WordPress.DB.PreparedSQLPlaceholders.QuotedDynamicPlaceholderGeneration
Quoted Dynamic Placeholder Generation
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Why It Shows Up
The sniff fires when a placeholder list is generated at runtime (for example with `implode()`, `array_fill()` or `str_repeat()`) and the generated placeholder is wrapped in quotes, such as `"'%s'"`. Plugin Check reports it alongside the related `PreparedSQLPlaceholders` findings: missing, incorrect, unsupported, or mismatched SQL placeholders around `$wpdb->prepare()` usage.
Why It Matters
`$wpdb->prepare()` quotes and escapes `%s` values itself, so a quoted placeholder relies on WordPress stripping the extra quotes, and when the placeholder string is built at runtime the checker cannot confirm that each value is bound to a placeholder of the right type. Broken preparation can leave dynamic SQL values unsafe or make queries behave differently than intended.
How to Fix
- Keep placeholders in the SQL string and pass dynamic values as separate arguments to `$wpdb->prepare()`; never interpolate the values themselves.
- Use the placeholder that matches the value type (`%d` for integers, `%f` for floats, `%s` for strings).
- Do not quote placeholders manually, including placeholders generated with `implode()` or `array_fill()`; `prepare()` adds the quoting. Table and column names and other SQL fragments cannot be prepared, so constrain them with an allowlist before interpolating them.
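The pattern the sniff flags and the corrected form, as an added example that is not code from the original page or from any of the plugins listed below. It assumes a hypothetical custom table `{$wpdb->prefix}example_orders` with columns `id`, `status`, `total` and `created_at`; the function names are likewise invented for illustration.

```php
<?php
/**
 * Added example, not from the page or any listed plugin.
 * Assumes a hypothetical table {$wpdb->prefix}example_orders
 * with columns id, status, total, created_at.
 */

// BEFORE: what QuotedDynamicPlaceholderGeneration reports. The placeholder
// list is generated at runtime AND each placeholder is wrapped in quotes,
// so the SQL becomes "... IN ('%s','%s')". prepare() already quotes %s
// values, so the quotes are redundant and the sniff cannot verify the query.
function example_orders_by_status_flagged( array $statuses ) {
	global $wpdb;
	$placeholders = implode( ',', array_fill( 0, count( $statuses ), "'%s'" ) );
	$sql          = "SELECT id, total FROM {$wpdb->prefix}example_orders WHERE status IN ($placeholders)";
	return $wpdb->get_results( $wpdb->prepare( $sql, $statuses ) );
}

// AFTER: unquoted placeholders, one per value, typed to the data; identifiers
// and SQL fragments come from an allowlist because they cannot be prepared.
function example_orders_by_status( array $statuses, $order_by = 'created_at', $direction = 'DESC' ) {
	global $wpdb;

	// An empty list would produce "IN ()", which is a SQL syntax error.
	if ( empty( $statuses ) ) {
		return array();
	}

	// Allowlist the column name and sort direction before interpolating them.
	$allowed_columns = array( 'id', 'total', 'created_at' );
	if ( ! in_array( $order_by, $allowed_columns, true ) ) {
		$order_by = 'created_at';
	}
	$direction = ( 'ASC' === strtoupper( $direction ) ) ? 'ASC' : 'DESC';

	// One unquoted %s per value; prepare() supplies quoting and escaping.
	$placeholders = implode( ', ', array_fill( 0, count( $statuses ), '%s' ) );

	$sql = "SELECT id, total FROM {$wpdb->prefix}example_orders
	        WHERE status IN ($placeholders)
	        ORDER BY $order_by $direction";

	// Values are passed as the argument array, never concatenated into $sql.
	return $wpdb->get_results( $wpdb->prepare( $sql, $statuses ) );
}

// Integer lists use %d so each bound value is cast to an integer rather
// than quoted as a string.
function example_orders_by_ids( array $ids ) {
	global $wpdb;

	$ids = array_filter( array_map( 'absint', $ids ) );
	if ( empty( $ids ) ) {
		return array();
	}

	$placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
	$sql          = "SELECT id, status, total FROM {$wpdb->prefix}example_orders WHERE id IN ($placeholders)";

	return $wpdb->get_results( $wpdb->prepare( $sql, array_values( $ids ) ) );
}
```

The only runtime-built piece of SQL in the corrected functions is the placeholder list itself, which contains no user data; every value still reaches the query through `prepare()`, and the column and direction fragments are replaced with a known-good default if they are not on the allowlist.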
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #1 | WP Import Export Lite | 18 | 738 | 979 | 40k+ | Non Prefixed Variable Found |
| #2 | MotoPress Hotel Booking | 21 | 3,061 | 1,037 | 10k+ | Text Domain Mismatch |
| #3 | E2Pdf – Export Pdf Tool for WordPress | 22 | 1,075 | 836 | 10k+ | Unsafe Printing Function |
| #4 | Advanced AJAX Product Filters | 22 | 2,683 | 1,205 | 50k+ | Text Domain Mismatch |
| #5 | GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress | 23 | 3,662 | 2,971 | 10k+ | Output Not Escaped |
| #6 | Restaurant Menu and Food Ordering | 23 | 385 | 853 | 2k+ | Non Prefixed Variable Found |
| #7 | Issues and Series for Newspapers, Magazines, Publishers, Writers | 23 | 346 | 710 | 2k+ | Recommended |
| #8 | Coupon Affiliates – Affiliate Plugin for WooCommerce | 24 | 1,022 | 3,074 | 5k+ | Non Prefixed Variable Found |
| #9 | Yoast SEO – Advanced SEO with real-time guidance and built-in AI | 24 | 159 | 386 | 10m+ | Non Prefixed Variable Found |
| #10 | Enhanced Media Library | 36 | 361 | 117 | 60k+ | Unsafe Printing Function |