Please make sure you properly prepare your data for $wpdb

This is one of my WordPress theme soft reject reasons:

Please make sure you properly prepare your data for $wpdb.
Please also read

I searched all files in my theme folder for the keyword “wpdb” and there’s only one place that uses the global $wpdb variable, and it’s already prepared like this:

    global $wpdb;
    $query = $wpdb->prepare(
        "SELECT po.*, count(*) as number_enrolled
         FROM {$wpdb->prefix}learnpress_user_items ui
         INNER JOIN {$wpdb->posts} po ON po.ID = ui.item_id
         WHERE ui.item_type = %s
         AND ( ui.status = %s OR ui.status = %s )
         AND po.post_status = %s
         GROUP BY ui.item_id
         ORDER BY ui.item_id DESC
         LIMIT %d
        ",
        LP_COURSE_CPT,
        'enrolled',
        'finished',
        'publish',
        (int) $this->instance['limit']
    );
    $posts = $wpdb->get_results( $query );

Can anyone help me explain this bug?

Does anyone understand this bug? Any idea?
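
An added example, not part of the original post and not WordPress or reviewer tooling: a heuristic Python audit that goes one step beyond a keyword search for "wpdb" by checking whether each SQL-executing `$wpdb` call receives a query built with `$wpdb->prepare()`. The PHP sample is constructed, `audit` and `first_argument` are hypothetical helper names, and a "review" verdict marks a call to inspect by hand rather than a confirmed flaw.

```python
import re

# $wpdb methods that execute the SQL given as their first argument.
CALL = re.compile(r"\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\(")
# $wpdb's own properties (prefix, table names) are not request data.
OWN_PROPS = re.compile(r"\{?\$wpdb->\w+\}?")
# PHP string literals (with escapes) and the punctuation that ends an argument.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[(),]')

def first_argument(src, start):
    """Return the first argument of a call; start is the index just past '('."""
    depth = 0
    for t in TOKEN.finditer(src, start):
        if t.group() == "(":
            depth += 1
        elif depth == 0 and t.group() in (")", ","):
            return src[start:t.start()].strip()
        elif t.group() == ")":
            depth -= 1
    return src[start:].strip()

def audit(src):
    """Return (line, method, verdict) for every SQL-executing $wpdb call."""
    findings = []
    for m in CALL.finditer(src):
        arg = first_argument(src, m.end())
        line = src.count("\n", 0, m.start()) + 1
        if arg.startswith("$wpdb->prepare"):
            verdict = "prepared"
        elif re.fullmatch(r"\$\w+", arg):
            # Bare variable: accept it only when assigned from prepare().
            assigned = re.search(re.escape(arg) + r"\s*=\s*\$wpdb->prepare\s*\(", src)
            verdict = "prepared" if assigned else "review: variable not from prepare()"
        elif "$" in OWN_PROPS.sub("", arg):
            verdict = "review: variable placed directly in SQL"
        else:
            verdict = "static"
        findings.append((line, m.group(1), verdict))
    return findings

# Constructed PHP sample, not taken from the theme discussed above.
SAMPLE = r'''<?php
global $wpdb;
$query = $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE post_status = %s", 'publish' );
$posts = $wpdb->get_results( $query );
$row   = $wpdb->get_row( "SELECT * FROM {$wpdb->posts} WHERE ID = $id" );
$count = $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->posts}" );
$wpdb->query( "DELETE FROM {$wpdb->postmeta} WHERE meta_key = '" . $key . "'" );
'''
```

Calling `audit()` on the text of each PHP file in a theme lists every query call with its line number. The check is textual, so a query string assembled in another file or function still has to be traced manually.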