WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1201 | Tutor LMS Elementor Addons | 31 | 227 | 457 | 30k+ | Non-prefixed global variable | ||
| #1202 | User Spam Remover | 31 | 115 | 14 | 1k+ | Output is not escaped | ||
| #1203 | Blacklist Manager – WooCommerce Anti-Fraud, Blacklist & Checkout Verification | 31 | 284 | 830 | 2k+ | Missing nonce verification | ||
| #1204 | Web Push Notifications – Webpushr | 31 | 169 | 293 | 10k+ | Output is not escaped | ||
| #1205 | Project Manager – AI Powered Project Management, Task Management, Kanban Board & Time Tracker | 31 | 63 | 933 | 6k+ | Interpolated SQL is not prepared | ||
| #1206 | Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets | 31 | 837 | 295 | 100k+ | Unsafe printing function | ||
| #1207 | WooCommerce Legacy REST API | 31 | 324 | 177 | 400k+ | Missing Translators Comment | ||
| #1208 | Tooltips for WordPress | 31 | 312 | 252 | 5k+ | Output is not escaped | ||
| #1209 | WPGatsby | 31 | 125 | 55 | 3k+ | Text Domain Mismatch | ||
| #1210 | HireZoot – (WP Job Openings) Job Listings, Career Page & Recruitment Tool | 31 | 14 | 539 | 40k+ | Non-prefixed global variable | ||
| #1211 | WP Simple Booking Calendar | 31 | 337 | 381 | 20k+ | Output is not escaped | ||
| #1212 | WP Visitor Statistics (Real Time Traffic) | 31 | 353 | 691 | 20k+ | Nonce verification recommended | ||
| #1213 | WP ULike – Like & Dislike Buttons for Engagement and Feedback | 31 | 269 | 358 | 60k+ | Output is not escaped | ||
| #1214 | WP125 | 31 | 178 | 184 | 3k+ | Unsafe printing function | ||
| #1215 | Hosting Benchmark tool | 31 | 202 | 115 | 4k+ | rand rand | ||
| #1216 | YITH Color and Label Variations for WooCommerce | 31 | 393 | 1,428 | 9k+ | Non-prefixed global variable | ||
| #1217 | YITH WooCommerce Brands Add-On | 31 | 393 | 1,425 | 9k+ | Non-prefixed global variable | ||
| #1218 | YITH WooCommerce Catalog Mode | 31 | 380 | 1,418 | 60k+ | Non-prefixed global variable | ||
| #1219 | YITH WooCommerce Featured Video | 31 | 383 | 1,434 | 3k+ | Non-prefixed global variable | ||
| #1220 | YITH Frequently Bought Together for WooCommerce | 31 | 389 | 1,452 | 8k+ | Non-prefixed global variable | ||
| #1221 | YITH WooCommerce Order & Shipment Tracking | 31 | 380 | 1,420 | 7k+ | Non-prefixed global variable | ||
| #1222 | YITH Request a Quote for WooCommerce | 31 | 408 | 1,481 | 10k+ | Non-prefixed global variable | ||
| #1223 | YITH WooCommerce Tab Manager | 31 | 395 | 1,429 | 4k+ | Non-prefixed global variable | ||
| #1224 | Zendesk Support for WordPress | 31 | 195 | 88 | 2k+ | Output is not escaped | ||
| #1225 | PayPal Zettle POS for WooCommerce | 31 | 302 | 44 | 4k+ | Exception output is not escaped | ||
| #1226 | ActiveDEMAND | 32 | 157 | 161 | 1k+ | Output is not escaped | ||
| #1227 | Advanced Access Manager – Access Governance for WordPress | 32 | 849 | 62 | 100k+ | Output is not escaped | ||
| #1228 | annasta Filters for WooCommerce | 32 | 1,073 | 441 | 2k+ | Text Domain Mismatch | ||
| #1229 | APCu Manager | 32 | 151 | 126 | 10k+ | Output is not escaped | ||
| #1230 | Author Avatars List/Block | 32 | 85 | 135 | 4k+ | Non-prefixed hook name | ||
| #1231 | Auto YouTube Importer | 32 | 338 | 173 | 1k+ | Text Domain Mismatch | ||
| #1232 | Better Chat Support for Messenger | 32 | 72 | 103 | 1k+ | Interpolated SQL is not prepared | ||
| #1233 | Blog2Social: Social Media Auto Post & Scheduler | 32 | 7 | 962 | 50k+ | Direct Query | ||
| #1234 | BuddyPress for LearnDash | 32 | 190 | 284 | 1k+ | Output is not escaped | ||
| #1235 | Addi – Cuotas que se adaptan a ti | 32 | 106 | 210 | 2k+ | Direct Query | ||
| #1236 | Vimeotheque – Vimeo WordPress Plugin & Video Gallery | 32 | 642 | 264 | 2k+ | Unsafe printing function | ||
| #1237 | Cooked – Recipe Management | 32 | 462 | 275 | 3k+ | Output is not escaped | ||
| #1238 | Currency Switcher for WooCommerce | 32 | 357 | 263 | 10k+ | Text Domain Mismatch | ||
| #1239 | Download Attachments | 32 | 69 | 188 | 8k+ | Non-prefixed hook name | ||
| #1240 | Enter Addons – Ultimate Template Builder for Elementor | 32 | 82 | 72 | 1k+ | Output is not escaped | ||
| #1241 | Fable Extra | 32 | 79 | 282 | 4k+ | Non-prefixed global variable | ||
| #1242 | Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages | 32 | 53 | 773 | 9k+ | Nonce verification recommended | ||
| #1243 | CRM Perks Integration for Gravity Forms and Salesforce | 32 | 807 | 178 | 1k+ | Text Domain Mismatch | ||
| #1244 | Insights from Google PageSpeed | 32 | 414 | 475 | 20k+ | Text Domain Mismatch | ||
| #1245 | GSheetConnector For Ninja Forms | 32 | 165 | 93 | 1k+ | Unsafe printing function | ||
| #1246 | GSheetConnector For WPForms – WPForms Google Sheets Integration (Real-Time Sync) | 32 | 120 | 145 | 8k+ | Non-prefixed global variable | ||
| #1247 | Gwolle Guestbook | 32 | 269 | 527 | 20k+ | Output is not escaped | ||
| #1248 | HTML5 jQuery Audio Player | 32 | 251 | 153 | 1k+ | Unsafe printing function | ||
| #1249 | HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce | 32 | 396 | 142 | 20k+ | Output is not escaped | ||
| #1250 | ThumbPress – Compress Images, Manage Thumbnails, Detect Image Issues, WebP/AVIF, Lazy Loading, Hotlinking & More | 32 | 101 | 308 | 30k+ | Non-prefixed global variable |
