WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral
Unescaped Literal
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Why It Shows Up
The scan found missing, incorrect, quoted, unsupported, or mismatched SQL placeholders around `$wpdb->prepare()` usage.
Why It Matters
Broken preparation can leave dynamic SQL values unsafe or make queries behave differently than intended.
How to Fix
- Keep placeholders in the SQL string and pass dynamic values as separate arguments.
- Use the placeholder that matches the value type.
- Do not quote placeholders manually; `$wpdb->prepare()` adds the quoting itself. Use allowlists for identifiers and SQL fragments (table or column names, sort direction), since value placeholders cannot bind those.
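The three fixes above side by side, as an added example that is not Plugin Check's or WordPressCS's own code: a query the sniff would flag, then the corrected form. The table, column and function names are hypothetical, and the corrected form assumes WordPress 6.2 or later for the `%i` identifier placeholder.

```php
<?php
// Added example, not Plugin Check's or WordPressCS's own code. Assumes a
// hypothetical custom table "{$wpdb->prefix}myplugin_events" with columns
// id, title, status, progress, created_at, and WordPress 6.2+ for %i.

// Flagged form: the search term is interpolated instead of bound, the LIKE
// wildcards are literal % signs inside the prepare() string (UnescapedLiteral),
// the %s placeholder is hand-quoted, and the ORDER BY column is inserted raw.
function myplugin_search_events_unsafe( $term, $orderby ) {
    global $wpdb;
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}myplugin_events
             WHERE title LIKE '%$term%' AND status = '%s' ORDER BY $orderby",
            'published'
        )
    );
}

// Corrected form: the wildcards are added to the value, not to the SQL, after
// escaping the term with $wpdb->esc_like(); every dynamic value is bound with
// an unquoted placeholder of the matching type; a % that must stay in the SQL
// is written %%; the ORDER BY column passes an allowlist and is bound with %i.
function myplugin_search_events_safe( $term, $orderby, $limit ) {
    global $wpdb;

    $allowed_columns = array( 'id', 'title', 'created_at' );
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'created_at'; // fall back to a known-safe column
    }

    // esc_like() escapes %, _ and \ in the user value so they match literally.
    $like = '%' . $wpdb->esc_like( $term ) . '%';

    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title, CONCAT( progress, '%%' ) AS pct
             FROM {$wpdb->prefix}myplugin_events
             WHERE title LIKE %s AND status = %s
             ORDER BY %i DESC LIMIT %d",
            $like,
            'published',
            $orderby,
            absint( $limit )
        )
    );
}
```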
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1 | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | 22 | 2,361 | 3,384 | 70k+ | | Non Prefixed Variable Found |
| #2 | PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes | 24 | 414 | 573 | 10k+ | | Missing Translators Comment |
| #3 | Appointment Hour Booking – Booking Calendar | 25 | 261 | 1,254 | 10k+ | | Non Prefixed Variable Found |
| #4 | Product Labels For Woocommerce (Sale Badges) | 36 | 90 | 48 | 10k+ | | Output Not Escaped |