WordPress.DB.PreparedSQLPlaceholders.ReplacementsWrongNumber

Replacements Wrong Number

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical weight

Why It Shows Up

The scan found missing, incorrect, quoted, unsupported, or mismatched SQL placeholders around `$wpdb->prepare()` usage.

Why It Matters

Broken preparation can leave dynamic SQL values unsafe or make queries behave differently than intended.

How to Fix

  • Keep placeholders in the SQL string and pass dynamic values as separate arguments.
  • Use the placeholder that matches the value type.
  • Do not quote placeholders manually, and use allowlists for identifiers or SQL fragments.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#201WPVibe – MCP Server for WordPress. Connect Claude, ChatGPT, Gemini & Cursor5219583k+Interpolated SQL is not prepared
#202Booking Calendar54288550k+Mixed line endings
#203ProductFrame – Curated products from affiliate feeds55385400Direct Query
#204License For Envato5812319k+Non-prefixed global variable
#205Academy LMS61185212k+Non-prefixed global variable
#206Contact Form to Chat Apps | Click to Chat to Order – FormyChat63301343k+Direct Query
#207Multilingual Forms for Fluent Forms with WPML6752161k+Text Domain Mismatch
#208WooCommerce Shipping714870k+Direct Query
#209Duplicate Taxonomy Term74952k+Nonce verification recommended
#210Sublium Subscriptions – Subscriptions for WooCommerce – Recurring Payments, Subscription Plans & Installments743522400wp function not compatible with requires wp
#211FlowForms – Conversational Form Builder7517400Nonce verification recommended
#212UTM Event Tracker and Analytics, UTM Grabber76219900Interpolated SQL is not prepared
#213WP AdCenter – Ad Manager & Adsense Ads765711k+Direct Query
#214Bricksable for Bricks Builder8017610k+Post Not In exclude
#215HivePress Reviews905117k+Non-prefixed global variable