WordPress.DB.PreparedSQL.NotPrepared

SQL query is not prepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical weight

Why It Shows Up

The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.

Why It Matters

Unprepared SQL can allow SQL injection when user-controlled values reach the query.

How to Fix

Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
Pass the values as separate arguments to `$wpdb->prepare()`.
For table names, column names, and sort directions, use strict allowlists instead of raw user input.

References

WordPress database access

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Added	Updated	Top Issue
#351	WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel	23	1,119	3,516	20k+	14 years ago	12 days ago	Interpolated SQL is not prepared
#352	WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress	23	4,376	890	20k+	7 years ago	2 months ago	Output is not escaped
#353	WPMobile.App	23	2,983	1,527	3k+	11 years ago	6 days ago	Output is not escaped
#354	WPCal.io – Easy Meeting Scheduler	23	694	595	900	6 years ago	7 months ago	Direct Query
#355	Comments – wpDiscuz	23	620	1,180	70k+	12 years ago	20 days ago	Non-prefixed global variable
#356	Photo Engine (Media Organizer & Lightroom)	23	252	650	2k+	12 years ago	2 months ago	Direct Query
#357	Yatra – Travel Booking & Tour Operator Software	23	2,211	3,994	600	7 years ago	4 days ago	Non-prefixed global variable
#358	YITH WooCommerce Ajax Product Filter	23	463	1,527	80k+	13 years ago	12 days ago	Non-prefixed global variable
#359	Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress	23	2,317	1,714	5k+	5 years ago	4 months ago	Output is not escaped
#360	Zephyr Project Manager	23	667	2,454	1k+	8 years ago	5 months ago	Non-prefixed global variable
#361	404 Solution	24	486	1,338	10k+	9 years ago	4 days ago	Non-prefixed class
#362	A2 Optimized WP – Turbocharge and secure your WordPress site	24	271	231	60k+	11 years ago	1 year ago	Missing Arg Domain
#363	Academy LMS – WordPress LMS Plugin for Complete eLearning Solution	24	162	787	2k+	5 years ago	15 days ago	Non-prefixed global variable
#364	Anti Spam and list cleaner – AcyChecker	24	462	88	400	5 years ago	4 months ago	Output is not escaped
#365	AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress	24	5,230	1,464	7k+	8 years ago	18 days ago	Output is not escaped
#366	Ad Inserter – Ad Manager & AdSense Ads	24	4,241	811	300k+	16 years ago	1 month ago	Output is not escaped
#367	Ivory Search – WordPress Search Plugin	24	1,173	1,688	100k+	9 years ago	7 days ago	Non-prefixed global variable
#368	Affiliates Manager	24	1,268	653	9k+	12 years ago	21 days ago	Unsafe printing function
#369	All-In-One Security (AIOS) – Security and Firewall	24	552	1,228	1m+	13 years ago	25 days ago	Non-prefixed global variable
#370	Starter Templates – AI-Powered Templates for Elementor & Gutenberg	24	125	394	1m+	9 years ago	6 days ago	Non-prefixed hook name
#371	TermsFeed AutoTerms: Privacy Policy Generator, Cookie Consent, GDPR, CCPA, Terms & Conditions, Disclaimers, Cookies Policy, EULA	24	939	161	70k+	14 years ago	5 months ago	Non Singular String Literal Domain
#372	AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress	24	1,705	1,393	7k+	6 years ago	14 days ago	Text Domain Mismatch
#373	Popup Box – Create Countdown, Coupon, Video, Contact Form Popups	24	482	1,253	50k+	8 years ago	12 days ago	Non-prefixed global variable
#374	Backuply – Backup, Restore, Migrate and Clone	24	704	551	700k+	4 years ago	1 month ago	Non-prefixed global variable
#375	Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale)	24	1,837	1,063	1k+	5 years ago	6 days ago	Text Domain Mismatch
#376	Product Feed Manager For WooCommerce – Sell on 200+ Online Marketplaces	24	2,248	3,338	10k+	9 years ago	19 days ago	slow db query meta key
#377	Better Payment – Instant Payments, Donations, Fundraising with Subscriptions & More	24	342	930	6k+	5 years ago	12 days ago	Non-prefixed global variable
#378	Arigato Autoresponder and Newsletter	24	1,318	769	500	16 years ago	11 months ago	Text Domain Mismatch
#379	BlockMeister – Block Pattern Builder	24	580	1,405	1k+	6 years ago	1 year ago	Non-prefixed global variable
#380	Bookit — Booking & Appointment Calendar	24	566	1,456	4k+	7 years ago	1 month ago	Non-prefixed global variable
#381	Branda – White Label & Branding, Free Login Page Customizer	24	3,174	820	20k+	6 years ago	19 days ago	Text Domain Mismatch
#382	BrikPanel — WooCommerce Dashboard, Sales Report, Google Sheets Sync, Inventory Management & Bulk Editor	24	3,950	1,265	400	1 year ago	yesterday	Text Domain Mismatch
#383	Bulk Edit Categories and Tags – Create Thousands Quickly on the Editor	24	1,025	984	4k+	7 years ago	5 months ago	Text Domain Mismatch
#384	Bulk Edit and Create User Profiles – WP Sheet Editor	24	979	969	1k+	8 years ago	5 months ago	Text Domain Mismatch
#385	WOLF – WordPress Posts Bulk Editor and Manager Professional	24	485	623	4k+	7 years ago	1 month ago	Output is not escaped
#386	Calculated Fields Form	24	283	599	40k+	13 years ago	6 days ago	Non-prefixed global variable
#387	Event Calendar – Calendar	24	1,111	1,262	2k+	10 years ago	12 months ago	Text Domain Mismatch
#388	Categorify – WordPress Media Library Category & File Manager	24	573	1,385	1k+	5 years ago	2 years ago	Non-prefixed global variable
#389	Message Filter for Contact Form 7	24	1,057	1,594	1k+	8 years ago	8 days ago	Non-prefixed global variable
#390	Kognetiks Chatbot for WordPress	24	651	1,486	600	3 years ago	5 months ago	Non-prefixed global variable
#391	CleanTalk Anti-Spam. Spam Firewall & Bot protection	24	825	1,079	200k+	14 years ago	yesterday	Missing nonce verification
#392	Smart Online Order for Clover	24	1,746	1,246	1k+	10 years ago	2 months ago	Text Domain Mismatch
#393	CM Pop-Up – Create engaging popups to capture attention and boost interaction	24	466	408	8k+	11 years ago	1 month ago	Output is not escaped
#394	Complianz – GDPR/CCPA Cookie Consent	24	487	403	1m+	8 years ago	13 days ago	Missing Arg Domain
#395	RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress	24	828	3,665	500	10 years ago	1 month ago	Request data is not unslashed
#396	CF7 Apps – Honeypot, Database, Redirection, Webhook, and Addons for Contact Form 7	24	1,034	1,396	300k+	15 years ago	21 days ago	Non-prefixed global variable
#397	Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress	24	529	357	1k+	13 years ago	4 months ago	Text Domain Mismatch
#398	WPBot – ChatBot Conversational Forms	24	1,254	1,226	2k+	7 years ago	8 days ago	Text Domain Mismatch
#399	CRM Perks Forms – WordPress Form Builder	24	819	577	1k+	8 years ago	16 days ago	Output is not escaped
#400	Custom CSS	24	703	657	1k+	11 years ago	9 years ago	Output is not escaped