WordPress.DB.PreparedSQLPlaceholders.LikeWildcardsInQuery

Like Wildcards In Query

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical weight

Why It Shows Up

The scan found missing, incorrect, quoted, unsupported, or mismatched SQL placeholders around `$wpdb->prepare()` usage.

Why It Matters

Broken preparation can leave dynamic SQL values unsafe or make queries behave differently than intended.

How to Fix

  • Keep placeholders in the SQL string and pass dynamic values as separate arguments.
  • Use the placeholder that matches the value type.
  • Do not quote placeholders manually, and use allowlists for identifiers or SQL fragments.
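
The three fixes above applied to one `LIKE` search, as an added example (not code from Plugin Check or from any plugin listed on this page). It assumes a WordPress runtime with the global `$wpdb`; the function names, parameters and column allowlist are hypothetical, and the "before" form is assumed to be the kind of query this rule reports.

```php
<?php
// Added example. Assumes a WordPress runtime (global $wpdb); the function
// names, parameters and allowlist below are hypothetical.

// Before: wildcards and quotes sit in the SQL string around the placeholders,
// the integer is bound as a quoted string, and the ORDER BY column is
// interpolated straight from the caller.
function myplugin_search_flagged( $term, $author_id, $order_by ) {
	global $wpdb;

	return $wpdb->get_col(
		$wpdb->prepare(
			"SELECT ID FROM {$wpdb->posts}
			 WHERE post_title LIKE '%%%s%%' AND post_author = '%s'
			 ORDER BY $order_by",
			$term,
			$author_id
		)
	);
}

// After: bare, type-matched placeholders; wildcards travel inside the value.
function myplugin_search( $term, $author_id, $order_by = 'post_date' ) {
	global $wpdb;

	// esc_like() escapes %, _ and \ in the caller's term so they match
	// literally; only the wildcards added here act as wildcards.
	$like = '%' . $wpdb->esc_like( $term ) . '%';

	// Identifiers cannot be bound with %s or %d: choose from a fixed allowlist.
	$columns  = array( 'post_date', 'post_title', 'ID' );
	$order_by = in_array( $order_by, $columns, true ) ? $order_by : 'post_date';

	return $wpdb->get_col(
		$wpdb->prepare(
			"SELECT ID FROM {$wpdb->posts}
			 WHERE post_title LIKE %s AND post_author = %d
			 ORDER BY {$order_by}",
			$like,
			(int) $author_id
		)
	);
}
```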

Affected Plugins

| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1 | Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization | 19 | 1,295 | 2,679 | 9k+ | 2026-06-15 | Output Not Escaped |
| #2 | BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot | 20 | 508 | 1,406 | 30k+ | 2026-06-18 | Non Prefixed Variable Found |
| #3 | MotoPress Hotel Booking | 21 | 3,061 | 1,037 | 10k+ | 2026-06-15 | Text Domain Mismatch |
| #4 | Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred | 21 | 1,469 | 3,333 | 10k+ | 2026-06-18 | Non Prefixed Variable Found |
| #5 | User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor | 21 | 696 | 1,483 | 50k+ | 2026-06-10 | Recommended |
| #6 | PublishPress Planner – Editorial Calendar, Marketing Content, Kanban Board | 21 | 603 | 890 | 6k+ | 2026-05-21 | Output Not Escaped |
| #7 | Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots | 22 | 1,604 | 2,019 | 10k+ | 2026-06-10 | Direct Query |
| #8 | GeoDirectory – WP Business Directory Plugin and Classified Listings Directory | 22 | 4,462 | 3,972 | 10k+ | 2026-06-10 | Output Not Escaped |
| #9 | Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms | 22 | 1,037 | 722 | 20k+ | 2026-05-27 | Unsafe Printing Function |
| #10 | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | 22 | 2,361 | 3,384 | 70k+ | 2026-06-17 | Non Prefixed Variable Found |
| #11 | Molongui Authorship – Author Boxes, Guest Authors & Co-Authors for WordPress | 22 | 919 | 1,230 | 10k+ | 2026-02-16 | Output Not Escaped |
| #12 | Product Catalog Feed by PixelYourSite | 22 | 581 | 357 | 8k+ | 2023-10-15 | Output Not Escaped |
| #13 | Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin | 22 | 530 | 2,334 | 40k+ | 2026-06-16 | Direct Query |
| #14 | Welcart e-Commerce | 22 | 10,377 | 10,896 | 10k+ | 2026-06-03 | Text Domain Mismatch |
| #15 | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | 23 | 4,746 | 1,279 | 30k+ | 2026-06-10 | Non Singular String Literal Domain |
| #16 | FV Flowplayer Video Player | 23 | 1,311 | 1,454 | 20k+ | 2026-06-02 | Output Not Escaped |
| #17 | GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress | 23 | 3,662 | 2,971 | 10k+ | 2026-06-16 | Output Not Escaped |
| #18 | IP Geo Block | 23 | 399 | 589 | 9k+ | 2019-01-22 | Output Not Escaped |
| #19 | King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder | 23 | 1,837 | 3,878 | 10k+ | 2026-05-23 | Non Prefixed Variable Found |
| #20 | Photo Gallery by 10Web – Mobile-Friendly Image Gallery | 23 | 4,159 | 1,553 | 100k+ | 2026-05-29 | Output Not Escaped |
| #21 | SecuPress with Simple SSL – Simple and Performant Security | 23 | 1,696 | 1,590 | 40k+ | 2026-04-03 | Non Prefixed Variable Found |
| #22 | UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP | 23 | 695 | 2,434 | 20k+ | 2026-06-12 | Non Prefixed Hookname Found |
| #23 | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce | 23 | 1,125 | 2,153 | 20k+ | 2026-05-22 | missing direct file access protection |
| #24 | WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress | 23 | 4,376 | 890 | 20k+ | 2026-05-05 | Output Not Escaped |
| #25 | Calculated Fields Form | 24 | 243 | 525 | 40k+ | 2026-06-16 | Non Prefixed Variable Found |
| #26 | Custom Twitter Feeds – A Tweets Widget or X Feed Widget | 24 | 446 | 922 | 100k+ | 2026-06-10 | Output Not Escaped |
| #27 | Featured Image from URL (FIFU) | 24 | 1,654 | 418 | 70k+ | 2026-02-02 | Non Singular String Literal Domain |
| #28 | FluentCart A New Era of eCommerce – Faster, Lighter, and Simpler | 24 | 304 | 439 | 7k+ | 2026-06-18 | Non Prefixed Variable Found |
| #29 | ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) | 24 | 118 | 442 | 300k+ | 2026-05-29 | Recommended |
| #30 | PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes | 24 | 414 | 573 | 10k+ | 2026-06-18 | Missing Translators Comment |
| #31 | Spotlight Social Feeds – Block, Shortcode, and Widget | 24 | 411 | 147 | 60k+ | 2026-05-28 | Output Not Escaped |
| #32 | Bulk Edit Products for WooCommerce – WP Sheet Editor | 24 | 941 | 936 | 10k+ | 2026-01-17 | Text Domain Mismatch |
| #33 | WPML Multilingual & Multicurrency for WooCommerce | 24 | 1,453 | 1,618 | 100k+ | 2026-06-09 | Not Prepared |
| #34 | Iptanus File Upload | 24 | 509 | 1,325 | 10k+ | 2025-12-20 | Non Prefixed Function Found |
| #35 | Bulk Edit Posts and Products in Spreadsheet | 24 | 918 | 912 | 9k+ | 2026-01-17 | Text Domain Mismatch |
| #36 | WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce | 24 | 91 | 1,725 | 7k+ | 2026-05-19 | Non Prefixed Hookname Found |
| #37 | All 404 Redirect to Homepage | 25 | 140 | 301 | 200k+ | 2026-04-06 | date date |
| #38 | Appointment Hour Booking – Booking Calendar | 25 | 261 | 1,254 | 10k+ | 2026-06-15 | Non Prefixed Variable Found |
| #39 | ATUM WooCommerce Inventory Management and Stock Tracking | 25 | 2,638 | 1,304 | 10k+ | 2026-05-11 | Non Singular String Literal Domain |
| #40 | Booking Package | 25 | 1,700 | 3,977 | 10k+ | 2026-06-16 | Missing |
| #41 | Contact Form Email | 25 | 409 | 898 | 9k+ | 2026-05-18 | Non Prefixed Variable Found |
| #42 | FunnelKit – Funnel Builder for WooCommerce Checkout | 25 | 3,278 | 2,574 | 30k+ | 2026-05-18 | Text Domain Mismatch |
| #43 | MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) | 25 | 116 | 441 | 2m+ | 2026-05-29 | Recommended |
| #44 | IP Location Block | 25 | 521 | 624 | 10k+ | 2026-03-13 | Output Not Escaped |
| #45 | Limit Login Attempts Security – Login Security, 2FA, Firewall, Brute Force Prevention | 25 | 621 | 602 | 1m+ | 2026-06-16 | Unsafe Printing Function |
| #46 | LWS Optimize – All-in-One Speed Booster & Cache Tools | 25 | 430 | 764 | 20k+ | 2026-06-15 | Non Prefixed Variable Found |
| #47 | Media Cleaner: Clean your WordPress! | 25 | 151 | 391 | 90k+ | 2026-05-30 | Direct Query |
| #48 | Smart Manager – Advanced WooCommerce Bulk Edit & Inventory Management | 25 | 387 | 935 | 10k+ | 2026-06-12 | Not Prepared |
| #49 | WP Google Review Slider | 25 | 1,367 | 2,582 | 30k+ | 2026-06-12 | Non Prefixed Variable Found |
| #50 | Perfect Images: Regenerate Thumbnails, Image Sizes, WebP & AVIF | 25 | 154 | 118 | 60k+ | 2026-05-30 | Non Prefixed Variable Found |