WordPress.DB.PreparedSQL.NotPrepared
SQL query is not prepared
A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.
Why It Shows Up
The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.
Why It Matters
Unprepared SQL can allow SQL injection when user-controlled values reach the query.
How to Fix
- Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
- Pass the values as separate arguments to `$wpdb->prepare()`.
- For table names, column names, and sort directions, use strict allowlists instead of raw user input.
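The three fix steps above, shown as an added example that is not code from the original page or from any of the plugins listed below. It assumes a hypothetical custom table `{$wpdb->prefix}orders_log` with columns `id`, `status`, `created_at` and `customer_email`; the function names are placeholders. The first function is the pattern the sniff reports, the second is the prepared form with an identifier allowlist, using the `%i` identifier placeholder (available from WordPress 6.2) for the column and a fixed choice for the sort direction:

```php
<?php
/**
 * Flagged pattern: request-derived values are interpolated straight into the
 * SQL string, so $wpdb never sees them as separate parameters.
 * (Hypothetical example; table and function names are assumptions.)
 */
function example_unprepared_lookup( string $status, string $orderby, string $order ) {
    global $wpdb;
    // The sniff fires here: $status, $orderby and $order are part of the query text.
    return $wpdb->get_results(
        "SELECT id, customer_email FROM {$wpdb->prefix}orders_log
         WHERE status = '{$status}' ORDER BY {$orderby} {$order}"
    );
}

/**
 * Fixed version: values go through placeholders, identifiers through allowlists.
 */
function example_prepared_lookup( string $status, string $orderby, string $order, int $limit = 20 ) {
    global $wpdb;

    // Column names cannot be bound as quoted values, so check the request value
    // against a fixed list and fall back to a safe default.
    $allowed_columns = array( 'id', 'created_at', 'status' );
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id';
    }

    // Sort direction: only the two literal keywords are ever placed in the query.
    $order = ( 'DESC' === strtoupper( $order ) ) ? 'DESC' : 'ASC';

    // %s is quoted and escaped, %d is cast to an integer, %i is wrapped as an
    // identifier; the values are passed as separate arguments, not interpolated.
    // $order is interpolated only after being reduced to ASC/DESC above.
    // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- $order is restricted to ASC/DESC above.
    $sql = $wpdb->prepare(
        "SELECT id, customer_email FROM {$wpdb->prefix}orders_log
         WHERE status = %s ORDER BY %i {$order} LIMIT %d",
        $status,
        $orderby,
        $limit
    );

    return $wpdb->get_results( $sql );
}
```

On installs older than WordPress 6.2, where `%i` is not available, place the already-allowlisted `$orderby` into the string the same way as `$order`; the allowlist is what makes that safe, not the placeholder. `$wpdb->prefix` is recognised by the sniff as a safe interpolation, which is why the table name needs no placeholder.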
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1801 | Ultimate Member – Terms & Conditions | 57 | 19 | 9 | 4k+ | | | Output is not escaped |
| #1802 | Filter Orders by Product for WooCommerce | 57 | 9 | 21 | 4k+ | | | Nonce verification recommended |
| #1803 | BCM Duplicate Menu | 58 | 8 | 11 | 4k+ | | | Nonce verification recommended |
| #1804 | HAL | 58 | 106 | 24 | 500 | | | Text Domain Mismatch |
| #1805 | Custom API for WP | 59 | 173 | 16 | 1k+ | | | wp function not compatible with requires wp |
| #1806 | Hide Posts | 59 | 9 | 70 | 20k+ | | | Direct Query |
| #1807 | Ultimate Gift Cards for WooCommerce | 59 | 3 | 448 | 7k+ | | | Non-prefixed global variable |
| #1808 | Accesibilidad Web con el Widget de AccedeMe | 60 | 22 | 23 | 1k+ | | | Text Domain Mismatch |
| #1809 | WPB Popup for Contact Form 7 – Showing Contact Form 7 Popup on Button Click | 60 | 21 | 9 | 6k+ | | | Output is not escaped |
| #1810 | WPSSO Schema Product Metadata for WooCommerce | 60 | 33 | 23 | 500 | | | Missing Translators Comment |
| #1811 | PW WooCommerce Copy Coupon | 61 | 15 | 17 | 1k+ | | | Text Domain Mismatch |
| #1812 | AAM Protected Media Files | 62 | 13 | 10 | 600 | | | Direct Query |
| #1813 | Add Meta Tag Keywords | 62 | 6 | 15 | 1k+ | | | Missing nonce verification |
| #1814 | Contact Form 7 – Blacklist Unwanted Email | 62 | 16 | 11 | 400 | | | Missing direct file access protection |
| #1815 | Import entries for Gravity Forms | 62 | 6 | 26 | 500 | | | Input is not validated |
| #1816 | Woo Product Remover | 62 | 23 | 14 | 1k+ | | | SQL query is not prepared |
| #1817 | WP Category Sort | 62 | 15 | 22 | 500 | | | Text Domain Mismatch |
| #1818 | Automatic Featured Images from Videos | 63 | 14 | 13 | 7k+ | | | Missing direct file access protection |
| #1819 | IndexNow Plugin | 63 | 14 | 91 | 100k+ | | | error log error log |
| #1820 | MooWoodle – WordPress Moodle LMS Integration, Sell Moodle Courses via WooCommerce | 63 | 10 | 45 | 800 | | | No Caching |
| #1821 | Collapsing Archives | 64 | 36 | 9 | 3k+ | | | date date |
| #1822 | JTL-Connector for WooCommerce | 64 | 7 | 166 | 1k+ | | | Direct Query |
| #1823 | Email Tracker | 65 | 25 | 4 | 800 | | | SQL query is not prepared |
| #1824 | Bitrix24 | 65 | 28 | 10 | 500 | | | Text Domain Mismatch |
| #1825 | License For Envato | 65 | 9 | 28 | 9k+ | | | Non-prefixed global variable |
| #1826 | SQL Buddy – Database Management Made Easy | 65 | 12 | 16 | 5k+ | | | SQL query is not prepared |
| #1827 | Return Refund and Exchange For WooCommerce | 65 | 21 | 653 | 4k+ | | | Non-prefixed global variable |
| #1828 | Missed Schedule Post Publisher | 67 | 11 | 10 | 7k+ | | | Output is not escaped |
| #1829 | Multilingual Forms for Fluent Forms with WPML | 67 | 52 | 16 | 1k+ | | | Text Domain Mismatch |
| #1830 | WebToffee WooCommerce Product Feeds – Google Shopping, Pinterest, TikTok Ads, & More | 67 | 178 | 2,899 | 2k+ | | | Non-prefixed hook name |
| #1831 | Member Swipe for BuddyPress | 68 | 9 | 13 | 600 | | | Missing direct file access protection |
| #1832 | Collapsing Categories | 68 | 29 | 8 | 4k+ | | | Missing direct file access protection |
| #1833 | Export media with selected content (by DKZR) | 68 | 10 | 14 | 40k+ | | | Direct Query |
| #1834 | Free Assets Library – Openverse/Pixabay 600+ Million Images | 68 | 44 | 36 | 4k+ | | | Text Domain Mismatch |
| #1835 | Hreflang Manager – Hreflang Implementation for International SEO | 68 | 21 | 15 | 8k+ | | | wp function not compatible with requires wp |
| #1836 | News Magazine X Core | 68 | 63 | 30 | 5k+ | | | Missing Translators Comment |
| #1837 | Thank You Page for WooCommerce – Custom Thank You Page & Redirect | 68 | 6 | 27 | 10k+ | | | Non-prefixed global variable |
| #1838 | WP Sanitize Accented Uploads | 68 | 15 | 16 | 800 | | | Quoted Simple Placeholder |
| #1839 | Search by SKU for Woocommerce | 69 | 13 | 10 | 10k+ | | | Direct Query |
| #1840 | Points and Rewards for WooCommerce | 70 | 6 | 14 | 7k+ | | | Nonce verification recommended |
| #1841 | Portfolio Post Type | 70 | 7 | 11 | 50k+ | | | Nonce verification recommended |
| #1842 | Search and Replace | 70 | 7 | 9 | 10k+ | | | Input is not sanitized |
| #1843 | Simple Login Captcha | 70 | 20 | 19 | 10k+ | | | date date |
| #1844 | Export Users With Meta | 70 | 13 | 13 | 2k+ | | | Direct Query |
| #1845 | Starter Templates & Sites Pack by ThemeGrill | 72 | 28 | 51 | 70k+ | | | Non-prefixed hook name |
| #1846 | Permalinks Moved Permanently | 73 | 7 | 7 | 700 | | | Database parameter is not escaped |
| #1847 | Comment Edit Core – Simple Comment Editing | 73 | 27 | 85 | 2k+ | | | Non-prefixed hook name |
| #1848 | Bing URL Submissions Plugin | 74 | 10 | 38 | 40k+ | | | error log error log |
| #1849 | Duplicate Taxonomy Term | 74 | 9 | 5 | 2k+ | | | Nonce verification recommended |
| #1850 | Cognito Forms | 75 | 13 | 4 | 2k+ | | | wp function not compatible with requires wp |