WordPress.DB.PreparedSQL.NotPrepared
SQL query is not prepared
A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.
Why It Shows Up
The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.
Why It Matters
Unprepared SQL can allow SQL injection when user-controlled values reach the query.
How to Fix
- Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
- Pass the values as separate arguments to `$wpdb->prepare()`.
- For table names, column names, and sort directions, use strict allowlists instead of raw user input.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1451 | LearnPress – Course Review | 37 | 67 | 43 | 20k+ | Output is not escaped | ||
| #1452 | Media Sweep – WordPress Media Cleaner | 37 | 56 | 137 | 1k+ | Interpolated SQL is not prepared | ||
| #1453 | Metorik – Reports & Email Automation for WooCommerce | 37 | 75 | 70 | 10k+ | Output is not escaped | ||
| #1454 | CrawlWP SEO – Instant Search Engine Indexing & SEO Performance Monitor | 37 | 47 | 90 | 40k+ | Dynamic hook name | ||
| #1455 | news ticker benaceur | 37 | 1,097 | 31 | 1k+ | Output is not escaped | ||
| #1456 | NextGEN Scroll Gallery | 37 | 33 | 28 | 1k+ | Output is not escaped | ||
| #1457 | Ninja Van (MY) | 37 | 21 | 258 | 1k+ | Non-prefixed global variable | ||
| #1458 | WP All Export – Order Export for WooCommerce | 37 | 109 | 111 | 3k+ | Text Domain Mismatch | ||
| #1459 | Panda Pods Repeater Field | 37 | 9 | 260 | 600 | Non-prefixed global variable | ||
| #1460 | Phoenix Media Rename | 37 | 180 | 104 | 50k+ | Output is not escaped | ||
| #1461 | Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales | 37 | 59 | 64 | 2k+ | SQL query is not prepared | ||
| #1462 | Product Image Hover Effects WOOC – WPSHARE247 | 37 | 161 | 94 | 800 | Output is not escaped | ||
| #1463 | Publish to Schedule | 37 | 195 | 43 | 4k+ | Text Domain Mismatch | ||
| #1464 | rapidmail: Newsletter & E-Mail Marketing for WooCommerce | 37 | 79 | 47 | 400 | Text Domain Mismatch | ||
| #1465 | Sensei LMS Certificates | 37 | 97 | 362 | 4k+ | Non-prefixed global variable | ||
| #1466 | Snippet Shortcodes | 37 | 359 | 133 | 4k+ | Non Singular String Literal Domain | ||
| #1467 | Simple Image XML Sitemap | 37 | 119 | 16 | 1k+ | Output is not escaped | ||
| #1468 | Lightbox slider – Responsive Lightbox Gallery | 37 | 36 | 173 | 3k+ | Non-prefixed global variable | ||
| #1469 | Tracking Code Manager | 37 | 55 | 42 | 90k+ | Output is not escaped | ||
| #1470 | User Meta Display | 37 | 78 | 74 | 500 | Output is not escaped | ||
| #1471 | UsersWP – Social Login | 37 | 299 | 91 | 2k+ | Text Domain Mismatch | ||
| #1472 | Featured Video for WordPress – VideographyWP | 37 | 287 | 93 | 1k+ | Unsafe printing function | ||
| #1473 | Views for WPForms – Display & Edit WPForms Entries on your site frontend | 37 | 80 | 64 | 1k+ | Output is not escaped | ||
| #1474 | Weather Atlas Widget | 37 | 630 | 111 | 9k+ | Output is not escaped | ||
| #1475 | Conditional Discounts for WooCommerce – A simple yet complete woocommerce dynamic pricing plugin | 37 | 99 | 33 | 9k+ | Text Domain Mismatch | ||
| #1476 | Piraeus Bank WooCommerce Payment Gateway | 37 | 146 | 104 | 3k+ | Non Singular String Literal Domain | ||
| #1477 | Fix Media Library | 37 | 53 | 71 | 1k+ | Output is not escaped | ||
| #1478 | WP-Cron Control | 37 | 54 | 22 | 1k+ | Output is not escaped | ||
| #1479 | WP Export Categories & Taxonomies | 37 | 169 | 35 | 500 | Output is not escaped | ||
| #1480 | WP Flow Plus | 37 | 175 | 146 | 800 | Output is not escaped | ||
| #1481 | Persistent Login | 37 | 338 | 108 | 6k+ | Unsafe printing function | ||
| #1482 | WP Show Stats | 37 | 197 | 103 | 400 | Output is not escaped | ||
| #1483 | Special Text Boxes | 37 | 38 | 42 | 2k+ | Direct Query | ||
| #1484 | TopNewsWp – Display Tikcer News, RSS Feed Widget and Many More | 37 | 878 | 59 | 800 | Output is not escaped | ||
| #1485 | XT Visitor Counter | 37 | 177 | 52 | 7k+ | Output is not escaped | ||
| #1486 | Yada Wiki | 37 | 207 | 45 | 2k+ | Text Domain Mismatch | ||
| #1487 | YOURLS Link Creator | 37 | 196 | 39 | 500 | Text Domain Mismatch | ||
| #1488 | Zoho Marketing Automation | 37 | 24 | 194 | 1k+ | Non-prefixed global variable | ||
| #1489 | Accessibility | 38 | 66 | 61 | 1k+ | Non-prefixed global variable | ||
| #1490 | Action Scheduler | 38 | 92 | 134 | 20k+ | Exception output is not escaped | ||
| #1491 | Advanced 301 and 302 Redirect | 38 | 81 | 339 | 1k+ | Non-prefixed global variable | ||
| #1492 | Advanced Media Offloader | 38 | 57 | 93 | 5k+ | error log error log | ||
| #1493 | Alphabetic Pagination | 38 | 144 | 117 | 500 | Unsafe printing function | ||
| #1494 | Activity Log – Monitor & Record User Changes | 38 | 81 | 149 | 200k+ | Nonce verification recommended | ||
| #1495 | Ashe Extra | 38 | 109 | 54 | 3k+ | Text Domain Mismatch | ||
| #1496 | Autologin Links | 38 | 73 | 74 | 8k+ | Output is not escaped | ||
| #1497 | Automatic Post Tagger | 38 | 592 | 307 | 2k+ | Output is not escaped | ||
| #1498 | Blogger Importer | 38 | 44 | 39 | 50k+ | Output is not escaped | ||
| #1499 | Database for Contact Form 7 | 38 | 34 | 128 | 7k+ | Missing nonce verification | ||
| #1500 | Crop-Thumbnails | 38 | 33 | 27 | 40k+ | Missing direct file access protection |