WordPress.DB.PreparedSQL.NotPrepared

SQL query is not prepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical weight

Why It Shows Up

The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.

Why It Matters

Unprepared SQL can allow SQL injection when user-controlled values reach the query.

How to Fix

  • Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
  • Pass the values as separate arguments to `$wpdb->prepare()`.
  • For table names, column names, and sort directions, use strict allowlists instead of raw user input.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1401Guaranteed Reviews Company (Société des Avis Garantis)363691971k+Output is not escaped
#1402Viva Payments – Viva Wallet WooCommerce Payment Gateway3697321k+Non Singular String Literal Domain
#1403Extended Coupon Features for WooCommerce FREE362196310k+Text Domain Mismatch
#1404CatalogX – Catalog Mode, Enquiry & Quotes for WooCommerce36165695k+Text Domain Mismatch
#1405Hide admin notices – Admin Notification Center36114678k+Output is not escaped
#1406WP Better Permalinks36110591k+Output is not escaped
#1407WP-Cleanup367929400Output is not escaped
#1408WP Coder – Insert & Manage Code Snippets365328010k+Nonce verification recommended
#1409WP Counter368643800Output is not escaped
#1410WP Custom Cursors | WordPress Cursor Plugin366913909k+Text Domain Mismatch
#1411WP-EMail36340951k+Unsafe printing function
#1412WP Header Images361741336k+Unsafe printing function
#1413WP Mail36202201500Output is not escaped
#1414WP Sort Order361342116k+Direct Query
#1415WP Super Edit36351852k+Nonce verification recommended
#1416WPAvatar3642545700Unsafe printing function
#1417WP fail2ban Blocklist3661633k+SQL query is not prepared
#1418WPLMS H5P361111061k+Text Domain Mismatch
#1419Wppao Sitemap36128219k+Output is not escaped
#1420wpShopGermany IT-RECHT KANZLEI363747500Input is not sanitized
#1421Database Snapshots – WPvivid36661081k+Direct Query
#1422YayExtra – WooCommerce Extra Product Options36114721k+Non-prefixed global variable
#1423Visual CSS Style Editor3628323340k+Output is not escaped
#1424Zeno – AI-Powered Chatbot36311131500Text Domain Mismatch
#1425Redirectioner372344101k+Output is not escaped
#1426AJAX Hits Counter + Popular Posts Widget37247441k+Output is not escaped
#1427Anything Popup371641852k+Non-prefixed global variable
#1428Random Posts and Pages Widget37322151k+Output is not escaped
#1429Banhammer – Monitor Site Traffic, Block Bad Users and Bots371041741k+Output is not escaped
#1430bunny.net – WordPress CDN Plugin3716515910k+Output is not escaped
#1431Contact Zalo Report SW374439900Missing Arg Domain
#1432ClickRank – Ai SEO Automation37102261k+Direct Query
#1433Lightweight Subscribe To Comments37105701k+Unsafe printing function
#1434CookieAdmin – Cookie Consent Banner374386400k+Nonce verification recommended
#1435Simple Custom CSS and JS3716869600k+Output is not escaped
#1436Disclaimer Popup37313531k+Text Domain Mismatch
#1437Donation Block For PayPal3723106600Input is not validated
#1438Pricing Table WordPress Plugin – Easy Pricing Tables3733216110k+Output is not escaped
#1439Eazy CF Captcha379354500Text Domain Mismatch
#1440Encyclopedia / Glossary / Wiki37263481k+Output is not escaped
#1441Get Custom Field Values3740441k+Output is not escaped
#1442果果推送3731561k+Nonce verification recommended
#1443GHL Gravity Bridge – Send Gravity Forms leads to GHL CRM3759269600Direct Query
#1444XML Sitemap Generator for Google3743791m+Input is not validated
#1445GoPay for WooCommerce37661031k+Non-prefixed global variable
#1446Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder378311320k+SQL query is not prepared
#1447Horizontal scrolling announcements372151408k+Output is not escaped
#1448Humans TXT3715986400Output is not escaped
#1449Injection Guard3786451k+Unsafe printing function
#1450JS Help Desk – AI-Powered Support & Ticketing System37174067k+Missing nonce verification