WordPress.DB.PreparedSQL.NotPrepared

SQL query is not prepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical weight

Why It Shows Up

The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.

Why It Matters

Unprepared SQL can allow SQL injection when user-controlled values reach the query.

How to Fix

  • Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
  • Pass the values as separate arguments to `$wpdb->prepare()`.
  • For table names, column names, and sort directions, use strict allowlists instead of raw user input.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1601Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types398911720k+Unsafe printing function
#1602WooCommerce Product Dependencies3944603k+Missing nonce verification
#1603WP Limit Login Attempts39266710k+Direct Query
#1604WP Most Popular3950352k+Output is not escaped
#1605SEO Auto Linker3997623k+Unsafe printing function
#1606Categories to Tags Converter39863850k+Output is not escaped
#1607YITH Custom Login3986336k+Output is not escaped
#1608404 Notifier403941700Output is not escaped
#1609ACF Theme Code for Advanced Custom Fields404784010k+Output is not escaped
#1610ACF to Custom Database Tables403664600Nonce verification recommended
#1611Add & Replace Affiliate Links for Amazon403952600Output is not escaped
#1612Advanced Admin Search407948600Non Singular String Literal Text
#1613Allow Multiple Accounts40115199k+Non Singular String Literal Domain
#1614Alt Magic: AI Image Alt Text Generator for WP & Image Rename40551181k+Direct Query
#1615Atomic Edge Security – Firewall, Malware Scan and Login Security4012184700Non-prefixed global variable
#1616AutoConvert Greeklish Permalinks401161330k+Text Domain Mismatch
#1617Broken Link Notifier40111931k+Non-prefixed global variable
#1618BuddyPress Profile Completion402830500Output is not escaped
#1619Bulk Delete Comments4016615k+Direct Query
#1620Coming soon Page402418500Text Domain Mismatch
#1621Copyscape Premium40148133800SQL query is not prepared
#1622Country State City Dropdown CF74035545k+Direct Query
#1623Cron Logger4049361k+Output is not escaped
#1624Cryptocurrency Widgets Pack4022252700Unsafe printing function
#1625Delete Me40116177k+Output is not escaped
#1626Easy Image Collage4096184k+Unsafe printing function
#1627Enhanced Custom Permalinks4051821k+Nonce verification recommended
#1628Eventer4061551k+Output is not escaped
#1629Expiring Posts405220900Missing Arg Domain
#1630FAQ Concertina404316700Output is not escaped
#1631GetPaid > Item Inventory4011252400Text Domain Mismatch
#1632iNext Woo Pincode Checker403682700Missing nonce verification
#1633Internal Linking of Related Contents40714471k+Output is not escaped
#1634JSM Show Order Metadata for WooCommerce HPOS401764700Nonce verification recommended
#1635JSM Show Post Metadata40156610k+Nonce verification recommended
#1636JSM Show Term Metadata401464900Nonce verification recommended
#1637JSM Show User Metadata4014643k+Nonce verification recommended
#1638Links shortcode407313900Unsafe printing function
#1639LJ Multi Column Archive4017251k+Output is not escaped
#1640Logbook4033592k+Nonce verification recommended
#1641Mass Email To Users408481800Output is not escaped
#1642Multiple Featured Images4050225k+Output is not escaped
#1643NextGEN Gallery Sidebar Widget405910600Output is not escaped
#1644Paystack MemberPress407176400Output is not escaped
#1645Permalink Manager for WooCommerce40115208k+Short PHP open tag found
#1646Requirements Checklist4020022900Output is not escaped
#1647Private Google Calendars40227371k+Output is not escaped
#1648Quiz Cat – WordPress Quiz Plugin40151694k+Output is not escaped
#1649Redirector4048327k+Output is not escaped
#1650REST API Custom Fields404416800Text Domain Mismatch