WordPress.DB.PreparedSQL.NotPrepared
SQL query is not prepared
A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.
Why It Shows Up
The scan found a SQL string passed to a `$wpdb` query method (`query()`, `get_results()`, `get_var()`, `get_row()`, `get_col()`) in which variables are concatenated or interpolated directly instead of being bound through `$wpdb->prepare()`. The check is the `WordPress.DB.PreparedSQL` sniff from the WordPress Coding Standards; it also fires when a query is built into a variable elsewhere and then passed in, because the checker cannot see that the variable was prepared.
Why It Matters
Unprepared SQL allows SQL injection as soon as a user-controlled value reaches the query: a request parameter dropped into a `WHERE` clause, a `LIKE` pattern, or an `ORDER BY` can change the statement's meaning. Escaping by hand (for example with `esc_sql()`) only protects quoted string contexts and is easy to forget; it does nothing for numeric contexts, identifiers, or `LIKE` wildcards. Binding values through `$wpdb->prepare()` placeholders is the pattern the sniff enforces.
How to Fix
- Move dynamic values into placeholders: `%s` for strings, `%d` for integers, `%f` for floats, and `%i` for identifiers such as table or column names (`%i` requires WordPress 6.2 or later). Do not put quotes around `%s` in the SQL; `prepare()` adds them.
- Pass the values as separate arguments (or as one array) to `$wpdb->prepare()`, and call `prepare()` inline inside the query method so the checker can see that the string it receives is prepared.
- For table names, column names, and sort directions that cannot go through `%i`, use strict allowlists and never interpolate the raw request value. For `LIKE` patterns, run the user value through `$wpdb->esc_like()` before binding it with `%s`, otherwise `%` and `_` typed by the user act as wildcards.
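The following is an added example and is not code from this page or from any of the plugins listed below. The function names, the `myplugin_items` table and its columns are hypothetical. The first function is the pattern the sniff flags; the second is the same query rewritten so that values go through placeholders, the sort column through an allowlist and `%i` (assumes WordPress 6.2 or later), the sort direction through an allowlist, and the `LIKE` term through `$wpdb->esc_like()`. The `phpcs:ignore` comment is a standard PHP_CodeSniffer directive, used here because the static check cannot follow the allowlist that constrains `$dir`.

```php
<?php
/**
 * Added example (not from the page or any listed plugin).
 * myplugin_search_unprepared() is what WordPress.DB.PreparedSQL flags;
 * myplugin_search_prepared() is the same query done safely.
 * Table wp_myplugin_items (id, title, status, created_at) is hypothetical.
 */

// BEFORE: all four arguments come from the request and land in the SQL as-is.
// A $term of  x%' OR 1=1 --  or a $dir of  ASC; DROP TABLE ...  rewrites the query.
function myplugin_search_unprepared( $status, $term, $orderby, $dir ) {
	global $wpdb;
	$sql = "SELECT id, title FROM {$wpdb->prefix}myplugin_items
	        WHERE status = '{$status}' AND title LIKE '%{$term}%'
	        ORDER BY {$orderby} {$dir} LIMIT 20";
	// Flagged as WordPress.DB.PreparedSQL.NotPrepared ("found $sql"): the
	// checker only sees a variable being passed, not how it was built.
	return $wpdb->get_results( $sql );
}

// AFTER: values bound with placeholders, identifiers constrained by allowlists.
function myplugin_search_prepared( $status, $term, $orderby, $dir ) {
	global $wpdb;

	// Sort column: allowlist first, then bind with %i (WordPress 6.2+), which
	// backtick-quotes the identifier. On older WordPress, interpolate the
	// allowlisted value instead and ignore the sniff on that line as below.
	$allowed_columns = array( 'id', 'title', 'created_at' );
	if ( ! in_array( $orderby, $allowed_columns, true ) ) {
		$orderby = 'id';
	}

	// Sort direction has no placeholder type; collapse it to one of two literals.
	$dir = ( 'DESC' === strtoupper( (string) $dir ) ) ? 'DESC' : 'ASC';

	// LIKE: escape % and _ in the user value, then add our own wildcards.
	// The result is bound with %s, so prepare() still quotes and escapes it.
	$like = '%' . $wpdb->esc_like( (string) $term ) . '%';

	// prepare() is called inline so the checker sees a prepared string.
	// %s is quoted by prepare() (no quotes in the SQL), %d is cast to int.
	// $dir is the only interpolated variable and it is allowlisted above;
	// the ignore is scoped to that one line and carries its justification.
	return $wpdb->get_results(
		$wpdb->prepare(
			// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- $dir is allowlisted to ASC/DESC above.
			"SELECT id, title FROM {$wpdb->prefix}myplugin_items WHERE status = %s AND title LIKE %s ORDER BY %i {$dir} LIMIT %d",
			$status,
			$like,
			$orderby,
			20
		)
	);
}
```

Note that the hardened version still interpolates `{$wpdb->prefix}`; the sniff permits `$wpdb` properties inside the query string, so the table prefix never needs a placeholder or an ignore. Everything else that varies is either a bound value or a string the function itself chose from a fixed list.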
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #1751 | Compress, Resize & Lazy Load Images – WPvivid Image Optimization | 47 | 107 | 58 | 10k+ | Missing direct file access protection |
| #1752 | Comment Notifier | 48 | 10 | 55 | 400 | Non-prefixed global variable |
| #1753 | Maps Plugin using Google Maps for WordPress – WP Google Map | 48 | 289 | 38 | 10k+ | wp function not compatible with requires wp |
| #1754 | Simple Custom Post Order | 48 | 10 | 77 | 300k+ | Direct Query |
| #1755 | Easy Updates Manager | 48 | 13 | 182 | 300k+ | Non-prefixed global variable |
| #1756 | WS Action Scheduler Cleaner | 48 | 13 | 80 | 2k+ | error log error log |
| #1757 | SiteEase Bulk Delete Manager | 49 | 50 | 72 | 800 | Direct Query |
| #1758 | CIO Custom Fields Importer | 49 | 23 | 8 | 500 | Output is not escaped |
| #1759 | Import into Easy Property Listings | 49 | 335 | 24 | 1k+ | Text Domain Mismatch |
| #1760 | Anti-Spam Protection – No API Key, GDPR Friendly | 49 | 2 | 106 | 1k+ | Direct Query |
| #1761 | Plugins Last Updated Column | 49 | 21 | 14 | 700 | Output is not escaped |
| #1762 | ReCrawler | 49 | 10 | 40 | 4k+ | Direct Query |
| #1763 | Search in Place | 49 | 74 | 57 | 3k+ | wp function not compatible with requires wp |
| #1764 | SKT Themes Demo Import | 49 | 218 | 104 | 4k+ | Text Domain Mismatch |
| #1765 | WP Sitemap Page | 49 | 43 | 14 | 200k+ | Missing Translators Comment |
| #1766 | Server Info – System Health & Diagnostics Suite | 50 | 15 | 46 | 3k+ | Input is not sanitized |
| #1767 | Theme Demo Import | 50 | 101 | 95 | 5k+ | Non-prefixed hook name |
| #1768 | WPML Multilingual for BuddyPress and BuddyBoss | 51 | 18 | 21 | 6k+ | SQL query is not prepared |
| #1769 | Lite Video Embed | 51 | 35 | 7 | 1k+ | Output is not escaped |
| #1770 | OnSale Page for WooCommerce | 51 | 30 | 44 | 2k+ | Text Domain Mismatch |
| #1771 | Popular Brand Icons – Simple Icons | 51 | 20 | 12 | 3k+ | Output is not escaped |
| #1772 | REST API Log | 51 | 44 | 95 | 5k+ | Non-prefixed hook name |
| #1773 | YayMail – WooCommerce Email Customizer | 51 | 163 | 788 | 50k+ | Non-prefixed global variable |
| #1774 | MB Custom Post Types & Custom Taxonomies | 52 | 9 | 49 | 10k+ | Nonce verification recommended |
| #1775 | Post Notification by Email | 52 | 36 | 13 | 2k+ | Output is not escaped |
| #1776 | SKU Generator for WooCommerce | 52 | 29 | 12 | 2k+ | Output is not escaped |
| #1777 | Stealth Publish | 52 | 7 | 22 | 900 | Missing nonce verification |
| #1778 | Connect Contact Form 7 and Mailchimp | 53 | 236 | 52 | 40k+ | Text Domain Mismatch |
| #1779 | Disable Comments – Remove Comments & Stop Spam [Multi-Site Support] | 53 | 15 | 46 | 1m+ | Non-prefixed global variable |
| #1780 | LearnPress – bbPress Integration | 53 | 19 | 14 | 2k+ | Output is not escaped |
| #1781 | MOBILOOK — Mobile View & Mobile‑Friendly Test | 53 | 10 | 20 | 1k+ | Missing nonce verification |
| #1782 | Customizable Post Listings | 54 | 42 | 13 | 700 | Deprecated parameter: the_author parameter 1 |
| #1783 | Cyr-To-Lat | 54 | 16 | 48 | 300k+ | Dynamic hook name |
| #1784 | Expanding Archives | 54 | 37 | 9 | 3k+ | Output is not escaped |
| #1785 | Extended User Search In WP-Admin | 54 | 14 | 17 | 1k+ | SQL query is not prepared |
| #1786 | Helpie FAQ — Accordion, Docs & Knowledge Base | 54 | 96 | 89 | 9k+ | Nonce verification recommended |
| #1787 | AI Agent by SiteGround | 54 | 28 | 6 | 1m+ | Exception output is not escaped |
| #1788 | Easy Quotes | 55 | 11 | 31 | 700 | Direct Query |
| #1789 | Enhanced Category Pages | 55 | 23 | 25 | 2k+ | Direct Query |
| #1790 | Go Live Update Urls | 55 | 11 | 49 | 80k+ | Non-prefixed hook name |
| #1791 | Fast Page & Post Duplicator | 55 | 12 | 25 | 60k+ | Direct Query |
| #1792 | AI Copilot – ChatGPT Chatbot & AI Engine for Post Automation | 56 | 65 | 20 | 1k+ | Text Domain Mismatch |
| #1793 | Replace Protected Password | 56 | 6 | 18 | 600 | Input is not sanitized |
| #1794 | Internal Link Juicer: SEO Auto Linker for WordPress | 57 | 12 | 61 | 90k+ | Database parameter is not escaped |
| #1795 | iZooto – Web Push Notifications | 57 | 26 | 25 | 1k+ | wp function not compatible with requires wp |
| #1796 | Longer Permalinks | 57 | 27 | 21 | 8k+ | Missing Arg Domain |
| #1797 | Ultimate Member – Terms & Conditions | 57 | 19 | 9 | 4k+ | Output is not escaped |
| #1798 | Filter Orders by Product for WooCommerce | 57 | 9 | 21 | 4k+ | Nonce verification recommended |
| #1799 | BCM Duplicate Menu | 58 | 8 | 11 | 4k+ | Nonce verification recommended |
| #1800 | HAL | 58 | 106 | 24 | 500 | Text Domain Mismatch |