WordPress.DB.PreparedSQL.NotPrepared
SQL query is not prepared
A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.
Why It Shows Up
The scan found a SQL string passed to a `$wpdb` query method (`query()`, `get_results()`, `get_var()`, `get_row()`, `get_col()` and similar) in which variables appear to be interpolated or concatenated directly rather than bound through `$wpdb->prepare()`.
Why It Matters
Unprepared SQL can allow SQL injection when user-controlled values reach the query. A value that is trusted today (an option, a meta field, a value handed in through another plugin's filter) can become attacker-controlled later, so the safe habit is to prepare every query that contains a variable, not only the ones that obviously read request data.
How to Fix
- Move dynamic values into placeholders: `%s` for strings, `%d` for integers, `%f` for floats, and `%i` for identifiers on WordPress 6.2 and later. Do not wrap `%s` in quotes; `$wpdb->prepare()` adds the quoting itself.
- Pass the values as separate arguments (or as one array) to `$wpdb->prepare()`, and hand the result straight to the `$wpdb` method.
- For `LIKE` patterns, run the user text through `$wpdb->esc_like()` before binding it with `%s`, and write any literal `%` in the format string as `%%`.
- For table names, column names, and sort directions on versions without `%i`, use strict allowlists instead of raw user input. The table prefix from `$wpdb->prefix` is not user input and may be interpolated.
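The following is an added example, not code from any plugin listed below. It shows the pattern the sniff reports next to the prepared version of the same query, including the allowlist for `ORDER BY` and the two-step handling of `LIKE`. It assumes it runs inside WordPress (so `$wpdb`, `wp_unslash()` and the `sanitize_*()` helpers exist); the table `{$wpdb->prefix}demo_events`, its columns and the request parameters are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the scanned plugins. Assumes WordPress is
// loaded (global $wpdb, wp_unslash(), sanitize_*() available). The table
// "{$wpdb->prefix}demo_events", its columns and the request parameters are
// assumptions for the demonstration.

/**
 * Unsafe form: exactly what the sniff reports. Request values are dropped
 * into the SQL string, so a crafted ?status= or ?orderby= rewrites the query.
 */
function demo_events_unprepared() {
    global $wpdb;
    $status  = isset( $_GET['status'] ) ? wp_unslash( $_GET['status'] ) : 'open';
    $orderby = isset( $_GET['orderby'] ) ? wp_unslash( $_GET['orderby'] ) : 'created_at';
    $table   = $wpdb->prefix . 'demo_events';

    // Flagged as WordPress.DB.PreparedSQL.NotPrepared: variables in the
    // query text and no $wpdb->prepare() anywhere.
    return $wpdb->get_results(
        "SELECT id, title FROM {$table} WHERE status = '{$status}' ORDER BY {$orderby} DESC"
    );
}

/**
 * Prepared form: every user-supplied value is bound through a placeholder,
 * identifiers and keywords come from allowlists, LIKE input is escaped.
 */
function demo_events_prepared() {
    global $wpdb;
    $status  = isset( $_GET['status'] ) ? sanitize_text_field( wp_unslash( $_GET['status'] ) ) : 'open';
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'created';
    $order   = isset( $_GET['order'] ) ? strtoupper( sanitize_key( wp_unslash( $_GET['order'] ) ) ) : 'DESC';
    $limit   = isset( $_GET['limit'] ) ? absint( $_GET['limit'] ) : 20;
    $search  = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';

    // Column names and the sort direction cannot be bound with %s (they
    // would be quoted as string literals), so map the request value onto a
    // fixed set of SQL fragments and fall back to a default otherwise.
    $allowed_orderby = array(
        'created' => 'created_at',
        'title'   => 'title',
        'id'      => 'id',
    );
    $orderby_sql = isset( $allowed_orderby[ $orderby ] ) ? $allowed_orderby[ $orderby ] : 'created_at';
    $order_sql   = ( 'ASC' === $order ) ? 'ASC' : 'DESC';

    // LIKE needs two steps: esc_like() neutralises % and _ inside the user's
    // text; prepare() then escapes and quotes the whole pattern via %s.
    $like = '%' . $wpdb->esc_like( $search ) . '%';

    // No quotes around %s (prepare() adds them); %d casts the limit to int.
    // {$wpdb->prefix} and the allowlisted fragments are the only things
    // interpolated, and none of them carries user input.
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title
               FROM {$wpdb->prefix}demo_events
              WHERE status = %s
                AND title LIKE %s
           ORDER BY {$orderby_sql} {$order_sql}
              LIMIT %d",
            $status,
            $like,
            $limit
        )
    );
}
```

Keep the `$wpdb->prepare()` call inline as above. If you store the prepared string in a variable first and then pass that variable to `get_results()`, the sniff has no way to tell it was prepared and reports NotPrepared again; in that case add a `// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared` comment with a justification, and nothing else. On WordPress 6.2 and later the allowlisted column name can be bound with `%i` instead of interpolated, but the allowlist is still worth keeping so that the query only ever sorts by columns you intend.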
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1851 | FileBird Document Library | 76 | 23 | 13 | 5k+ | | | Text Domain Mismatch |
| #1852 | FluentPlayer – Video Player With Forms & Lead Capture | 76 | 5 | 40 | 1k+ | | | Database parameter is not escaped |
| #1853 | Category Order and Taxonomy Terms Order | 76 | 35 | 10 | 500k+ | | | wp function not compatible with requires wp |
| #1854 | UTM Event Tracker and Analytics, UTM Grabber | 76 | 2 | 19 | 900 | | | Interpolated SQL is not prepared |
| #1855 | Index WP Users For Speed | 77 | 10 | 35 | 1k+ | | | Non-prefixed global variable |
| #1856 | Posts List | 77 | 11 | 15 | 7k+ | | | Non-prefixed hook name |
| #1857 | Table Of Contents Block | 77 | 15 | 8 | 10k+ | | | wp function not compatible with requires wp |
| #1858 | Recent Posts | 78 | 7 | 2 | 400 | | | Database parameter is not escaped |
| #1859 | Flipbox | 80 | 14 | 17 | 2k+ | | | wp function not compatible with requires wp |
| #1860 | Media Library File Size | 80 | 3 | 15 | 6k+ | | | Nonce verification recommended |
| #1861 | WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets | 80 | 26 | 18 | 30k+ | | | Missing direct file access protection |
| #1862 | Countdown Block | 81 | 14 | 10 | 4k+ | | | wp function not compatible with requires wp |
| #1863 | Price Table Block | 81 | 15 | 16 | 900 | | | file system operations mkdir |
| #1864 | Progress Bars | 81 | 15 | 14 | 500 | | | file system operations mkdir |
| #1865 | Team Member Block | 81 | 15 | 14 | 1k+ | | | file system operations mkdir |
| #1866 | Toggle Content | 81 | 16 | 12 | 800 | | | file system operations mkdir |
| #1867 | Typing Text | 81 | 15 | 16 | 600 | | | file system operations mkdir |
| #1868 | Accordion Toggle | 82 | 17 | 11 | 2k+ | | | Non-prefixed class |
| #1869 | Image Gallery Block | 82 | 13 | 10 | 3k+ | | | wp function not compatible with requires wp |
| #1870 | Infobox | 82 | 15 | 12 | 1k+ | | | file system operations mkdir |
| #1871 | Parallax Slider Block | 82 | 15 | 12 | 1k+ | | | file system operations mkdir |
| #1872 | Image Slider Block | 82 | 13 | 14 | 3k+ | | | wp function not compatible with requires wp |
| #1873 | Testimonial Block | 82 | 13 | 12 | 500 | | | wp function not compatible with requires wp |
| #1874 | Events Calendar Modules for Divi | 84 | 1 | 12 | 2k+ | | | Nonce verification recommended |
| #1875 | Floating Button – Easily Create Sticky, Fixed & Floating Buttons | 84 | 6 | 184 | 4k+ | | | Non-prefixed global variable |
| #1876 | Timeline Module for Divi | 84 | 16 | 11 | 3k+ | | | Text Domain Mismatch |
| #1877 | Auto Subpage Menu | 85 | 5 | 6 | 800 | | | Database parameter is not escaped |
| #1878 | GazChap's WooCommerce Auto Category Product Thumbnails | 85 | 4 | 8 | 1k+ | | | trademarked term |
| #1879 | Vanilla PDF Embed | 85 | 8 | 3 | 3k+ | | | parse url parse url |
| #1880 | WP Missed Schedule Posts | 87 | 7 | 9 | 10k+ | | | trademarked term |
| #1881 | Disable Revisions | 90 | 5 | 5 | 1k+ | | | Direct Query |
| #1882 | Featured Image Admin Thumb | 90 | 7 | 10 | 20k+ | | | Non-prefixed hook name |
| #1883 | HivePress Messages | 90 | 7 | 10 | 7k+ | | | Direct Query |
| #1884 | WPSSO Tune WP Image Editors | 91 | 35 | 10 | 900 | | | Missing Translators Comment |
| #1885 | MWW Scheduled Post Trigger | 92 | 4 | 2 | 60k+ | | | Direct Query |
| #1886 | MediaMan – Where is this Image Used? | 92 | 2 | 12 | 400 | | | Direct Query |