Remediation Steps

Follow the steps below to remediate this finding on WordPress.

  1. Use $wpdb->prepare() for all custom MySQL queries, so that user-supplied values are bound through placeholders (%s, %d, %f) rather than concatenated into the SQL string:

        // %s binds $username as a properly escaped, quoted string
        $results = $wpdb->get_results(
            $wpdb->prepare( 'SELECT * FROM wp_users WHERE user_login = %s', $username )
        );
  2. Ensure the WordPress database user only has the minimum required privileges.

  3. Review plugins for raw SQL usage — replace with $wpdb->prepare() equivalents.
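
The following added example (not code from the original page or from WordPress itself) shows, for steps 1 and 3, what a raw query in a plugin typically looks like next to its $wpdb->prepare() equivalent, including the LIKE case where the wildcard characters must be escaped with $wpdb->esc_like() before binding. The function names are hypothetical; the code assumes it runs inside a loaded WordPress install where the global $wpdb object exists.

```php
<?php
// Added example, not from the original page. Hypothetical plugin helpers
// assuming the global WordPress $wpdb object is available.

// Unsafe pattern to look for during plugin review: user-controlled input
// interpolated directly into the SQL string.
function example_find_user_unsafe( $username ) {
    global $wpdb;
    $sql = "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = '$username'";
    return $wpdb->get_row( $sql ); // a quote character in $username alters the query
}

// Hardened equivalent: same lookup, value bound through a %s placeholder.
// Table names come from $wpdb properties ($wpdb->users, $wpdb->posts) rather
// than a hard-coded "wp_" prefix, which is not guaranteed on every install.
function example_find_user_safe( $username ) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = %s",
            $username
        )
    );
}

// Hardened LIKE search: prepare() quotes the value, but it does not neutralise
// the LIKE wildcards % and _, so escape them first with $wpdb->esc_like().
function example_search_posts_safe( $term, $limit = 10 ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_title LIKE %s AND post_status = 'publish'
             LIMIT %d",
            $like,
            (int) $limit   // %d binds an integer, so LIMIT cannot be tampered with
        )
    );
}
```

When reviewing a plugin, any call to $wpdb->query(), get_results(), get_row(), get_var() or get_col() whose SQL string contains a PHP variable but no surrounding $wpdb->prepare() matches the unsafe pattern above and should be rewritten like the safe variants.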