WordPress.DB.PreparedSQL.NotPrepared

SQL query is not prepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical weight

Why It Shows Up

The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.

Why It Matters

Unprepared SQL can allow SQL injection when user-controlled values reach the query.

How to Fix

  • Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
  • Pass the values as separate arguments to `$wpdb->prepare()`.
  • For table names, column names, and sort directions, use strict allowlists instead of raw user input.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1551WP-DraftsForFriends38141711k+Output is not escaped
#1552WP Media Categories3840103800Nonce verification recommended
#1553Native PHP Sessions38309210k+Direct Query
#1554Real-Time Post Statistics for WordPress3863682k+SQL query is not prepared
#1555Responsive Vertical Icon Menu3818885700Output is not escaped
#1556ZeroBounce Email Verification & Validation382991621k+Text Domain Mismatch
#1557Ad Invalid Click Protector (AICP)39785710k+Text Domain Mismatch
#1558Add-on Gravity Forms – MailPoet 3393133600Output is not escaped
#1559Advanced Woo Labels – Product Labels & Badges for WooCommerce3917312510k+Output is not escaped
#1560bbPress Moderation397515500Non Singular String Literal Domain
#1561Better Random Redirect398840700Text Domain Mismatch
#1562Better User Search392444700SQL query is not prepared
#1563Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)39164710k+Request data is not unslashed
#1564Calculator Builder – Create an Online Calculator39162211k+Non-prefixed global variable
#1565CatFolders Document Gallery & PDF Library3966323k+Output is not escaped
#1566Constant Contact + WooCommerce3927911k+Nonce verification recommended
#1567Image CAPTCHA for Contact Form 7 and WPForms by HookAndHook (DSGVO/GDPR)39284580k+Missing nonce verification
#1568Custom Post Type Auto Menu395433500Text Domain Mismatch
#1569Drip for Gravity Forms394121500Unsafe printing function
#1570Duplicate Killer – Prevent Duplicate Form Submissions39571031k+Non-prefixed global variable
#1571Email Marketing by EmailOctopus3943623k+Non-prefixed global variable
#1572Favorites3918712310k+Unsafe printing function
#1573First Order Discount Woocommerce3955301k+Output is not escaped
#1574Fix Duplicates397673800Output is not escaped
#1575Flamix: Bitrix24 and WooCommerce Orders integration398131500Output is not escaped
#1576Gallery Widget3912211500Output is not escaped
#1577Maintenance Mode39861097k+Output is not escaped
#1578Improved Save Button3944524k+Missing Translators Comment
#1579Insert Html Snippet3915920520k+Output is not escaped
#1580JJ NextGen JQuery Carousel391229400Output is not escaped
#1581JJ NextGen JQuery Slider392217800Output is not escaped
#1582Mail Subscribe List3917943k+Input is not validated
#1583Markup by Attribute for WooCommerce39461022k+Direct Query
#1584Menubar39171461k+Output is not escaped
#1585Paystack Add-On for Gravity Forms399631400Text Domain Mismatch
#1586Quform Mailchimp3965147800Nonce verification recommended
#1587Quform Zapier39601231k+Nonce verification recommended
#1588Redirect 404 Error Page to Homepage or Custom Page with Logs39275310k+Nonce verification recommended
#1589Re Gallery – Responsive Image & Photo Gallery3916121700Missing nonce verification
#1590Reorder by Term3920841k+Request data is not unslashed
#1591Responsify WP399011600Unsafe printing function
#1592Serial Number for Contact Form 739105532k+Non Singular String Literal Domain
#1593Shared Files – File Upload & Download Manager3951844k+Nonce verification recommended
#1594Shipping Simulator for WooCommerce39120395k+Text Domain Mismatch
#1595Simple Membership WP user Import3922464k+Request data is not unslashed
#1596Easy Category Icons395043600Text Domain Mismatch
#1597ThemeKit For WordPress3914949700Output is not escaped
#1598Traffic Monitor3961431k+Direct Query
#1599Accessibility by UserWay39223580k+Direct Query
#1600Smart COD for WooCommerce39502830k+Output is not escaped