k+ | | | Text Domain Mismatch |
| #1133 | WP Multilang – Translation and Multilingual Plugin | 33 | 51 | 118 | 10k+ | | | Database parameter is not escaped |
| #1134 | WPReplace内容字符替换插件 | 33 | 209 | 195 | 800 | | | Non Singular String Literal Domain |
| #1135 | XML Sitemaps | 33 | 65 | 62 | 2k+ | | | Output is not escaped |
| #1136 | Zita Site Library for Elementor | 33 | 107 | 135 | 1k+ | | | Text Domain Mismatch |
| #1137 | AI WP Writer – SEO content generator, chatGPT, Gemini | 34 | 581 | 509 | 3k+ | | | Text Domain Mismatch |
| #1138 | All-in-One WP Migration and Backup | 34 | 47 | 69 | 5m+ | | | Missing nonce verification |
| #1139 | Assistant – Every Day Productivity Apps | 34 | 124 | 97 | 4k+ | | | Exception output is not escaped |
| #1140 | Audit Trail | 34 | 90 | 107 | 10k+ | | | Unsafe printing function |
| #1141 | AyeCode Connect | 34 | 178 | 253 | 10k+ | | | Nonce verification recommended |
| #1142 | Beeketing for WooCommerce – Marketing Automation to Boost Sales | 34 | 113 | 123 | 600 | | | SQL query is not prepared |
| #1143 | Blog-in-Blog | 34 | 64 | 93 | 800 | | | Non-prefixed function |
| #1144 | BuddyPress & BuddyBoss Member Profile Forms | 34 | 154 | 121 | 400 | | | Text Domain Mismatch |
| #1145 | Campi Moduli Italiani | 34 | 72 | 363 | 500 | | | Unquoted Complex Placeholder |
| #1146 | SMS Abandoned Cart Recovery ✦ CartBoss | 34 | 67 | 72 | 400 | | | SQL query is not prepared |
| #1147 | Cornerstone | 34 | 161 | 174 | 30k+ | | | Nonce verification recommended |
| #1148 | CSS JS Manager, Async JavaScript, Defer Render Blocking CSS | 34 | 76 | 106 | 1k+ | | | Input is not validated |
| #1149 | Custom Post Type Attachment | 34 | 153 | 49 | 800 | | | wp function not compatible with requires wp |
| #1150 | Custom Sidebars – Dynamic Sidebar Classic Widget Area Manager | 34 | 32 | 307 | 100k+ | | | Non-prefixed global variable |