WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQueryWithPlaceholder
Like Wildcards In Query With Placeholder
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Why It Shows Up
The scan found missing, incorrect, quoted, unsupported, or mismatched SQL placeholders around `$wpdb->prepare()` usage.
Why It Matters
Broken preparation can leave dynamic SQL values unsafe or make queries behave differently than intended.
How to Fix
- Keep placeholders in the SQL string and pass dynamic values as separate arguments.
- Use the placeholder that matches the value type.
- Do not quote placeholders manually, and use allowlists for identifiers or SQL fragments.
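The pattern this check is named after, shown next to the form Plugin Check accepts, as an added example that is not code from the page or from any plugin listed below; the `myplugin_` function names are hypothetical, and the `%i` identifier placeholder assumes WordPress 6.2 or later:

```php
<?php
// Added example, not code from the page or from any listed plugin. Assumes the
// standard WordPress $wpdb global and a hypothetical plugin prefix "myplugin_".

/**
 * Flagged form: the LIKE wildcards sit in the SQL string around the placeholder
 * ('%%%s%%'). prepare() still quotes $term, but the sniff cannot verify that the
 * value was escaped for LIKE, and any '%' or '_' the user types acts as a
 * wildcard instead of matching literally.
 */
function myplugin_search_titles_flagged( string $term ): array {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE '%%%s%%'",
        $term
    );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

/**
 * Accepted form: a bare %s placeholder in the query; the wildcards are added to
 * the value after $wpdb->esc_like() has escaped the user's own '%' and '_'.
 * The LIMIT uses %d to match its integer type, and the ORDER BY column is an
 * identifier, so it goes through an allowlist and the %i identifier placeholder
 * (wpdb::prepare supports %i from WordPress 6.2).
 */
function myplugin_search_titles_fixed( string $term, string $order_by = 'post_title', int $limit = 20 ): array {
    global $wpdb;

    // Identifiers cannot be passed as prepared values; constrain them first.
    $allowed_columns = array( 'post_title', 'post_date', 'ID' );
    if ( ! in_array( $order_by, $allowed_columns, true ) ) {
        $order_by = 'post_title';
    }

    $pattern = '%' . $wpdb->esc_like( $term ) . '%';

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE %s
         ORDER BY %i ASC LIMIT %d",
        $pattern,
        $order_by,
        $limit
    );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

// Constructed input: the user-supplied '%' is escaped, so this searches for the
// literal text "50% off" rather than "50" followed by anything ending in "off".
$results = myplugin_search_titles_fixed( '50% off', 'post_date', 10 );
```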
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1 | SendPress Newsletters | 19 | 2,293 | 1,422 | 2k+ | | | Output is not escaped |
| #2 | Pix por Piggly (para Woocommerce) | 20 | 547 | 195 | 4k+ | | | Exception output is not escaped |
| #3 | WPScan – WordPress Security Scanner | 21 | 527 | 265 | 8k+ | | | Text Domain Mismatch |
| #4 | Knowledge Base documentation & wiki plugin – BasePress Docs | 22 | 671 | 1,767 | 2k+ | | | Non-prefixed global variable |
| #5 | Business Directory Plugin – Easy Listing Directories for WordPress | 23 | 611 | 1,058 | 10k+ | | | Non-prefixed global variable |
| #6 | GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress | 23 | 3,662 | 2,971 | 10k+ | | | Output is not escaped |
| #7 | IP Geo Block | 23 | 399 | 589 | 9k+ | | | Output is not escaped |
| #8 | Restaurant Menu and Food Ordering | 23 | 385 | 853 | 2k+ | | | Non-prefixed global variable |
| #9 | Seriously Simple Podcasting | 23 | 548 | 627 | 30k+ | | | Non-prefixed hook name |
| #10 | Media Library Folders | 24 | 889 | 807 | 10k+ | | | Text Domain Mismatch |
| #11 | Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors | 24 | 369 | 820 | 20k+ | | | Nonce verification recommended |
| #12 | Pz-LinkCard | 24 | 951 | 1,581 | 20k+ | | | Non-prefixed global variable |
| #13 | Spotlight Social Feeds – Block, Shortcode, and Widget | 24 | 411 | 147 | 60k+ | | | Output is not escaped |
| #14 | Online Scheduling and Appointment Booking System – Bookly | 25 | 3,528 | 870 | 60k+ | | | Text Domain Mismatch |
| #15 | Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation | 25 | 789 | 313 | 30k+ | | | Text Domain Mismatch |
| #16 | IP Location Block | 25 | 521 | 624 | 10k+ | | | Output is not escaped |
| #17 | SEO Plugin by Squirrly SEO | 25 | 1,130 | 222 | 40k+ | | | Missing Translators Comment |
| #18 | MaxGalleria | 27 | 278 | 567 | 2k+ | | | Non-prefixed global variable |
| #19 | ووکامرس فارسی | 28 | 157 | 215 | 90k+ | | | Output is not escaped |
| #20 | Advanced Shipping Rates for WooCommerce: Flexible Table Rate Shipping Rules | 29 | 185 | 504 | 2k+ | | | Non-prefixed global variable |
| #21 | WP Inventory Manager | 30 | 856 | 233 | 1k+ | | | Output is not escaped |
| #22 | Cooked – Recipe Management | 32 | 462 | 275 | 3k+ | | | Output is not escaped |
| #23 | MapPress Maps for WordPress | 32 | 694 | 133 | 30k+ | | | Missing Arg Domain |
| #24 | Related Posts for WordPress | 35 | 207 | 180 | 10k+ | | | Output is not escaped |
| #25 | Decent Comments | 38 | 93 | 28 | 2k+ | | | Output is not escaped |
| #26 | Zippy | 40 | 43 | 31 | 9k+ | | | Output is not escaped |
| #27 | Gelato Integration for WooCommerce | 42 | 36 | 32 | 5k+ | | | Output is not escaped |
| #28 | Search by SKU for Woocommerce | 69 | 13 | 10 | 10k+ | | | Direct Query |
| #29 | Vanilla PDF Embed | 85 | 8 | 3 | 3k+ | | | parse url parse url |