WordPress.DB.PreparedSQL.NotPrepared

SQL query is not prepared

A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.

critical weight

Why It Shows Up

The scan found a SQL string passed to `$wpdb` where variables appear to be interpolated or concatenated directly.

Why It Matters

Unprepared SQL can allow SQL injection when user-controlled values reach the query.

How to Fix

Move dynamic values into placeholders such as `%s`, `%d`, `%f`, or `%i` where supported.
Pass the values as separate arguments to `$wpdb->prepare()`.
For table names, column names, and sort directions, use strict allowlists instead of raw user input.

References

WordPress database access

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Updated	Top Issue
#1	BulletProof Security	0	5,048	4,949	20k+	2026-05-20	Output Not Escaped
#2	JetBackup – Backup, Restore & Migrate	10	1,559	145	100k+	2026-05-03	Exception Not Escaped
#3	wpForo Forum	17	4,033	2,922	20k+	2026-05-31	Unsafe Printing Function
#4	Prime Slider Addons for Elementor	18	3,500	230	100k+	2026-06-15	Text Domain Mismatch
#5	WP Import Export Lite	18	738	979	40k+	2025-08-04	Non Prefixed Variable Found
#6	Element Pack – Widgets, Templates & Addons for Elementor	19	9,448	517	100k+	2026-06-16	Text Domain Mismatch
#7	Download Monitor	19	425	1,364	80k+	2026-06-16	Non Prefixed Hookname Found
#8	Event Organiser	19	1,106	544	20k+	2024-10-10	Text Domain Mismatch
#9	Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution	19	1,218	901	100k+	2026-06-09	Exception Not Escaped
#10	Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)	19	3,275	3,228	10k+	2025-12-05	Output Not Escaped
#11	Matomo Analytics – Powerful, Privacy-First Insights for WordPress	19	1,909	878	100k+	2026-06-16	Exception Not Escaped
#12	Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization	19	1,295	2,679	9k+	2026-06-15	Output Not Escaped
#13	Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)	19	541	385	3m+	2026-06-17	Missing Translators Comment
#14	Membership Plugin – Kadence Memberships	19	5,082	2,982	9k+	2026-05-26	Text Domain Mismatch
#15	BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot	20	508	1,406	30k+	2026-06-18	Non Prefixed Variable Found
#16	Brizy – Page Builder	20	589	720	70k+	2026-06-09	Output Not Escaped
#17	Filter Everything — WordPress & WooCommerce Filters	20	568	730	50k+	2026-06-18	Output Not Escaped
#18	GiveWP – Donation Plugin and Fundraising Platform	20	3,435	3,580	100k+	2026-06-15	Output Not Escaped
#19	Link Library	20	1,941	1,397	10k+	2026-04-26	Unsafe Printing Function
#20	Brevo – Email, SMS, Web Push, Chat, and more.	20	460	646	100k+	2026-04-10	Missing Unslash
#21	Microthemer Lite – Visual Editor to Customize CSS	20	1,004	1,699	10k+	2026-04-15	Non Prefixed Variable Found
#22	Nimble Page Builder	20	1,591	1,684	30k+	2025-03-24	Missing Arg Domain
#23	Robin Image Optimizer – Unlimited Image Optimization, WebP & AVIF	20	557	541	100k+	2026-05-19	Output Not Escaped
#24	Razorpay for WooCommerce	20	974	855	100k+	2026-06-19	Non Prefixed Function Found
#25	Store Locator WordPress	21	2,372	1,572	10k+	2026-06-03	Text Domain Mismatch
#26	Backup Migration	21	981	1,093	80k+	2026-06-05	Non Prefixed Variable Found
#27	bbPress	21	929	3,672	100k+	2025-07-02	Non Prefixed Function Found
#28	Cost Calculator Builder	21	322	765	30k+	2026-06-19	Non Prefixed Variable Found
#29	Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More	21	2,572	1,277	1m+	2026-05-22	Output Not Escaped
#30	Feeds for YouTube (YouTube video, channel, and gallery plugin)	21	558	978	100k+	2026-06-10	Output Not Escaped
#31	Imagify: Optimize Images for Top Speed (Compress & Convert to WebP/AVIF)	21	418	851	1m+	2026-06-01	Non Prefixed Variable Found
#32	Modular DS: Monitor, update, and backup multiple websites	21	161	81	40k+	2026-05-22	Exception Not Escaped
#33	MotoPress Hotel Booking	21	3,061	1,037	10k+	2026-06-15	Text Domain Mismatch
#34	Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred	21	1,469	3,333	10k+	2026-06-18	Non Prefixed Variable Found
#35	Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages	21	1,173	2,983	9k+	2026-06-02	Non Prefixed Variable Found
#36	Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction	21	1,918	5,065	10k+	2026-06-02	Non Prefixed Hookname Found
#37	User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor	21	696	1,483	50k+	2026-06-10	Recommended
#38	Five Star Restaurant Reservations – WordPress Booking Plugin	21	1,099	1,147	10k+	2026-06-19	Output Not Escaped
#39	Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic	21	327	181	10k+	2024-11-05	Output Not Escaped
#40	ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin	21	190	660	30k+	2026-05-27	Non Prefixed Variable Found
#41	WCFM – Frontend Manager for WooCommerce	21	4,721	5,067	20k+	2026-04-25	Non Prefixed Variable Found
#42	WebP Express	21	160	427	300k+	2026-06-19	Non Prefixed Variable Found
#43	Wordfence Security – Firewall, Malware Scan, and Login Security	21	1,592	2,973	5m+	2026-05-13	Output Not Escaped
#44	WP phpMyAdmin	21	4,528	6,435	50k+	2025-10-17	Missing Arg Domain
#45	wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin	21	1,354	1,140	70k+	2026-06-08	Output Not Escaped
#46	WPScan – WordPress Security Scanner	21	527	265	8k+	2026-01-12	Text Domain Mismatch
#47	Frontend Admin by DynamiApps	22	5,922	3,208	10k+	2026-06-17	Text Domain Mismatch
#48	Advanced Ads – Ad Manager & AdSense	22	578	734	100k+	2026-06-08	Non Prefixed Variable Found
#49	Advanced Form Integration — Connect Forms to 200+ Apps	22	5,771	4,678	10k+	2026-06-18	wp function not compatible with requires wp
#50	All-in-One Video Gallery	22	911	2,892	20k+	2026-05-11	Non Prefixed Variable Found