This warning occurs when somebody is using the
$wpdb->prepare function incorrectly. It's a bad warning to have too, because it indicates a usage of prepare() in a way that can be a security risk.
Fixing it depends on the specific problem.
Here's an example line of code that I took from a plugin that was doing-it-wrong:
$wpdb->query( $wpdb->prepare( "UPDATE $wpdb->comments SET comment_parent=$parentID WHERE comment_ID=$commentID;" ) );
The basic problem is that they're using the prepare statement incorrectly by including the variables of $parentID and $commentID directly in the SQL statement. They should be using placeholders, and then including the variables later.
This code is dangerous, because it leads to the possibility of what is called an "SQL Injection Exploit". Which is shorthand for a specific way to hack your site.
Here's the fixed code:
$wpdb->query( $wpdb->prepare( "UPDATE $wpdb->comments SET comment_parent=%d WHERE comment_ID=%d;", $parentID, $commentID ) );
Basically, since both of these are supposed to be integers, I replaced the variables in the statement with
%d and then put the variables are the end of the prepare() statement. This is how prepare is supposed to be used. If they were strings, I would have used %s instead.
So if you want to fix the issue, you need to find the line of code with the problem, and correct it. This eliminates the exploit. And the warning message.