WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare

Unfinished Prepare

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical weight

Why It Shows Up

The scan found missing, incorrect, quoted, unsupported, or mismatched SQL placeholders around `$wpdb->prepare()` usage.

Why It Matters

Broken preparation can leave dynamic values in the SQL unescaped, which exposes the query to SQL injection, or make the query behave differently than intended.

How to Fix

  • Keep placeholders in the SQL string and pass dynamic values as separate arguments.
  • Use the placeholder that matches the value type.
  • Do not quote placeholders manually, and use allowlists for identifiers or SQL fragments.
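
The three fixes above applied to one query, as an added example (not code from Plugin Check or from any listed plugin). The table `myplugin_events`, its columns and both function names are hypothetical, and the `%i` identifier placeholder assumes the plugin requires WordPress 6.2 or later.

```php
<?php
// Added example. Hypothetical names: table {prefix}myplugin_events, its columns,
// and both function names. %i assumes the plugin requires WordPress 6.2+.

// Flagged: the placeholder is quoted by hand, $min_id is interpolated instead
// of passed as an argument, and $order_by puts a raw identifier into the SQL.
function myplugin_events_flagged( $status, $min_id, $order_by ) {
	global $wpdb;
	return $wpdb->get_results(
		$wpdb->prepare(
			"SELECT id, title FROM {$wpdb->prefix}myplugin_events
			 WHERE status = '%s' AND id > $min_id ORDER BY $order_by",
			$status
		)
	);
}

// Fixed: every dynamic value has an unquoted placeholder of the matching type
// and is passed separately; the identifier is checked against an allowlist.
function myplugin_events_fixed( $status, $min_id, $search, $order_by ) {
	global $wpdb;

	$allowed_columns = array( 'id', 'title', 'created_at' );
	if ( ! in_array( $order_by, $allowed_columns, true ) ) {
		$order_by = 'id'; // Fall back to a known column.
	}

	// LIKE wildcards go into the argument, never into the SQL string, so the
	// literal % signs cannot be mistaken for placeholders.
	$like = '%' . $wpdb->esc_like( $search ) . '%';

	return $wpdb->get_results(
		$wpdb->prepare(
			"SELECT id, title FROM {$wpdb->prefix}myplugin_events
			 WHERE status = %s AND id > %d AND title LIKE %s
			 ORDER BY %i",
			$status,
			(int) $min_id,
			$like,
			$order_by
		)
	);
}
```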

Affected Plugins

Rank | Plugin | Score/Errors/Warnings/Installs/Added/Updated | Top Issue
#351 | News Manager | 3613457600 | Output is not escaped
#352 | Post Views Stats Counter | 36142241700 | Non-prefixed global variable
#353 | افزونه رسمی ترب | 36428620k+ | Exception output is not escaped
#354 | Better Find and Replace – AI-Powered Suggestions | 366712940k+ | Missing direct file access protection
#355 | SMTP for SendGrid – YaySMTP | 3627961k+ | Non-prefixed global variable
#356 | Bulk Product Editor plugin allows you to create and edit your WooCommerce products and categories with Google Sheets. | 3650105400 | Direct Query
#357 | Zoho ZeptoMail | 36321105k+ | Request data is not unslashed
#358 | WP Coder – Insert & Manage Code Snippets | 365328010k+ | Nonce verification recommended
#359 | WP Super Edit | 36351852k+ | Nonce verification recommended
#360 | YayExtra – WooCommerce Extra Product Options | 36114721k+ | Non-prefixed global variable
#361 | CookieAdmin – Cookie Consent Banner | 374386400k+ | Nonce verification recommended
#362 | HandL UTM Grabber / Tracker | 372714110k+ | Missing nonce verification
#363 | Media Sweep – WordPress Media Cleaner | 37561371k+ | Interpolated SQL is not prepared
#364 | Oliver POS – WooCommerce POS for iPhone, iPad & Android | 3715242800 | Interpolated SQL is not prepared
#365 | Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales | 3759642k+ | SQL query is not prepared
#366 | Quentn WP | 374251500 | Nonce verification recommended
#367 | rapidmail: Newsletter & E-Mail Marketing for WooCommerce | 377947400 | Text Domain Mismatch
#368 | ValidateCertify Free | 37123971k+ | Text Domain Mismatch
#369 | Alphabetic Pagination | 38144117500 | Unsafe printing function
#370 | CRUDLab Disable Comments | 382054700 | Missing nonce verification
#371 | Decent Comments | 3893282k+ | Output is not escaped
#372 | Product Badge, Label, Countdown Timer for WooCommerce – Sale Booster | 3837985k+ | Interpolated SQL is not prepared
#373 | Greek Multi Tool – Greeklish Slugs, Permalinks & Transliteration | 38160821k+ | Unsafe printing function
#374 | ThumbPress – Compress Images, Manage Thumbnails, Detect Image Issues, WebP/AVIF, Lazy Loading, Hotlinking & More | 38218830k+ | Direct Query
#375 | LWS Cleaner | 388112920k+ | Direct Query
#376 | MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites | 383136700k+ | Non-prefixed hook name
#377 | Restrict Widgets | 38135404k+ | Non Singular String Literal Domain
#378 | Accessibility Tools & Alt Text Finder | 3836563k+ | Text Domain Mismatch
#379 | Vertical News Scroller | 38118605k+ | Output is not escaped
#380 | VidShop – Shoppable Videos for WooCommerce | 38491441k+ | Database parameter is not escaped
#381 | ZeroBounce Email Verification & Validation | 382991621k+ | Text Domain Mismatch
#382 | Ad Invalid Click Protector (AICP) | 39785710k+ | Text Domain Mismatch
#383 | Better Random Redirect | 398840700 | Text Domain Mismatch
#384 | Better User Search | 392444700 | SQL query is not prepared
#385 | Content Visibility for Divi Builder | 39184592k+ | Non Singular String Literal Domain
#386 | DefendWP Firewall | 39162033k+ | Non-prefixed global variable
#387 | Duplicate Killer – Prevent Duplicate Form Submissions | 39571031k+ | Non-prefixed global variable
#388 | Markup by Attribute for WooCommerce | 39461022k+ | Direct Query
#389 | Wallet for WooCommerce | 393652420k+ | Non-prefixed hook name
#390 | WPEPP – Essential Security, Password Protect & Login Page Customizer | 3934293k+ | Unsupported Identifier Placeholder
#391 | Zotpress | 39804032k+ | Non-prefixed global variable
#392 | Alt Magic: AI Image Alt Text Generator for WP & Image Rename | 40551181k+ | Direct Query
#393 | Broken Link Notifier | 40111931k+ | Non-prefixed global variable
#394 | Bulk Delete Comments | 4016615k+ | Direct Query
#395 | Auto Focus Keyword for SEO | 4112382k+ | Input is not validated
#396 | Smart Post – Post Grid, Post Carousel, Post Slider Gutenberg Blocks for Blog & News | 4153720k+ | Non-prefixed global variable
#397 | StifLi Flex MCP – MCP Server with undo for ChatGPT, Claude & Gemini | 4121111k+ | Interpolated SQL is not prepared
#398 | Geo Blocker – Control Site Access by Region and IP | 421064800 | Direct Query
#399 | Transients Manager | 42455020k+ | Output is not escaped
#400 | Qodax Checkout Manager – Checkout Field Editor for WooCommerce | 431727400 | Interpolated SQL is not prepared