WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards

Like Without Wildcards

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical weight

Why It Shows Up

The scan found missing, incorrect, quoted, unsupported, or mismatched SQL placeholders around `$wpdb->prepare()` usage.

Why It Matters

Broken preparation can leave dynamic SQL values unsafe or make queries behave differently than intended.

How to Fix

  • Keep placeholders in the SQL string and pass dynamic values as separate arguments.
  • Use the placeholder that matches the value type.
  • Do not quote placeholders manually, and use allowlists for identifiers or SQL fragments.
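The three fixes above, combined in one query, as an added example (not code from Plugin Check or from any plugin listed on this page). The function name `myplugin_search_items`, the table `myplugin_items` and its columns are hypothetical, and the code assumes it is loaded inside WordPress, where the global `$wpdb` exists.

```php
<?php
// Added illustration; function, table and column names are hypothetical.
// Assumes a WordPress context in which the global $wpdb object is available.

function myplugin_search_items( $term, $author_id, $order_by ) {
	global $wpdb;

	// Identifiers cannot be bound as values, so map the requested sort key
	// onto an allowlist and fall back to a fixed column for anything else.
	$sortable = array(
		'title'   => 'title',
		'created' => 'created_at',
	);
	$column = isset( $sortable[ $order_by ] ) ? $sortable[ $order_by ] : 'created_at';

	// Escape LIKE metacharacters (% and _) in the user's term, then add the
	// wildcards to the argument. The SQL string itself contains only %s.
	$like = '%' . $wpdb->esc_like( $term ) . '%';

	// Patterns the advice above rules out, shown for comparison only:
	//   "... WHERE title LIKE '%s'"          placeholder quoted by hand
	//   "... WHERE title LIKE '%{$term}%'"   value interpolated into the SQL
	//   "... WHERE author_id = %s"           string placeholder for an integer

	return $wpdb->get_results(
		$wpdb->prepare(
			"SELECT id, title
			 FROM {$wpdb->prefix}myplugin_items
			 WHERE title LIKE %s
			   AND author_id = %d
			 ORDER BY {$column} DESC",
			$like,            // bound to %s, wildcards included
			(int) $author_id  // bound to %d
		)
	);
}
```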

Affected Plugins

Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue
#1 | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | 222,3463,34170k+ | Non-prefixed global variable
#2 | Swift Performance Lite | 222,3461,3257k+ | Text Domain Mismatch
#3 | Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light | 23386999400 | Non-prefixed global variable
#4 | FV Flowplayer Video Player | 231,3111,45420k+ | Output is not escaped
#5 | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce | 239412,17920k+ | SQL query is not prepared
#6 | WP Hotel Booking | 241,2321,5337k+ | Non-prefixed global variable
#7 | FunnelKit – Funnel Builder for WooCommerce Checkout | 253,1642,62430k+ | Text Domain Mismatch
#8 | TrackShip for WooCommerce | 254219576k+ | Non-prefixed global variable
#9 | Transliterator – Multilingual and Multi-script Text Conversion | 283053203k+ | Output is not escaped
#10 | WP GPX Maps | 35271004k+ | Non-prefixed global variable
#11 | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | 4863273100k+ | Non-prefixed global variable
#12 | wp-Monalisa | 485694700 | Direct Query