WordPress.DB.PreparedSQL.NotPrepared
SQL query is not prepared
A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.
Why It Shows Up
The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.
Why It Matters
Unprepared SQL can allow SQL injection when user-controlled values reach the query.
How to Fix
- Move dynamic values into placeholders: `%s`, `%d`, and `%f` bind string, integer, and float values, and `%i` (where supported) binds identifiers such as table and column names.
- Pass the values as separate arguments to `$wpdb->prepare()` rather than interpolating or concatenating them into the SQL string.
- For table names, column names, and sort directions, map the request value onto a strict allowlist of known-good literals; never place raw user input in these positions.
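As an added example (not code from the page or from any plugin listed on it), the flagged pattern is shown beside its prepared form; the `{$wpdb->prefix}plugin_items` table, the column names, and the request parameters are assumed for illustration.

```php
<?php
// Added example. Assumes a WordPress context with $wpdb available and a
// hypothetical custom table named {$wpdb->prefix}plugin_items.

// BEFORE: request values interpolated straight into the SQL string.
// WordPress.DB.PreparedSQL.NotPrepared reports this get_results() call.
function example_get_items_unprepared( $status, $orderby, $order ) {
	global $wpdb;
	$table = $wpdb->prefix . 'plugin_items';
	return $wpdb->get_results(
		"SELECT * FROM {$table} WHERE status = '{$status}' ORDER BY {$orderby} {$order}"
	);
}

// AFTER: values are bound by prepare(); identifiers come from allowlists.
function example_get_items_prepared( $status, $orderby, $order, $limit ) {
	global $wpdb;
	$table = $wpdb->prefix . 'plugin_items';

	// A column name cannot be bound with %s (it would be quoted as a string),
	// so map the request value onto a fixed set of known-good column names.
	$allowed_columns = array( 'created_at', 'title', 'status' );
	if ( ! in_array( $orderby, $allowed_columns, true ) ) {
		$orderby = 'created_at';
	}

	// Sort direction: the code itself picks one of two literal keywords, so the
	// only text spliced into the query below is never a raw request value.
	$direction = ( 'ASC' === strtoupper( (string) $order ) ) ? 'ASC' : 'DESC';

	// %i (WordPress 6.2+) wraps an identifier in backticks; %s and %d bind
	// the status value and the limit. On older WordPress, substitute the
	// allowlisted $orderby and the $table literal directly instead of %i.
	$sql = $wpdb->prepare(
		"SELECT * FROM %i WHERE status = %s ORDER BY %i {$direction} LIMIT %d",
		$table,
		$status,
		$orderby,
		absint( $limit )
	);
	return $wpdb->get_results( $sql );
}
```

The hardened version never lets a request value decide the shape of the statement: values travel through placeholders, and the two identifiers that must appear as bare SQL are selected from literals the code controls.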
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1151 | EasyIndex | 34 | 74 | 135 | 1k+ | | | Missing nonce verification |
| #1152 | Einsatzverwaltung | 34 | 152 | 128 | 1k+ | | | Output is not escaped |
| #1153 | Empik for Woocommerce | 34 | 70 | 259 | 400 | | | Missing nonce verification |
| #1154 | Reviews Widgets for Google, Yelp & TripAdvisor | 34 | 274 | 212 | 10k+ | | | Output is not escaped |
| #1155 | Featured Video Plus | 34 | 99 | 105 | 10k+ | | | Non-prefixed global variable |
| #1156 | Flash Toolkit | 34 | 159 | 242 | 10k+ | | | Non-prefixed global variable |
| #1157 | FV Gravatar Cache | 34 | 50 | 42 | 700 | | | Output is not escaped |
| #1158 | Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program | 34 | 131 | 352 | 600 | | | Missing nonce verification |
| #1159 | Signature Add-On for Gravity Forms | 34 | 161 | 48 | 1k+ | | | Text Domain Mismatch |
| #1160 | HollerBox — Fast & Effective Popups & Lead-Generation | 34 | 78 | 92 | 2k+ | | | Output is not escaped |
| #1161 | Image Cleanup | 34 | 52 | 94 | 1k+ | | | Nonce verification recommended |
| #1162 | Import XML and RSS Feeds | 34 | 260 | 85 | 2k+ | | | Unsafe printing function |
| #1163 | Inavii Social Feed – Live Social Proof Gallery | 34 | 532 | 180 | 9k+ | | | Text Domain Mismatch |
| #1164 | JS Archive List | 34 | 99 | 31 | 3k+ | | | Output is not escaped |
| #1165 | Lenix Leads Collector | 34 | 414 | 242 | 10k+ | | | Text Domain Mismatch |
| #1166 | Login with Vipps and MobilePay | 34 | 263 | 174 | 900 | | | Output is not escaped |
| #1167 | MailChimp Forms by MailMunch | 34 | 116 | 94 | 10k+ | | | Output is not escaped |
| #1168 | Media Vault | 34 | 115 | 150 | 800 | | | Output is not escaped |
| #1169 | Meow Lightbox | 34 | 75 | 52 | 10k+ | | | Non Singular String Literal Domain |
| #1170 | Montonio for WooCommerce | 34 | 44 | 257 | 10k+ | | | Non-prefixed global variable |
| #1171 | Multi Step Form | 34 | 277 | 136 | 9k+ | | | Output is not escaped |
| #1172 | Ni WooCommerce Custom Order Status | 34 | 256 | 139 | 2k+ | | | Text Domain Mismatch |
| #1173 | One User Avatar \| User Profile Picture | 34 | 68 | 190 | 100k+ | | | Non-prefixed global variable |
| #1174 | Optima Express IDX | 34 | 71 | 237 | 10k+ | | | Non-prefixed class |
| #1175 | Child Theme Creator by Orbisius | 34 | 86 | 39 | 10k+ | | | Output is not escaped |
| #1176 | OwnerRez | 34 | 79 | 56 | 700 | | | Unsafe printing function |
| #1177 | PW WooCommerce Bulk Edit | 34 | 219 | 149 | 20k+ | | | Unsafe printing function |
| #1178 | PW WooCommerce Gift Cards | 34 | 238 | 185 | 20k+ | | | Output is not escaped |
| #1179 | Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers | 34 | 261 | 863 | 30k+ | | | Non-prefixed global variable |
| #1180 | Redirection | 34 | 32 | 293 | 2m+ | | | Non-prefixed class |
| #1181 | Responsive Menu – Create Mobile-Friendly Menu | 34 | 68 | 40 | 70k+ | | | Nonce verification recommended |
| #1182 | Event Timeline – Vertical Timeline | 34 | 26 | 684 | 1k+ | | | Non-prefixed global variable |
| #1183 | RTMForm Builder | 34 | 188 | 209 | 30k+ | | | Text Domain Mismatch |
| #1184 | Route ‑ Shipping Protection | 34 | 65 | 150 | 500 | | | Missing nonce verification |
| #1185 | Search Meter | 34 | 191 | 94 | 20k+ | | | Output is not escaped |
| #1186 | Security Safe | 34 | 193 | 164 | 700 | | | Missing Translators Comment |
| #1187 | Seriously Simple Stats | 34 | 99 | 126 | 5k+ | | | Output is not escaped |
| #1188 | Student Result or Employee Database | 34 | 89 | 98 | 1k+ | | | Direct Query |
| #1189 | Software License Manager | 34 | 69 | 289 | 900 | | | Nonce verification recommended |
| #1190 | Subscribe to Download Lite – Email Before Download Plugin | 34 | 106 | 157 | 400 | | | Non-prefixed global variable |
| #1191 | TaxJar – Sales Tax Automation for WooCommerce | 34 | 236 | 170 | 5k+ | | | Text Domain Mismatch |
| #1192 | Testimonial Slider | 34 | 448 | 262 | 3k+ | | | Unsafe printing function |
| #1193 | Throws SPAM Away | 34 | 327 | 123 | 20k+ | | | Missing Arg Domain |
| #1194 | Tools for Twitter | 34 | 135 | 87 | 1k+ | | | Output is not escaped |
| #1195 | Visual Form Builder | 34 | 82 | 329 | 20k+ | | | Direct Query |
| #1196 | Abandoned Cart Reports For WooCommerce | 34 | 133 | 163 | 2k+ | | | Output is not escaped |
| #1197 | Donation Platform for WooCommerce: Fundraising & Donation Management | 34 | 331 | 448 | 7k+ | | | Non-prefixed global variable |
| #1198 | DPD SK for WooCommerce | 34 | 130 | 165 | 700 | | | Output is not escaped |
| #1199 | Simple Discount Rules for Woocommerce | 34 | 175 | 214 | 5k+ | | | Nonce verification recommended |
| #1200 | Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin | 34 | 230 | 154 | 2k+ | | | Output is not escaped |