WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
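The three fixes above combined in one sketch, for a case where a custom table makes direct SQL unavoidable. This is an added example, not code from Plugin Check or from any plugin listed on this page; the `myplugin_*` functions, the `myplugin_events` table and the cache group are hypothetical names.

```php
<?php
// Added example; every myplugin_* name, the table and the cache group are hypothetical.

// Schema change kept in the activation routine. dbDelta() diffs the statement
// against the live table, so running it again on upgrade is harmless.
function myplugin_install() {
	global $wpdb;
	require_once ABSPATH . 'wp-admin/includes/upgrade.php';
	$charset = $wpdb->get_charset_collate();
	dbDelta(
		"CREATE TABLE {$wpdb->prefix}myplugin_events (
			id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
			user_id bigint(20) unsigned NOT NULL,
			kind varchar(32) NOT NULL,
			PRIMARY KEY  (id),
			KEY user_kind (user_id, kind)
		) {$charset};"
	);
}
register_activation_hook( __FILE__, 'myplugin_install' ); // Assumes this is the main plugin file.

// Repeated read: try the object cache first and prepare every dynamic value.
function myplugin_count_events( $user_id, $kind ) {
	global $wpdb;
	$user_id   = absint( $user_id );
	$kind      = sanitize_key( $kind );
	$cache_key = "count_{$user_id}_{$kind}";
	$count     = wp_cache_get( $cache_key, 'myplugin_events' );
	if ( false === $count ) { // Strict check: a cached count of 0 is still a hit.
		$count = (int) $wpdb->get_var(
			$wpdb->prepare(
				"SELECT COUNT(*) FROM {$wpdb->prefix}myplugin_events WHERE user_id = %d AND kind = %s",
				$user_id,
				$kind
			)
		);
		wp_cache_set( $cache_key, $count, 'myplugin_events', 5 * MINUTE_IN_SECONDS );
	}
	return (int) $count;
}

// Write path: insert with typed formats, then drop the cached count it invalidates.
function myplugin_add_event( $user_id, $kind ) {
	global $wpdb;
	$user_id = absint( $user_id );
	$kind    = sanitize_key( $kind );
	$wpdb->insert( $wpdb->prefix . 'myplugin_events', array( 'user_id' => $user_id, 'kind' => $kind ), array( '%d', '%s' ) );
	wp_cache_delete( "count_{$user_id}_{$kind}", 'myplugin_events' );
}
```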
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #1151 | Quick Featured Images | 32 | 436 | 323 | 50k+ | Non-prefixed global variable | ||
| #1152 | Relevanssi – A Better Search | 32 | 86 | 266 | 100k+ | Missing direct file access protection | ||
| #1153 | Responsive Filterable Portfolio Gallery – Media Grid & Video Portfolio | 32 | 436 | 163 | 1k+ | Output is not escaped | ||
| #1154 | Restrict Usernames Emails Characters | 32 | 327 | 367 | 1k+ | Output is not escaped | ||
| #1155 | Revolut Gateway for WooCommerce | 32 | 85 | 157 | 6k+ | Input is not sanitized | ||
| #1156 | RSS for Yandex Turbo | 32 | 687 | 307 | 20k+ | Unsafe printing function | ||
| #1157 | Simple Ajax Chat – Add a Fast, Secure Chat Box | 32 | 108 | 266 | 2k+ | Output is not escaped | ||
| #1158 | Page Builder by SiteOrigin | 32 | 224 | 212 | 500k+ | Output is not escaped | ||
| #1159 | Sky Addons for Elementor | 32 | 85 | 351 | 2k+ | Non-prefixed namespace | ||
| #1160 | Split Test For Elementor | 32 | 98 | 132 | 3k+ | Non-prefixed global variable | ||
| #1161 | Stock Sync for WooCommerce | 32 | 362 | 232 | 1k+ | Text Domain Mismatch | ||
| #1162 | Subscribe2 – Form, Email Subscribers & Newsletters | 32 | 32 | 410 | 10k+ | Direct Query | ||
| #1163 | Thrive Automator | 32 | 84 | 84 | 10k+ | SQL query is not prepared | ||
| #1164 | TK Google Fonts GDPR Compliant | 32 | 582 | 34 | 1k+ | Output is not escaped | ||
| #1165 | Ultimate Store Kit – Addon For WooCommerce, EDD and Elementor | 32 | 57 | 293 | 4k+ | Post Not In exclude | ||
| #1166 | Unbounce Landing Pages | 32 | 169 | 86 | 10k+ | Output is not escaped | ||
| #1167 | WebwinkelKeur: Webshop keurmerk & reviews for WordPress | 32 | 200 | 47 | 4k+ | Short PHP open tag found | ||
| #1168 | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | 32 | 5 | 933 | 40k+ | Non-prefixed global variable | ||
| #1169 | wp-jalali | 32 | 219 | 66 | 10k+ | Text Domain Mismatch | ||
| #1170 | SEOPress – AI SEO Plugin & On-site SEO | 32 | 138 | 429 | 300k+ | Non-prefixed global variable | ||
| #1171 | WP-Stats | 32 | 237 | 126 | 2k+ | Output is not escaped | ||
| #1172 | Privacy Policy Generator – WPLP Legal Pages | 32 | 26 | 409 | 10k+ | Non-prefixed global variable | ||
| #1173 | Dynamic XML Sitemaps Generator for Google | 32 | 74 | 411 | 20k+ | Non-prefixed global variable | ||
| #1174 | YITH Infinite Scrolling | 32 | 387 | 1,417 | 10k+ | Non-prefixed global variable | ||
| #1175 | YITH WooCommerce Badge Management | 32 | 413 | 1,446 | 10k+ | Non-prefixed global variable | ||
| #1176 | YITH WooCommerce Compare | 32 | 422 | 1,508 | 100k+ | Non-prefixed global variable | ||
| #1177 | YITH WooCommerce Quick View | 32 | 388 | 1,420 | 90k+ | Non-prefixed global variable | ||
| #1178 | Extra Product Options Builder for WooCommerce | 33 | 101 | 155 | 2k+ | Non-prefixed hook name | ||
| #1179 | Advanced Forms for ACF | 33 | 169 | 278 | 3k+ | Non-prefixed hook name | ||
| #1180 | Auto Listings – Car Listings & Car Dealership Plugin for WordPress | 33 | 80 | 321 | 2k+ | Non-prefixed global variable | ||
| #1181 | Premium Portfolio Features for Phlox theme | 33 | 204 | 137 | 40k+ | Output is not escaped | ||
| #1182 | AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth | 33 | 33 | 229 | 9k+ | Non-prefixed global variable | ||
| #1183 | Nexi XPay | 33 | 496 | 277 | 6k+ | Text Domain Mismatch | ||
| #1184 | CartPops – High Converting Add To Cart Popup For WooCommerce | 33 | 63 | 188 | 4k+ | Non-prefixed global variable | ||
| #1185 | Chartify – WordPress Chart Plugin | 33 | 76 | 411 | 3k+ | Non-prefixed global variable | ||
| #1186 | ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form | 33 | 57 | 204 | 1k+ | Non-prefixed global variable | ||
| #1187 | Clicky Analytics | 33 | 166 | 92 | 10k+ | Output is not escaped | ||
| #1188 | Companion Auto Update | 33 | 159 | 298 | 50k+ | Direct Query | ||
| #1189 | Companion Sitemap Generator – Simple, Smart, and SEO-Ready | 33 | 118 | 57 | 7k+ | Missing Translators Comment | ||
| #1190 | Easy Timer | 33 | 78 | 450 | 1k+ | Non-prefixed global variable | ||
| #1191 | EchBay Phonering Alo | 33 | 74 | 47 | 1k+ | Output is not escaped | ||
| #1192 | FastPixel Cache – Optimize Page Speed: Compress Images, Minify, Clean Database & CDN | 33 | 51 | 333 | 4k+ | Request data is not unslashed | ||
| #1193 | Gallery Custom Links | 33 | 64 | 62 | 30k+ | Non Singular String Literal Domain | ||
| #1194 | GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice for CCPA, EU Cookie Law | 33 | 48 | 370 | 300k+ | Non-prefixed global variable | ||
| #1195 | Flipbox – Awesomes Flip Boxes Image Overlay | 33 | 400 | 7,279 | 10k+ | Input is not validated | ||
| #1196 | Image Source Control Lite – Show Image Credits and Captions | 33 | 140 | 221 | 3k+ | Non-prefixed hook name | ||
| #1197 | ImageLinks – Interactive Image Builder with Hotspots | 33 | 517 | 90 | 1k+ | Text Domain Mismatch | ||
| #1198 | WPZOOM Social Feed Widget & Block | 33 | 310 | 278 | 60k+ | Unsafe printing function | ||
| #1199 | Intagrate Lite | 33 | 94 | 152 | 4k+ | date date | ||
| #1200 | ITRO Popup Plugin | 33 | 591 | 135 | 6k+ | Output is not escaped |