WordPress.DB.PreparedSQLPlaceholders.LikeWithoutWildcards
Like Without Wildcards
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Why It Shows Up
The scan found missing, incorrect, quoted, unsupported, or mismatched SQL placeholders around `$wpdb->prepare()` usage.
Why It Matters
Broken preparation can leave dynamic SQL values unsafe or make queries behave differently than intended.
How to Fix
- Keep placeholders in the SQL string and pass dynamic values as separate arguments.
- Use the placeholder that matches the value type.
- Do not quote placeholders manually, and use allowlists for identifiers or SQL fragments.
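A before-and-after pair, added here as an example (not code from Plugin Check or from any plugin listed below); it assumes a hypothetical `myplugin_items` table and the standard `$wpdb` API:

```php
<?php
// Added example, not code from Plugin Check or from any plugin listed below.
// Assumes a hypothetical table {$wpdb->prefix}myplugin_items with columns
// id, title, status and created_at.

// Shape that the sniff flags: a placeholder wrapped in quotes, a value
// interpolated instead of passed as an argument, a LIKE with no wildcards,
// and an identifier taken straight from input.
function myplugin_find_items_flagged( $term, $status, $orderby ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}myplugin_items
         WHERE title LIKE '%s' AND status = '$status' ORDER BY $orderby",
        $term
    );
    return $wpdb->get_results( $sql );
}

// Corrected form: every placeholder stays unquoted inside the SQL string,
// each dynamic value is passed as an argument with the matching type,
// the LIKE term is escaped with $wpdb->esc_like() and given explicit
// wildcards, and the ORDER BY column is checked against an allowlist.
function myplugin_find_items( $term, $status, $orderby, $limit ) {
    global $wpdb;

    $allowed_orderby = array( 'id', 'title', 'created_at' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'id'; // unknown column: fall back to a fixed default
    }

    // esc_like() escapes %, _ and \ in the user's term; the wildcards that
    // make it a substring match are appended afterwards, outside prepare().
    $like = '%' . $wpdb->esc_like( $term ) . '%';

    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}myplugin_items
         WHERE title LIKE %s AND status = %s
         ORDER BY {$orderby} LIMIT %d",
        $like,        // %s: string
        $status,      // %s: string
        (int) $limit  // %d: integer
    );
    return $wpdb->get_results( $sql );
}
```

The allowlist keeps the interpolated `ORDER BY` column limited to fixed, known column names, which is what lets it stay outside `prepare()` safely.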
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1 | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | 22 | 2,361 | 3,384 | 70k+ | | Non Prefixed Variable Found |
| #2 | Swift Performance Lite | 22 | 2,346 | 1,325 | 7k+ | | Text Domain Mismatch |
| #3 | FV Flowplayer Video Player | 23 | 1,311 | 1,454 | 20k+ | | Output Not Escaped |
| #4 | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce | 23 | 1,125 | 2,153 | 20k+ | | Missing Direct File Access Protection |
| #5 | WP Hotel Booking | 24 | 1,250 | 1,555 | 7k+ | | Non Prefixed Variable Found |
| #6 | FunnelKit – Funnel Builder for WooCommerce Checkout | 25 | 3,278 | 2,574 | 30k+ | | Text Domain Mismatch |
| #7 | TrackShip for WooCommerce | 25 | 433 | 880 | 6k+ | | Non Prefixed Variable Found |
| #8 | Transliterator – Multilingual and Multi-script Text Conversion | 28 | 305 | 320 | 3k+ | | Output Not Escaped |
| #9 | WP GPX Maps | 35 | 27 | 100 | 4k+ | | Non Prefixed Variable Found |
| #10 | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | 48 | 63 | 273 | 100k+ | | Non Prefixed Variable Found |