WordPress.DB.PreparedSQLPlaceholders.MissingReplacements
Missing Replacements
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Why It Shows Up
The scan found missing, incorrect, quoted, unsupported, or mismatched SQL placeholders around `$wpdb->prepare()` usage.
Why It Matters
Broken preparation can leave dynamic SQL values unsafe or make queries behave differently than intended.
How to Fix
- Keep placeholders in the SQL string and pass dynamic values as separate arguments.
- Use the placeholder that matches the value type.
- Do not quote placeholders manually, and use allowlists for identifiers or SQL fragments.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1 | Feeds for YouTube (YouTube video, channel, and gallery plugin) | 21 | 558 | 978 | 100k+ | Output is not escaped | ||
| #2 | RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | 22 | 3,653 | 5,078 | 8k+ | Non-prefixed global variable | ||
| #3 | Testimonial Slider | 34 | 448 | 262 | 3k+ | Unsafe printing function | ||
| #4 | Events Manager and WPML Compatibility | 36 | 101 | 177 | 1k+ | Direct Query |