WordPress.DB.PreparedSQL.NotPrepared

SQL query is not prepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

Weight: critical

Why It Shows Up

The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.

Why It Matters

Unprepared SQL can allow SQL injection when user-controlled values reach the query.

How to Fix

  • Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
  • Pass the values as separate arguments to `$wpdb->prepare()`.
  • For table names, column names, and sort directions, use strict allowlists instead of raw user input.
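As an added example, not code from the scanner or from any plugin listed below, here is the pattern this sniff flags next to its prepared rewrite. It assumes a hypothetical custom table `{$wpdb->prefix}my_events` and illustrative function names; the `%i` identifier placeholder needs WordPress 6.2 or later.

```php
<?php
// Constructed example: the unprepared pattern the sniff reports, then the fix.
// The table and function names are hypothetical.

// Flagged: $status, $orderby and $limit are interpolated straight into the SQL.
function myplugin_get_events_unprepared( $status, $orderby, $limit ) {
    global $wpdb;
    $table = $wpdb->prefix . 'my_events';
    return $wpdb->get_results(
        "SELECT id, title FROM $table WHERE status = '$status' ORDER BY $orderby LIMIT $limit"
    );
}

// Fixed: values go through placeholders, identifiers go through allowlists.
function myplugin_get_events( $status, $orderby, $direction, $limit ) {
    global $wpdb;

    // A column name cannot be bound as a value, so map untrusted input onto a
    // fixed set of known columns and fall back to a safe default.
    $allowed_columns = array( 'id', 'title', 'created_at' );
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id';
    }

    // Sort direction: only one of two literal keywords is ever emitted.
    $direction = ( 'desc' === strtolower( (string) $direction ) ) ? 'DESC' : 'ASC';

    // %i (WordPress 6.2+) backtick-quotes identifiers; %s and %d bind values.
    // $direction is still interpolated, but it can only ever be ASC or DESC.
    $sql = $wpdb->prepare(
        "SELECT id, title FROM %i WHERE status = %s ORDER BY %i $direction LIMIT %d",
        $wpdb->prefix . 'my_events',
        $status,
        $orderby,
        (int) $limit
    );

    return $wpdb->get_results( $sql );
}
```

On WordPress versions before 6.2, replace `%i` with the allowlisted identifier interpolated directly, as done for `$direction`.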

Affected Plugins

| Rank | Plugin | Score | Errors, Warnings, Installs (unseparated) | Top Issue |
|---|---|---|---|---|
| #1801 | Ultimate Member – Terms & Conditions | 57 | 1994k+ | Output is not escaped |
| #1802 | Filter Orders by Product for WooCommerce | 57 | 9214k+ | Nonce verification recommended |
| #1803 | BCM Duplicate Menu | 58 | 8114k+ | Nonce verification recommended |
| #1804 | HAL | 58 | 10624500 | Text Domain Mismatch |
| #1805 | Custom API for WP | 59 | 173161k+ | wp function not compatible with requires wp |
| #1806 | Hide Posts | 59 | 97020k+ | Direct Query |
| #1807 | Ultimate Gift Cards for WooCommerce | 59 | 34487k+ | Non-prefixed global variable |
| #1808 | Accesibilidad Web con el Widget de AccedeMe | 60 | 22231k+ | Text Domain Mismatch |
| #1809 | WPB Popup for Contact Form 7 – Showing Contact Form 7 Popup on Button Click | 60 | 2196k+ | Output is not escaped |
| #1810 | WPSSO Schema Product Metadata for WooCommerce | 60 | 3323500 | Missing Translators Comment |
| #1811 | PW WooCommerce Copy Coupon | 61 | 15171k+ | Text Domain Mismatch |
| #1812 | AAM Protected Media Files | 62 | 1310600 | Direct Query |
| #1813 | Add Meta Tag Keywords | 62 | 6151k+ | Missing nonce verification |
| #1814 | Contact Form 7 – Blacklist Unwanted Email | 62 | 1611400 | Missing direct file access protection |
| #1815 | Import entries for Gravity Forms | 62 | 626500 | Input is not validated |
| #1816 | Woo Product Remover | 62 | 23141k+ | SQL query is not prepared |
| #1817 | WP Category Sort | 62 | 1522500 | Text Domain Mismatch |
| #1818 | Automatic Featured Images from Videos | 63 | 14137k+ | Missing direct file access protection |
| #1819 | IndexNow Plugin | 63 | 1491100k+ | error log |
| #1820 | MooWoodle – WordPress Moodle LMS Integration, Sell Moodle Courses via WooCommerce | 63 | 1045800 | No Caching |
| #1821 | Collapsing Archives | 64 | 3693k+ | date |
| #1822 | JTL-Connector for WooCommerce | 64 | 71661k+ | Direct Query |
| #1823 | Email Tracker | 65 | 254800 | SQL query is not prepared |
| #1824 | Bitrix24 | 65 | 2810500 | Text Domain Mismatch |
| #1825 | License For Envato | 65 | 9289k+ | Non-prefixed global variable |
| #1826 | SQL Buddy – Database Management Made Easy | 65 | 12165k+ | SQL query is not prepared |
| #1827 | Return Refund and Exchange For WooCommerce | 65 | 216534k+ | Non-prefixed global variable |
| #1828 | Missed Schedule Post Publisher | 67 | 11107k+ | Output is not escaped |
| #1829 | Multilingual Forms for Fluent Forms with WPML | 67 | 52161k+ | Text Domain Mismatch |
| #1830 | WebToffee WooCommerce Product Feeds – Google Shopping, Pinterest, TikTok Ads, & More | 67 | 1782,8992k+ | Non-prefixed hook name |
| #1831 | Member Swipe for BuddyPress | 68 | 913600 | Missing direct file access protection |
| #1832 | Collapsing Categories | 68 | 2984k+ | Missing direct file access protection |
| #1833 | Export media with selected content (by DKZR) | 68 | 101440k+ | Direct Query |
| #1834 | Free Assets Library – Openverse/Pixabay 600+ Million Images | 68 | 44364k+ | Text Domain Mismatch |
| #1835 | Hreflang Manager – Hreflang Implementation for International SEO | 68 | 21158k+ | wp function not compatible with requires wp |
| #1836 | News Magazine X Core | 68 | 63305k+ | Missing Translators Comment |
| #1837 | Thank You Page for WooCommerce – Custom Thank You Page & Redirect | 68 | 62710k+ | Non-prefixed global variable |
| #1838 | WP Sanitize Accented Uploads | 68 | 1516800 | Quoted Simple Placeholder |
| #1839 | Search by SKU for Woocommerce | 69 | 131010k+ | Direct Query |
| #1840 | Points and Rewards for WooCommerce | 70 | 6147k+ | Nonce verification recommended |
| #1841 | Portfolio Post Type | 70 | 71150k+ | Nonce verification recommended |
| #1842 | Search and Replace | 70 | 7910k+ | Input is not sanitized |
| #1843 | Simple Login Captcha | 70 | 201910k+ | date |
| #1844 | Export Users With Meta | 70 | 13132k+ | Direct Query |
| #1845 | Starter Templates & Sites Pack by ThemeGrill | 72 | 285170k+ | Non-prefixed hook name |
| #1846 | Permalinks Moved Permanently | 73 | 77700 | Database parameter is not escaped |
| #1847 | Comment Edit Core – Simple Comment Editing | 73 | 27852k+ | Non-prefixed hook name |
| #1848 | Bing URL Submissions Plugin | 74 | 103840k+ | error log |
| #1849 | Duplicate Taxonomy Term | 74 | 952k+ | Nonce verification recommended |
| #1850 | Cognito Forms | 75 | 1342k+ | wp function not compatible with requires wp |