WordPress.DB.PreparedSQLPlaceholders.QuotedSimplePlaceholder
Quoted Simple Placeholder
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Why It Shows Up
The scan found missing, incorrect, quoted, unsupported, or mismatched SQL placeholders around `$wpdb->prepare()` usage.
Why It Matters
Broken preparation can leave dynamic SQL values unsafe or make queries behave differently than intended.
How to Fix
- Keep placeholders in the SQL string and pass dynamic values as separate arguments.
- Use the placeholder that matches the value type.
- Do not quote placeholders manually, and use allowlists for identifiers or SQL fragments.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #201 | Calculator Builder – Create an Online Calculator | 39 | 16 | 221 | 1k+ | Non-prefixed global variable | ||
| #202 | Image CAPTCHA for Contact Form 7 and WPForms by HookAndHook (DSGVO/GDPR) | 39 | 28 | 45 | 80k+ | Missing nonce verification | ||
| #203 | WP Most Popular | 39 | 50 | 35 | 2k+ | Output is not escaped | ||
| #204 | Random Banner | 40 | 59 | 125 | 1k+ | Output is not escaped | ||
| #205 | Zippy | 40 | 43 | 31 | 9k+ | Output is not escaped | ||
| #206 | OSS Aliyun | 41 | 19 | 40 | 3k+ | Request data is not unslashed | ||
| #207 | Companion Revision Manager – Revision Control | 42 | 18 | 28 | 4k+ | Unsafe printing function | ||
| #208 | Custom Taxonomy Order | 42 | 20 | 56 | 50k+ | Output is not escaped | ||
| #209 | User Role Editor | 43 | 117 | 145 | 700k+ | Output is not escaped | ||
| #210 | Tabby Checkout | 47 | 33 | 46 | 4k+ | Non-prefixed class | ||
| #211 | Secondary Product Image for WooCommerce | 49 | 25 | 29 | 2k+ | Output is not escaped | ||
| #212 | Multiple Post Thumbnails | 53 | 25 | 18 | 20k+ | Output is not escaped | ||
| #213 | Classic Editor and Classic Widgets | 63 | 18 | 41 | 20k+ | Nonce verification recommended | ||
| #214 | WP REST API Controller | 64 | 8 | 22 | 8k+ | Nonce verification recommended | ||
| #215 | Cognito Forms | 75 | 13 | 4 | 2k+ | wp function not compatible with requires wp | ||
| #216 | Simple Taxonomy Ordering | 75 | 7 | 10 | 20k+ | Direct Query | ||
| #217 | Discounts Per Payment Method on WooCommerce | 80 | 8 | 8 | 1k+ | Missing Translators Comment |
