WordPress.DB.PreparedSQL.NotPrepared
SQL query is not prepared
A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.
Why It Shows Up
The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.
Why It Matters
Unprepared SQL can allow SQL injection when user-controlled values reach the query.
How to Fix
- Move dynamic values into placeholders: `%s` for strings, `%d` for integers, `%f` for floats, and `%i` for identifiers such as table and column names (`%i` is available from WordPress 6.2 onward).
- Pass the values as separate arguments to `$wpdb->prepare()` rather than interpolating or concatenating them into the query string; `esc_sql()` on its own is not a substitute for placeholders.
- For table names, column names, and sort directions (`ASC`/`DESC`), which cannot be bound as values, compare the input against a strict allowlist and fall back to a fixed default instead of using the raw value.
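The pattern the three steps above describe, as an added example that is not code from this page or from any of the plugins listed below: a lookup that triggers `WordPress.DB.PreparedSQL.NotPrepared`, followed by the prepared rewrite. It assumes it runs inside a WordPress plugin, so `$wpdb` is the global `wpdb` instance and `absint()` and `$wpdb->esc_like()` are available; the table `my_plugin_items`, its columns, and the function names are hypothetical.

```php
<?php
/**
 * Added example, not part of the original page. Assumes WordPress 6.2+ for the
 * %i identifier placeholder; the table and column names are hypothetical.
 */

// BEFORE: flagged by the sniff. $status, $orderby and $limit are dropped
// straight into the SQL string, so a $status such as "x' OR 1=1 -- " rewrites
// the WHERE clause and $orderby can inject arbitrary SQL after ORDER BY.
function my_plugin_items_unsafe( $status, $orderby, $limit ) {
	global $wpdb;
	$table = $wpdb->prefix . 'my_plugin_items';
	$sql   = "SELECT id, title FROM {$table} WHERE status = '{$status}' ORDER BY {$orderby} LIMIT {$limit}";
	return $wpdb->get_results( $sql );
}

// AFTER: values are bound through placeholders, identifiers go through an
// allowlist, and the sort direction is chosen from two fixed query strings
// so that no variable is ever interpolated into the SQL text.
function my_plugin_items_safe( $status, $search, $orderby, $order, $limit ) {
	global $wpdb;

	// Identifiers cannot be bound as values: accept only known column names and
	// fall back to a fixed default for anything else.
	$allowed_orderby = array( 'id', 'title', 'created_at' );
	if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
		$orderby = 'id';
	}

	// Sort direction is likewise restricted to the two literals.
	$desc = ( 'DESC' === strtoupper( (string) $order ) );

	// A LIKE pattern is still a value: escape the wildcard characters of the
	// user's term with esc_like(), then add our own wildcards and bind it with %s.
	$like = '%' . $wpdb->esc_like( (string) $search ) . '%';

	$table = $wpdb->prefix . 'my_plugin_items';

	// %i quotes identifiers (table and ORDER BY column), %s binds string values,
	// %d binds the integer limit. The direction is part of the literal string.
	$query = $desc
		? 'SELECT id, title FROM %i WHERE status = %s AND title LIKE %s ORDER BY %i DESC LIMIT %d'
		: 'SELECT id, title FROM %i WHERE status = %s AND title LIKE %s ORDER BY %i ASC LIMIT %d';

	$sql = $wpdb->prepare(
		$query,
		$table,
		(string) $status,
		$like,
		$orderby,
		absint( $limit )
	);

	return $wpdb->get_results( $sql );
}
```

On WordPress versions before 6.2, where `%i` is not available, keep the same allowlist and build the table name from `$wpdb->prefix` plus a hard-coded suffix; the allowlist is what makes the identifier safe, not the placeholder.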
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1251 | Category Order and Taxonomy Terms Order | 76 | 35 | 10 | 500k+ | | | wp function not compatible with requires wp |
| #1252 | Index WP Users For Speed | 77 | 10 | 35 | 1k+ | | | Non-prefixed global variable |
| #1253 | Posts List | 77 | 11 | 15 | 7k+ | | | Non-prefixed hook name |
| #1254 | Table Of Contents Block | 77 | 15 | 8 | 10k+ | | | wp function not compatible with requires wp |
| #1255 | Flipbox | 80 | 14 | 17 | 2k+ | | | wp function not compatible with requires wp |
| #1256 | Media Library File Size | 80 | 3 | 15 | 6k+ | | | Nonce verification recommended |
| #1257 | WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets | 80 | 26 | 18 | 30k+ | | | Missing direct file access protection |
| #1258 | Countdown Block | 81 | 14 | 10 | 4k+ | | | wp function not compatible with requires wp |
| #1259 | Accordion Toggle | 82 | 17 | 11 | 2k+ | | | Non-prefixed class |
| #1260 | Image Gallery Block | 82 | 13 | 10 | 3k+ | | | wp function not compatible with requires wp |
| #1261 | Image Slider Block | 82 | 13 | 14 | 3k+ | | | wp function not compatible with requires wp |
| #1262 | Events Calendar Modules for Divi | 84 | 1 | 12 | 2k+ | | | Nonce verification recommended |
| #1263 | Floating Button – Easily Create Sticky, Fixed & Floating Buttons | 84 | 6 | 184 | 4k+ | | | Non-prefixed global variable |
| #1264 | Timeline Module for Divi | 84 | 16 | 11 | 3k+ | | | Text Domain Mismatch |
| #1265 | GazChap's WooCommerce Auto Category Product Thumbnails | 85 | 4 | 8 | 1k+ | | | trademarked term |
| #1266 | Vanilla PDF Embed | 85 | 8 | 3 | 3k+ | | | parse url parse url |
| #1267 | WP Missed Schedule Posts | 87 | 7 | 9 | 10k+ | | | trademarked term |
| #1268 | Featured Image Admin Thumb | 90 | 7 | 10 | 20k+ | | | Non-prefixed hook name |
| #1269 | HivePress Messages | 90 | 7 | 10 | 7k+ | | | Direct Query |
| #1270 | MWW Scheduled Post Trigger | 92 | 4 | 2 | 60k+ | | | Direct Query |