WordPress.DB.PreparedSQLPlaceholders.UnescapedLiteral
Unescaped Literal
A SQL query is built in a way that Plugin Check cannot verify as safely prepared.
Why It Shows Up
The scan found missing, incorrect, quoted, unsupported, or mismatched SQL placeholders around `$wpdb->prepare()` usage.
Why It Matters
Broken preparation can leave dynamic SQL values unescaped, which is the classic route to SQL injection, or make queries behave differently than intended (for example, a hand-quoted `'%s'` placeholder produces a double-quoted value that never matches).
How to Fix
- Keep placeholders in the SQL string and pass dynamic values as separate arguments.
- Use the placeholder that matches the value type.
- Do not quote placeholders manually, and use allowlists for identifiers or SQL fragments.
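The patterns below are an added example for this sniff, not code from Plugin Check or from any listed plugin. They assume a WordPress environment with the global `$wpdb` and a hypothetical table `{$wpdb->prefix}example_items` with columns `id`, `title`, `slug`, `status` and `created_at`; the request parameters are likewise assumed. Each flagged form is shown commented out next to the form that passes the check.

```php
<?php
// Added example (not from the original page). Assumes WordPress' global $wpdb and a
// hypothetical table {$wpdb->prefix}example_items.
global $wpdb;
$table = $wpdb->prefix . 'example_items';

// Flagged: placeholder quoted by hand. prepare() adds its own quoting, so the value
// is double-quoted and the sniff reports a quoted placeholder.
// $sql = $wpdb->prepare( "SELECT id FROM {$table} WHERE slug = '%s'", $slug );

// Flagged: variable interpolated directly, so there is no placeholder to verify.
// $sql = "SELECT id FROM {$table} WHERE id = {$id}";

// Flagged: placeholder count does not match the argument count.
// $sql = $wpdb->prepare( "SELECT id FROM {$table} WHERE id = %d AND slug = %s", $id );

// Corrected: one unquoted placeholder per dynamic value, typed to match the value.
$id   = absint( $_GET['id'] ?? 0 );
$slug = sanitize_title( $_GET['slug'] ?? '' );
$rows = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE id = %d OR slug = %s",
        $id,
        $slug
    )
);

// Identifiers and SQL fragments (column names, sort direction) cannot go through %s,
// so validate them against an allowlist before interpolating them into the string.
$allowed_orderby = array( 'id', 'title', 'created_at' );
$requested       = sanitize_key( $_GET['orderby'] ?? '' );
$orderby         = in_array( $requested, $allowed_orderby, true ) ? $requested : 'id';
$order           = ( 'desc' === strtolower( $_GET['order'] ?? '' ) ) ? 'DESC' : 'ASC';
$limit           = max( 1, min( 100, absint( $_GET['limit'] ?? 20 ) ) );

$rows = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE status = %s ORDER BY {$orderby} {$order} LIMIT %d",
        'publish',
        $limit
    )
);

// LIKE patterns: the wildcard characters belong in the argument, escaped with
// $wpdb->esc_like(), never in the SQL string next to the placeholder.
$term = sanitize_text_field( $_GET['q'] ?? '' );
$rows = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE title LIKE %s",
        '%' . $wpdb->esc_like( $term ) . '%'
    )
);
```

The allowlist is the portable approach for identifiers; on WordPress 6.2 and later the `%i` placeholder can quote an identifier inside `prepare()` as well, but values such as `ORDER BY` direction or `LIMIT` arithmetic still need the explicit validation shown above.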
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1 | SendPress Newsletters | 19 | 2,293 | 1,422 | 2k+ | | Output is not escaped |
| #2 | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | 22 | 2,361 | 3,384 | 70k+ | | Non-prefixed global variable |
| #3 | Fix Alt Text | 24 | 544 | 346 | 1k+ | | Non Singular String Literal Domain |
| #4 | PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes | 24 | 414 | 573 | 10k+ | | Missing Translators Comment |
| #5 | Appointment Hour Booking – Booking Calendar | 25 | 261 | 1,254 | 10k+ | | Non-prefixed global variable |
| #6 | Product Labels For Woocommerce (Sale Badges) | 36 | 90 | 48 | 10k+ | | Output is not escaped |