WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but it is easier to make them unsafe, they tend to be slower at scale, and they are harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
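
The last two fixes combined, as an added example (not code from Plugin Check or from any listed plugin): a version-gated `dbDelta()` install routine and a prepared, object-cached read. Every `myplugin_*` name and the `myplugin_events` table are hypothetical.

```php
<?php
// Added example; every myplugin_* name and the myplugin_events table are hypothetical.
define( 'MYPLUGIN_DB_VERSION', '1.1' );

// Schema changes stay in the activation/upgrade path. The stored version check
// plus dbDelta() (which diffs against the existing table) make a second run a no-op.
function myplugin_install() {
	global $wpdb;
	if ( get_option( 'myplugin_db_version' ) === MYPLUGIN_DB_VERSION ) {
		return; // Already on the current schema.
	}
	require_once ABSPATH . 'wp-admin/includes/upgrade.php';
	$charset = $wpdb->get_charset_collate();
	dbDelta(
		"CREATE TABLE {$wpdb->prefix}myplugin_events (
			id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
			user_id bigint(20) unsigned NOT NULL,
			status varchar(20) NOT NULL,
			PRIMARY KEY  (id),
			KEY user_status (user_id,status)
		) $charset;"
	);
	update_option( 'myplugin_db_version', MYPLUGIN_DB_VERSION );
}
register_activation_hook( __FILE__, 'myplugin_install' );

// Repeated read: dynamic values only reach SQL through prepare() placeholders,
// and the result is served from the object cache when available.
function myplugin_get_events( $user_id, $status ) {
	global $wpdb;
	$user_id = absint( $user_id );
	$status  = sanitize_key( $status );
	$key     = "events_{$user_id}_{$status}";
	$rows    = wp_cache_get( $key, 'myplugin' );
	if ( false === $rows ) {
		$rows = $wpdb->get_results(
			$wpdb->prepare(
				"SELECT id, status FROM {$wpdb->prefix}myplugin_events WHERE user_id = %d AND status = %s",
				$user_id,
				$status
			)
		);
		wp_cache_set( $key, $rows, 'myplugin', 5 * MINUTE_IN_SECONDS );
	}
	return $rows;
}
```

Any code path that writes to the table should call `wp_cache_delete()` on the matching key so the cached read does not go stale.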
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #1101 | aThemes Starter Sites | 30 | 262 | 195 | 40k+ | Text Domain Mismatch | ||
| #1102 | AutoWP – AI Content Writer & Rewriter | 30 | 548 | 370 | 1k+ | Text Domain Mismatch | ||
| #1103 | Private groups | 30 | 583 | 316 | 1k+ | Unsafe printing function | ||
| #1104 | Buy Me a Coffee – Button and Widget Plugin | 30 | 139 | 140 | 6k+ | Output is not escaped | ||
| #1105 | Sliding Cart for WooCommerce by FunnelKit – Skip Cart & Reach WooCommerce Checkout Faster | 30 | 306 | 434 | 30k+ | Non-prefixed global variable | ||
| #1106 | Contact Form 7 – PayPal & Stripe Add-on | 30 | 385 | 233 | 7k+ | Unsafe printing function | ||
| #1107 | Custom Field Template | 30 | 521 | 618 | 30k+ | Nonce verification recommended | ||
| #1108 | DethemeKit for Elementor | 30 | 335 | 228 | 30k+ | Output is not escaped | ||
| #1109 | Easy Affiliate Links | 30 | 186 | 198 | 7k+ | Missing direct file access protection | ||
| #1110 | Element Invader – Template Kits for Elementor | 30 | 274 | 130 | 3k+ | Output is not escaped | ||
| #1111 | Event post | 30 | 355 | 100 | 1k+ | Output is not escaped | ||
| #1112 | PiWeb Export Customers Users & Guest customer to CSV for WooCommerce | 30 | 173 | 75 | 1k+ | Text Domain Mismatch | ||
| #1113 | Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant | 30 | 264 | 221 | 4k+ | Non Singular String Literal Text | ||
| #1114 | Kargo Takip, Kargo SMS, İlçe Mahalle Sözleşme by Hezarfen | 30 | 70 | 276 | 2k+ | Non-prefixed global variable | ||
| #1115 | Import WooCommerce Suite for Products, Orders, Coupons, Reviews, and Customers \| WP Ultimate CSV Importer | 30 | 80 | 434 | 4k+ | Interpolated SQL is not prepared | ||
| #1116 | Invisible reCaptcha for WordPress | 30 | 90 | 185 | 80k+ | Input is not sanitized | ||
| #1117 | Jetpack Protect | 30 | 657 | 217 | 100k+ | Text Domain Mismatch | ||
| #1118 | Mailrelay | 30 | 318 | 170 | 1k+ | Text Domain Mismatch | ||
| #1119 | Meow Gallery | 30 | 111 | 182 | 10k+ | Direct Query | ||
| #1120 | MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | 30 | 63 | 227 | 600k+ | Non-prefixed global variable | ||
| #1121 | Novelist | 30 | 475 | 158 | 1k+ | Output is not escaped | ||
| #1122 | Operation Demo Importer – Demo Importer For WPoperation Themes | 30 | 245 | 104 | 1k+ | Text Domain Mismatch | ||
| #1123 | PayU CommercePro Plugin | 30 | 95 | 270 | 7k+ | Text Domain Mismatch | ||
| #1124 | Popularis Extra | 30 | 237 | 141 | 7k+ | Output is not escaped | ||
| #1125 | Popup Builder – Create highly converting, mobile friendly marketing popups. | 30 | 26 | 722 | 200k+ | Non-prefixed global variable | ||
| #1126 | Pubjet \| پابجت | 30 | 91 | 172 | 1k+ | Output is not escaped | ||
| #1127 | QA Assistants – Driven by data | 30 | 4 | 867 | 2k+ | Non-prefixed global variable | ||
| #1128 | Real Cookie Banner: GDPR & ePrivacy Cookie Consent | 30 | 9 | 496 | 100k+ | Database parameter is not escaped | ||
| #1129 | Responsive Addons for Elementor – Free Elementor Addons, Kits and Elementor Templates | 30 | 60 | 387 | 3k+ | Non-prefixed global variable | ||
| #1130 | SmartCrawl SEO checker, analyzer & optimizer | 30 | 347 | 1,307 | 20k+ | Non-prefixed global variable | ||
| #1131 | SMTP for Amazon SES – YaySMTP | 30 | 197 | 122 | 3k+ | Exception output is not escaped | ||
| #1132 | Subscriptions for WooCommerce | 30 | 1 | 1,190 | 10k+ | Non-prefixed global variable | ||
| #1133 | Taboola | 30 | 89 | 147 | 1k+ | Output is not escaped | ||
| #1134 | User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress | 30 | 484 | 280 | 3k+ | Text Domain Mismatch | ||
| #1135 | Waitlist Woocommerce ( Back in stock notifier ) | 30 | 272 | 311 | 4k+ | Output is not escaped | ||
| #1136 | Checkout with Cash App on WooCommerce | 30 | 122 | 308 | 2k+ | Non-prefixed global variable | ||
| #1137 | Dropify | 30 | 130 | 252 | 2k+ | Nonce verification recommended | ||
| #1138 | FOX – Currency Switcher Professional for WooCommerce | 30 | 211 | 1,022 | 50k+ | Non-prefixed global variable | ||
| #1139 | WooCommerce Stripe Payment Gateway | 30 | 173 | 591 | 700k+ | Non-prefixed hook name | ||
| #1140 | WooPayments: Integrated WooCommerce Payments | 30 | 182 | 308 | 900k+ | Exception output is not escaped | ||
| #1141 | WCPOS – Point of Sale (POS) plugin for WooCommerce | 30 | 77 | 228 | 5k+ | Nonce verification recommended | ||
| #1142 | WooCommerce Tax (formerly WooCommerce Shipping & Tax) | 30 | 103 | 198 | 600k+ | Non-prefixed class | ||
| #1143 | WP 2FA – Two-factor authentication for WordPress | 30 | 269 | 380 | 100k+ | Exception output is not escaped | ||
| #1144 | WP Docs | 30 | 268 | 271 | 1k+ | Output is not escaped | ||
| #1145 | WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into Event Calendar | 30 | 113 | 419 | 1k+ | Non-prefixed global variable | ||
| #1146 | WP Inventory Manager | 30 | 856 | 233 | 1k+ | Output is not escaped | ||
| #1147 | Photo Gallery Slideshow & Masonry Tiled Gallery | 30 | 806 | 352 | 1k+ | Output is not escaped | ||
| #1148 | WPOrLogin – Custom Login, Social Login, Limit Attempts, Hide Login & reCAPTCHA | 30 | 484 | 222 | 2k+ | Unsafe printing function | ||
| #1149 | WPS Cleaner | 30 | 430 | 491 | 20k+ | Output is not escaped | ||
| #1150 | YayPricing – WooCommerce Dynamic Pricing & Discounts | 30 | 174 | 186 | 3k+ | Non-prefixed global variable |