What exactly is your criticism here? Do you know of some issue with prepare()? The quality of the core WordPress code is quite high. You could argue that the plugin system is a footgun, but it’s kind of an essential element if you want extensibility.
Parameterised queries done properly are sent to the database server specifically as a query with placeholders and values; the values are never evaluated as SQL, so there is no chance for a userland bug/attack to perform SQL injection using them.
What WordPress does is basically glorified printf, substituting values into a string.
If you can’t see how this is a danger, you’re in no position to comment on the quality of the code.
A couple of little snippets to highlight the point I'm trying to make:
> The current system is insecure-by-design. That doesn’t mean it’s always hackable, but it means you have to actively work to make it not attackable. It’s better to switch to a design that’s secure-by-default and make the insecure the exceptional case.
> The best path forward would be to switch to PDO/MySQLi and use real prepared statements and not emulate them in PHP land. That’s the best path forward.
But given that the core WordPress team basically ignore this type of suggestion from PHP core contributors, why would I expect you to believe me about it here?
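To make the distinction in the reply above concrete, here is an added example (not code from the thread, from WordPress or from PHP) in Python against an in-memory SQLite database, standing in for PHP and MySQL. `emulated_prepare` is a hypothetical, deliberately simplified model of a printf-style prepare() done in application code: escape, quote, substitute, and send the finished string. `lookup_real` uses the driver's real parameter binding. The `users` table and the `PAYLOAD` string are constructed for the demo. The second emulation, `backslash_escape`, uses MySQL's quoting convention against SQLite to show what happens when the escaping done in application land does not match the server's rules, which is the failure mode a real prepared statement cannot have:

```python
import sqlite3

# Constructed sample table for the demo; nothing here comes from a real site.
ROWS = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]
PAYLOAD = "x' OR 1=1 --"  # constructed injection string


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def emulated_prepare(template, *args, escape):
    """Hypothetical model of a printf-style prepare() done in application code.

    Strings are run through `escape` and wrapped in single quotes, other values
    are cast to int, and the result is substituted into the SQL text with plain
    printf-style formatting. The server only ever sees the finished string, so
    the whole defence is `escape` matching the server's quoting rules.
    """
    safe = tuple(
        "'" + escape(a) + "'" if isinstance(a, str) else int(a) for a in args
    )
    return template % safe


def sqlite_escape(s):
    # SQLite's rule: a literal single quote inside a string is written as ''.
    return s.replace("'", "''")


def backslash_escape(s):
    # MySQL-style backslash escaping. Wrong for SQLite, which treats '\' as an
    # ordinary character inside a string literal; used to show a mismatch.
    return s.replace("\\", "\\\\").replace("'", "\\'")


def lookup_emulated(conn, login, escape):
    sql = emulated_prepare(
        "SELECT id, login FROM users WHERE login = %s ORDER BY id",
        login,
        escape=escape,
    )
    return conn.execute(sql).fetchall()


def lookup_real(conn, login):
    # Real parameter binding: the statement text with '?' is compiled as-is and
    # the value travels separately, so it stays data whatever it contains.
    sql = "SELECT id, login FROM users WHERE login = ? ORDER BY id"
    return conn.execute(sql, (login,)).fetchall()


def demo():
    conn = make_db()
    return {
        "emulated_correct_rules": lookup_emulated(conn, PAYLOAD, sqlite_escape),
        "emulated_wrong_rules": lookup_emulated(conn, PAYLOAD, backslash_escape),
        "real_prepare": lookup_real(conn, PAYLOAD),
        "real_prepare_honest": lookup_real(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24s} -> {rows}")
```

With the payload `x' OR 1=1 --`, the correctly escaped emulation and the bound parameter both match no rows. The mismatched escaping produces `WHERE login = 'x\' OR 1=1 --'`, which SQLite reads as the string `x\` followed by `OR 1=1` and a trailing comment, and every row comes back. The bound version never builds that string at all, which is the "secure-by-default" property the quoted comment is asking for.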