PluginScore

WordPress.DB.PreparedSQLPlaceholders.UnsupportedPlaceholder

Unsupported Placeholder

A SQL query is built in a way that Plugin Check cannot verify as safely prepared.

critical weight

Why It Shows Up

The scan found missing, incorrect, quoted, unsupported, or mismatched SQL placeholders around `$wpdb->prepare()` usage.

Why It Matters

Broken preparation can leave dynamic SQL values unsafe or make queries behave differently than intended.

How to Fix

  • Keep placeholders in the SQL string and pass dynamic values as separate arguments.
  • Use the placeholder that matches the value type.
  • Do not quote placeholders manually, and use allowlists for identifiers or SQL fragments.

References

WordPress database access

Affected Plugins

RankPluginScoreErrorsWarningsInstallsUpdatedTop Issue
#1Feeds for YouTube (YouTube video, channel, and gallery plugin)21558978100k+Output Not Escaped
#2LearnPress – WordPress LMS Plugin for Create and Sell Online Courses222,3613,38470k+Non Prefixed Variable Found
#3Welcart e-Commerce2210,37710,89610k+Text Domain Mismatch
#4Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder234,7461,27930k+Non Singular String Literal Domain
#5All-In-One Security (AIOS) – Security and Firewall245521,2281m+Non Prefixed Variable Found
#6WP Travel Engine – Tour Booking Plugin – Tour Operator Software242,0105,68820k+Non Prefixed Variable Found
#7Appointment Hour Booking – Booking Calendar252611,25410k+Non Prefixed Variable Found
#8ATUM WooCommerce Inventory Management and Stock Tracking252,6381,30410k+Non Singular String Literal Domain
#9Booking Package251,7003,97710k+Missing
#10Smash Balloon Social Photo Feed – Easy Social Feeds Plugin254491,3001m+Interpolated Not Prepared
#11Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant302642214k+Missing Unslash
#12Two Factor Authentication3510813920k+Output Not Escaped
#13Mollie Forms41145653k+Missing Unslash