WordPress’s WPDB class has a function called “prepare()” which developers should use before running a database query. This prepare() function sanitizes input data to prevent SQL injection.
The keyword here is “input data”: if you pass a query to the prepare() function that doesn’t contain any input data, you are using it incorrectly. In that case you can just execute the query directly.
The Issue
Before WordPress 3.5, passing a query string to the prepare() function without any input data did no harm. Given the potential security risks, however, the developers made it mandatory to pass input data as additional parameters when using the prepare() function. For example, the following line of code would not have caused any issue before WordPress 3.5:
$wpdb->prepare("SELECT * FROM my_fancy_wp_table");
If you are using a theme or plugin that used the prepare function incorrectly (see the above example), then after you upgrade to WordPress 3.5 you will start to see the following warning on your site:
"Warning: Missing argument 2 for wpdb::prepare(), called in /home/...
The Solution
Find where in the code calls of the following type are made:
$wpdb->prepare("SELECT * FROM my_table WHERE key = $key");
Change them to the following (see how the input data is passed as a separate argument into the prepare function):
$wpdb->prepare("SELECT * FROM my_table WHERE key = %d", $key);
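To locate such calls across a theme or plugin, the search can be scripted. The Python scanner below is an added example, not code from the original article or from WordPress; the sample PHP source and the names split_args and scan are constructed for illustration. It is a heuristic that ignores heredocs and PHP comments.

```python
import re

# Constructed sample plugin source (not taken from a real plugin).
SAMPLE_PHP = r'''<?php
$a = $wpdb->prepare("SELECT * FROM my_fancy_wp_table");
$b = $wpdb->prepare("SELECT * FROM my_table WHERE key = $key");
$c = $wpdb->prepare("SELECT * FROM my_table WHERE key = %d", $key);
$d = $wpdb->prepare("SELECT * FROM my_table WHERE note = 'a,b)' AND id = %d", $id);
'''

CALL = re.compile(r'\$wpdb\s*->\s*prepare\s*\(')   # start of a prepare() call
INTERP = re.compile(r'(?<!\\)\$\w|\{\$')           # $var or {$var} in a string

def split_args(src, i):
    """Split the call's top-level arguments; i is the index just after '('."""
    args, cur, depth, quote = [], [], 1, None
    while i < len(src):
        ch = src[i]
        if quote and ch == '\\':          # keep escaped character verbatim
            cur.append(src[i:i + 2])
            i += 2
            continue
        if quote:                         # inside a PHP string literal
            quote = None if ch == quote else quote
        elif ch in '\'"':
            quote = ch
        elif ch in '([':
            depth += 1
        elif ch in ')]':
            depth -= 1
            if depth == 0:                # closing paren of prepare()
                return [a for a in args + [''.join(cur).strip()] if a]
        elif ch == ',' and depth == 1:    # separator between arguments
            args.append(''.join(cur).strip())
            cur, ch = [], ''
        cur.append(ch)
        i += 1
    return None                           # unbalanced call, nothing to report

def scan(src):
    findings = []
    for m in CALL.finditer(src):
        args = split_args(src, m.end()) or []
        line = src.count('\n', 0, m.start()) + 1
        if len(args) == 1:                # triggers the 3.5 warning
            findings.append((line, 'single-argument prepare()'))
        if args and args[0].startswith('"') and INTERP.search(args[0]):
            findings.append((line, 'variable interpolated into query'))
    return findings
```

Calling scan() on the contents of each .php file in a theme or plugin returns (line, reason) pairs; every hit still needs a manual look before it is rewritten with placeholders.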
If you are a developer yourself, then check the following WPDB codex reference, learn how to use the prepare function correctly, and update your theme or plugin:
If you are not a developer, then you should contact the developer of the theme or plugin and ask them to correct their code.