WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare
Unfinished Prepare
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Why It Shows Up
The scan found `$wpdb->prepare()` calls whose SQL placeholders are missing, incorrect, quoted, unsupported, or mismatched with the arguments supplied.
Why It Matters
When preparation is broken, dynamic values can reach the database unescaped (SQL injection), or the placeholders can be substituted in a way that changes what the query does.
How to Fix
- Keep the placeholders in the SQL string and pass every dynamic value as a separate argument to `$wpdb->prepare()`.
- Use the placeholder that matches the value type.
- Do not wrap placeholders in quotes; for identifiers (table or column names) and other SQL fragments that cannot be bound as values, validate them against an allowlist.
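The following is an added example, not code from Plugin Check or from any plugin listed on this page. It shows the query shapes described above (missing, quoted, mismatched and wrong-type placeholders) next to the prepared form, using a hypothetical custom table `{$wpdb->prefix}events` with columns `user_id`, `status` and `created_at`. The identifier placeholder `%i` requires WordPress 6.2 or later; on older versions keep the allowlist and write the validated column name into the query yourself.

```php
<?php
/**
 * Added example; not code from Plugin Check or from any plugin listed below.
 * Assumes the WordPress $wpdb global and a hypothetical custom table
 * "{$wpdb->prefix}events" with columns user_id, status and created_at.
 */

// BEFORE: each query below is one of the shapes the sniff reports.
function events_unfinished_prepare( $user_id, $status, $order_by ) {
	global $wpdb;

	// Missing placeholder: the value is interpolated into the string, so
	// prepare() has nothing to bind and the value reaches MySQL unescaped.
	$wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}events WHERE user_id = {$user_id}" ) );

	// Quoted placeholder: prepare() quotes %s itself; the manual quotes are redundant.
	$wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}events WHERE status = '%s'", $status ) );

	// Mismatched count: two placeholders, one argument.
	$wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}events WHERE user_id = %d AND status = %s", $user_id ) );

	// Wrong placeholder type for an identifier: %s yields ORDER BY 'created_at',
	// a string literal rather than a column reference.
	$wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}events ORDER BY %s", $order_by ) );
}

// AFTER: placeholders stay in the SQL string and every dynamic value is an argument.
function events_prepared( $user_id, $status, $order_by ) {
	global $wpdb;

	// %d for the integer, %s for the string; prepare() escapes and quotes %s itself.
	$rows = $wpdb->get_results(
		$wpdb->prepare(
			"SELECT * FROM {$wpdb->prefix}events WHERE user_id = %d AND status = %s",
			$user_id,
			$status
		)
	);

	// Identifiers cannot be bound as values. Check the name against an allowlist,
	// then bind it with %i (identifier placeholder, WordPress 6.2+), which
	// backtick-quotes it. %d binds the LIMIT.
	$allowed_columns = array( 'created_at', 'status' );
	$column          = in_array( $order_by, $allowed_columns, true ) ? $order_by : 'created_at';
	$rows            = $wpdb->get_results(
		$wpdb->prepare(
			"SELECT * FROM {$wpdb->prefix}events WHERE user_id = %d ORDER BY %i LIMIT %d",
			$user_id,
			$column,
			50
		)
	);

	// IN ( ... ) with a variable number of values: generate one %s per value so the
	// placeholder count always matches the argument count.
	$statuses     = array( 'open', 'pending' );
	$placeholders = implode( ', ', array_fill( 0, count( $statuses ), '%s' ) );
	$rows         = $wpdb->get_results(
		$wpdb->prepare(
			"SELECT * FROM {$wpdb->prefix}events WHERE status IN ( {$placeholders} )",
			...$statuses
		)
	);

	return $rows;
}
```

The allowlist check is the important part of the identifier case: `%i` only quotes the name, it does not decide whether that column should be sortable at all, so the comparison against a fixed list is what keeps caller-controlled input from selecting arbitrary columns.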
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #351 | News Manager | 36 | 134 | 57 | 600 | Output is not escaped |
| #352 | Post Views Stats Counter | 36 | 142 | 241 | 700 | Non-prefixed global variable |
| #353 | افزونه رسمی ترب | 36 | 42 | 86 | 20k+ | Exception output is not escaped |
| #354 | Better Find and Replace – AI-Powered Suggestions | 36 | 67 | 129 | 40k+ | Missing direct file access protection |
| #355 | SMTP for SendGrid – YaySMTP | 36 | 27 | 96 | 1k+ | Non-prefixed global variable |
| #356 | Bulk Product Editor plugin allows you to create and edit your WooCommerce products and categories with Google Sheets. | 36 | 50 | 105 | 400 | Direct Query |
| #357 | Zoho ZeptoMail | 36 | 32 | 110 | 5k+ | Request data is not unslashed |
| #358 | WP Coder – Insert & Manage Code Snippets | 36 | 53 | 280 | 10k+ | Nonce verification recommended |
| #359 | WP Super Edit | 36 | 35 | 185 | 2k+ | Nonce verification recommended |
| #360 | YayExtra – WooCommerce Extra Product Options | 36 | 11 | 472 | 1k+ | Non-prefixed global variable |
| #361 | CookieAdmin – Cookie Consent Banner | 37 | 43 | 86 | 400k+ | Nonce verification recommended |
| #362 | HandL UTM Grabber / Tracker | 37 | 27 | 141 | 10k+ | Missing nonce verification |
| #363 | Media Sweep – WordPress Media Cleaner | 37 | 56 | 137 | 1k+ | Interpolated SQL is not prepared |
| #364 | Oliver POS – WooCommerce POS for iPhone, iPad & Android | 37 | 15 | 242 | 800 | Interpolated SQL is not prepared |
| #365 | Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales | 37 | 59 | 64 | 2k+ | SQL query is not prepared |
| #366 | Quentn WP | 37 | 4 | 251 | 500 | Nonce verification recommended |
| #367 | rapidmail: Newsletter & E-Mail Marketing for WooCommerce | 37 | 79 | 47 | 400 | Text Domain Mismatch |
| #368 | ValidateCertify Free | 37 | 123 | 97 | 1k+ | Text Domain Mismatch |
| #369 | Alphabetic Pagination | 38 | 144 | 117 | 500 | Unsafe printing function |
| #370 | CRUDLab Disable Comments | 38 | 20 | 54 | 700 | Missing nonce verification |
| #371 | Decent Comments | 38 | 93 | 28 | 2k+ | Output is not escaped |
| #372 | Product Badge, Label, Countdown Timer for WooCommerce – Sale Booster | 38 | 37 | 98 | 5k+ | Interpolated SQL is not prepared |
| #373 | Greek Multi Tool – Greeklish Slugs, Permalinks & Transliteration | 38 | 160 | 82 | 1k+ | Unsafe printing function |
| #374 | ThumbPress – Compress Images, Manage Thumbnails, Detect Image Issues, WebP/AVIF, Lazy Loading, Hotlinking & More | 38 | 21 | 88 | 30k+ | Direct Query |
| #375 | LWS Cleaner | 38 | 81 | 129 | 20k+ | Direct Query |
| #376 | MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites | 38 | 3 | 136 | 700k+ | Non-prefixed hook name |
| #377 | Restrict Widgets | 38 | 135 | 40 | 4k+ | Non Singular String Literal Domain |
| #378 | Accessibility Tools & Alt Text Finder | 38 | 36 | 56 | 3k+ | Text Domain Mismatch |
| #379 | Vertical News Scroller | 38 | 118 | 60 | 5k+ | Output is not escaped |
| #380 | VidShop – Shoppable Videos for WooCommerce | 38 | 49 | 144 | 1k+ | Database parameter is not escaped |
| #381 | ZeroBounce Email Verification & Validation | 38 | 299 | 162 | 1k+ | Text Domain Mismatch |
| #382 | Ad Invalid Click Protector (AICP) | 39 | 78 | 57 | 10k+ | Text Domain Mismatch |
| #383 | Better Random Redirect | 39 | 88 | 40 | 700 | Text Domain Mismatch |
| #384 | Better User Search | 39 | 24 | 44 | 700 | SQL query is not prepared |
| #385 | Content Visibility for Divi Builder | 39 | 184 | 59 | 2k+ | Non Singular String Literal Domain |
| #386 | DefendWP Firewall | 39 | 16 | 203 | 3k+ | Non-prefixed global variable |
| #387 | Duplicate Killer – Prevent Duplicate Form Submissions | 39 | 57 | 103 | 1k+ | Non-prefixed global variable |
| #388 | Markup by Attribute for WooCommerce | 39 | 46 | 102 | 2k+ | Direct Query |
| #389 | Wallet for WooCommerce | 39 | 36 | 524 | 20k+ | Non-prefixed hook name |
| #390 | WPEPP – Essential Security, Password Protect & Login Page Customizer | 39 | 34 | 29 | 3k+ | Unsupported Identifier Placeholder |
| #391 | Zotpress | 39 | 80 | 403 | 2k+ | Non-prefixed global variable |
| #392 | Alt Magic: AI Image Alt Text Generator for WP & Image Rename | 40 | 55 | 118 | 1k+ | Direct Query |
| #393 | Broken Link Notifier | 40 | 11 | 193 | 1k+ | Non-prefixed global variable |
| #394 | Bulk Delete Comments | 40 | 16 | 61 | 5k+ | Direct Query |
| #395 | Auto Focus Keyword for SEO | 41 | 12 | 38 | 2k+ | Input is not validated |
| #396 | Smart Post – Post Grid, Post Carousel, Post Slider Gutenberg Blocks for Blog & News | 41 | 537 | | 20k+ | Non-prefixed global variable |
| #397 | StifLi Flex MCP – MCP Server with undo for ChatGPT, Claude & Gemini | 41 | 2 | 111 | 1k+ | Interpolated SQL is not prepared |
| #398 | Geo Blocker – Control Site Access by Region and IP | 42 | 10 | 64 | 800 | Direct Query |
| #399 | Transients Manager | 42 | 45 | 50 | 20k+ | Output is not escaped |
| #400 | Qodax Checkout Manager – Checkout Field Editor for WooCommerce | 43 | 17 | 27 | 400 | Interpolated SQL is not prepared |