WordPress.DB.PreparedSQL.NotPrepared

SQL query is not prepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

Weight: critical

Why It Shows Up

The scan found a SQL string passed to a `$wpdb` query method (`query()`, `get_results()`, `get_var()`, `get_row()`, `get_col()`, or `prepare()` itself) in which variables appear to be interpolated or concatenated directly instead of being bound through `$wpdb->prepare()` placeholders.

Why It Matters

Unprepared SQL allows SQL injection whenever a user-controlled value reaches the query string: the value is parsed as part of the statement instead of as data, so it can change a `WHERE` clause, read other tables through a `UNION`, or alter rows that the original query never touched.

How to Fix

  • Move dynamic values into placeholders: `%s` (string), `%d` (integer), `%f` (float), and `%i` (identifier, WordPress 6.2 and later). Do not wrap a placeholder in quotes, since `%s` adds its own, and write a literal percent sign as `%%`.
  • Pass the values as separate arguments (or a single array) to `$wpdb->prepare()`, in placeholder order, and hand the returned string straight to the `$wpdb` query method.
  • For table names, column names, and sort directions, use strict allowlists instead of raw user input: map the request value to a fixed literal and fall back to a default when it does not match. `%i` covers identifiers only, not keywords such as `ASC`/`DESC`.
  • For `LIKE` patterns, run the value through `$wpdb->esc_like()` before binding it with `%s`, so `%` and `_` in user input match literally.
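The following is an added example for this page, not code from WordPress core, from WPCS, or from any plugin listed below. It shows the pattern the sniff flags next to its prepared form, including an allowlisted `ORDER BY` column and direction, an `esc_like()` filter, and a variable-length `IN (...)` list. It assumes a WordPress runtime (global `$wpdb`, `sanitize_key()`); the table `{$wpdb->prefix}events`, its columns, and the `$request` keys (`status`, `orderby`, `order`, `q`, `ids`) are hypothetical.

```php
<?php
/**
 * Added example, not WordPress core or plugin code. Assumes a WordPress runtime
 * (global $wpdb, sanitize_key()). The events table, its columns and the
 * $request keys are hypothetical.
 */

// BEFORE: the shape this sniff flags. Each request value is spliced into the
// SQL text, so a status containing a quote, or an orderby holding an
// expression, is parsed as SQL rather than treated as data.
function events_list_unsafe( array $request ) {
    global $wpdb;
    $status  = $request['status'];
    $orderby = $request['orderby'];
    $order   = $request['order'];
    $sql = "SELECT id, title FROM {$wpdb->prefix}events
            WHERE status = '$status' ORDER BY $orderby $order";
    return $wpdb->get_results( $sql ); // WordPress.DB.PreparedSQL.NotPrepared
}

// AFTER: data is bound through prepare() placeholders; identifiers and
// keywords come from allowlists, because no placeholder can parameterize
// ASC/DESC and %i (identifier) only exists on WordPress 6.2 and later.
function events_list_safe( array $request ) {
    global $wpdb;

    // sanitize_key() narrows the value to [a-z0-9_-]; prepare() alone would
    // already keep it from breaking out of the %s literal.
    $status = isset( $request['status'] ) ? sanitize_key( $request['status'] ) : 'published';

    // Allowlist: the request selects a key, the key maps to a fixed column
    // literal, and anything unknown falls back to the default.
    $sortable = array( 'id' => 'id', 'title' => 'title', 'starts' => 'starts_at' );
    $key      = isset( $request['orderby'] ) ? (string) $request['orderby'] : '';
    $orderby  = isset( $sortable[ $key ] ) ? $sortable[ $key ] : 'id';

    // Sort direction is a keyword: compare, then emit one of two literals.
    $order = ( isset( $request['order'] ) && 'desc' === strtolower( (string) $request['order'] ) ) ? 'DESC' : 'ASC';

    // LIKE filter: esc_like() escapes % and _ inside the value; %s then quotes
    // and escapes the whole pattern. The placeholder is not wrapped in quotes.
    $like = isset( $request['q'] ) ? '%' . $wpdb->esc_like( (string) $request['q'] ) . '%' : '%';

    // Optional ID filter: one %d per element, so the list length is fixed by
    // the code and every element is cast to an integer before binding.
    $ids = isset( $request['ids'] ) ? array_map( 'intval', (array) $request['ids'] ) : array();
    $in  = $ids ? ' AND id IN (' . implode( ',', array_fill( 0, count( $ids ), '%d' ) ) . ')' : '';

    // %i (WordPress 6.2+) backtick-quotes the allowlisted column; on older
    // cores interpolate the allowlisted $orderby literal the same way as $order.
    // Arguments are passed as one array, in placeholder order.
    // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- $in holds only %d placeholders; $order is an allowlisted literal.
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}events
             WHERE status = %s AND title LIKE %s{$in}
             ORDER BY %i {$order} LIMIT %d",
            array_merge( array( $status, $like ), $ids, array( $orderby, 50 ) )
        )
    );
    // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
}
```

The `phpcs:disable`/`phpcs:enable` pair is deliberate: the sniff cannot see that `$in` contains only placeholders or that `$order` was allowlisted, so the suppression documents why the interpolation is safe instead of hiding it. Nesting `prepare()` directly inside `get_results()` avoids a second suppression for a pre-built `$sql` variable.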

Affected Plugins

Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue
#301 | Radio Station by netmix® – Manage and play your Show Schedule in WordPress! | 23 | 934 | 3,619 | 1k+ | Non-prefixed global variable
#302 | Redirection | 23 | 523 | 457 | 100k+ | Non-prefixed global variable
#303 | Request a Quote – Quote Forms for Any WordPress Site | 23 | 240 | 1,099 | 1k+ | Non-prefixed hook name
#304 | Robo Gallery – Photo & Image Slider | 23 | 1,291 | 530 | 40k+ | Output is not escaped
#305 | Schema | 23 | 1,173 | 245 | 40k+ | Text Domain Mismatch
#306 | SecuPress with Simple SSL – Simple and Performant Security | 23 | 1,696 | 1,590 | 40k+ | Non-prefixed global variable
#307 | SEO Redirection Plugin – 301 Redirect Manager | 23 | 272 | 727 | 10k+ | Non-prefixed global variable
#308 | Seraphinite Post .DOCX Source | 23 | 1,156 | 110 | 900 | Output is not escaped
#309 | Seriously Simple Podcasting | 23 | 548 | 627 | 30k+ | Non-prefixed hook name
#310 | Local Google Analytics for WordPress – caches external requests | 23 | 551 | 199 | 3k+ | Output is not escaped
#311 | Tag, Category, and Taxonomy Manager – Autotagger Automatically Add Terms | 23 | 405 | 869 | 50k+ | Nonce verification recommended
#312 | Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management | 23 | 295 | 298 | 4k+ | Non-prefixed global variable
#313 | Image Optimizer, Resizer and CDN – Sirv | 23 | 616 | 1,004 | 1k+ | Output is not escaped
#314 | Site Reviews | 23 | 1,625 | 598 | 60k+ | Output is not escaped
#315 | Slider Hero with Video Background, Animation | 23 | 1,565 | 1,253 | 3k+ | Text Domain Mismatch
#316 | Slider by 10Web – Responsive Image Slider | 23 | 5,814 | 976 | 10k+ | Output is not escaped
#317 | Smart Marketing SMS and Newsletters Forms | 23 | 2,221 | 1,022 | 1k+ | Text Domain Mismatch
#318 | Smart Slider 3 | 23 | 261 | 268 | 800k+ | Non-prefixed global variable
#319 | teachPress | 23 | 744 | 1,587 | 2k+ | SQL query is not prepared
#320 | Legal Terms and Conditions Popup for User Login and WooCommerce Checkout | 23 | 524 | 237 | 700 | Output is not escaped
#321 | The Events Calendar | 23 | 3,511 | 3,851 | 700k+ | Text Domain Mismatch
#322 | Travelpayouts | 23 | 769 | 110 | 6k+ | Output is not escaped
#323 | Tutor LMS – eLearning and online course solution | 23 | 395 | 3,406 | 100k+ | Non-prefixed global variable
#324 | Directory Listings WordPress plugin – uListing | 23 | 947 | 1,573 | 1k+ | Non-prefixed global variable
#325 | Ultimate Fields | 23 | 371 | 458 | 700 | Alternative PHP tag found
#326 | UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP | 23 | 694 | 2,439 | 20k+ | Non-prefixed hook name
#327 | Product Table & List Builder For WooCommerce | 23 | 1,361 | 2,059 | 10k+ | Non-prefixed global variable
#328 | Advanced Booking & Appointment System – Webba Booking Calendar | 23 | 1,613 | 3,295 | 2k+ | Non-prefixed global variable
#329 | Billingo Plus integráció WooCommerce-hez | 23 | 1,119 | 507 | 800 | Text Domain Mismatch
#330 | Predictive Search for WooCommerce | 23 | 530 | 644 | 700 | Output is not escaped
#331 | WP All Import – Product Import for WooCommerce | 23 | 1,475 | 209 | 20k+ | Non Singular String Literal Domain
#332 | ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin | 23 | 7,423 | 2,181 | 90k+ | Text Domain Mismatch
#333 | WP BackItUp Community Edition | 23 | 257 | 989 | 6k+ | Non-prefixed global variable
#334 | Clone | 23 | 244 | 262 | 40k+ | Output is not escaped
#335 | WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses | 23 | 590 | 876 | 500 | Non-prefixed function
#336 | WP-CRM System – Manage Clients and Projects | 23 | 297 | 1,094 | 800 | Non-prefixed global variable
#337 | WP Crowdfunding | 23 | 199 | 1,629 | 2k+ | Non-prefixed global variable
#338 | WP Editor | 23 | 502 | 335 | 20k+ | Unsafe printing function
#339 | WP Hotelier | 23 | 693 | 1,635 | 2k+ | Non-prefixed global variable
#340 | Lead Form Data Collection to CRM | 23 | 211 | 1,698 | 400 | Non-prefixed global variable
#341 | WP-Lister Lite for Amazon | 23 | 3,061 | 4,177 | 800 | Output is not escaped
#342 | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce | 23 | 941 | 2,179 | 20k+ | SQL query is not prepared
#343 | WP Migrate Lite – Migration Made Easy | 23 | 369 | 255 | 200k+ | Exception output is not escaped
#344 | Shield Security – Smart Bot Blocking, Brute-Force Login Protection & File Scanning | 23 | 1,118 | 202 | 40k+ | Missing Translators Comment
#345 | WP STAGING – WordPress Backup, Restore, Migration & Clone | 23 | 1,494 | 1,550 | 100k+ | Non-prefixed global variable
#346 | Subscribe Forms – Beautiful Email Forms, Embedded Newsletter Forms & MailChimp Form | 23 | 419 | 542 | 2k+ | Non-prefixed global variable
#347 | Track, Analyze & Optimize by WP Tao | 23 | 895 | 756 | 600 | Output is not escaped
#348 | Dynamic Team Manager – Team Member Showcase with grid, slider, table Elementor widget & shortcode | 23 | 933 | 2,002 | 900 | Non-prefixed global variable
#349 | Customer Support Ticket System & Helpdesk | 23 | 1,719 | 1,464 | 400 | Text Domain Mismatch
#350 | WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel | 23 | 1,158 | 3,642 | 20k+ | Interpolated SQL is not prepared