WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1551 | WP Gravity Forms HubSpot | 32 | 771 | 160 | 600 | Text Domain Mismatch | ||
| #1552 | CRM Perks Integration for Gravity Forms and Salesforce | 32 | 807 | 178 | 1k+ | Text Domain Mismatch | ||
| #1553 | WP Gravity Forms Zoho CRM and Bigin | 32 | 750 | 174 | 400 | Text Domain Mismatch | ||
| #1554 | GlotPress | 32 | 403 | 103 | 500 | Unsafe printing function | ||
| #1555 | Insights from Google PageSpeed | 32 | 414 | 475 | 20k+ | Text Domain Mismatch | ||
| #1556 | GSheetConnector For Ninja Forms | 32 | 165 | 93 | 1k+ | Unsafe printing function | ||
| #1557 | GSheetConnector For WPForms – WPForms Google Sheets Integration (Real-Time Sync) | 32 | 120 | 145 | 8k+ | Non-prefixed global variable | ||
| #1558 | Gwolle Guestbook | 32 | 269 | 527 | 20k+ | Output is not escaped | ||
| #1559 | Honeypot Toolkit | 32 | 155 | 770 | 400 | Missing nonce verification | ||
| #1560 | HTML5 jQuery Audio Player | 32 | 251 | 153 | 1k+ | Unsafe printing function | ||
| #1561 | Image Slider Slideshow | 32 | 409 | 171 | 2k+ | Text Domain Mismatch | ||
| #1562 | Jetpack VaultPress Backup | 32 | 554 | 211 | 20k+ | Text Domain Mismatch | ||
| #1563 | Juiz Last Tweet Widget | 32 | 136 | 53 | 500 | Output is not escaped | ||
| #1564 | Manager for IcoMoon | 32 | 270 | 68 | 400 | Short PHP open tag found | ||
| #1565 | MapPress Maps for WordPress | 32 | 695 | 133 | 30k+ | Missing Arg Domain | ||
| #1566 | Members – Membership & User Role Editor Plugin | 32 | 233 | 259 | 300k+ | Output is not escaped | ||
| #1567 | MetaSlider Gallery – Image Gallery, Lightbox Galleries, Modal Windows | 32 | 159 | 62 | 10k+ | Output is not escaped | ||
| #1568 | WP Mobile Menu – The Mobile-Friendly Responsive Menu | 32 | 990 | 195 | 80k+ | Output is not escaped | ||
| #1569 | Moyasar | 32 | 539 | 219 | 700 | Text Domain Mismatch | ||
| #1570 | Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation | 32 | 462 | 41 | 1m+ | Text Domain Mismatch | ||
| #1571 | Organization chart | 32 | 187 | 334 | 5k+ | SQL query is not prepared | ||
| #1572 | Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin | 32 | 446 | 173 | 5k+ | Text Domain Mismatch | ||
| #1573 | DEPRECATED – Shipmondo – A complete shipping solution for WooCommerce | 32 | 166 | 119 | 5k+ | Output is not escaped | ||
| #1574 | Account Engagement | 32 | 115 | 74 | 2k+ | Output is not escaped | ||
| #1575 | PilotPress | 32 | 150 | 285 | 900 | Output is not escaped | ||
| #1576 | Plugin Organizer | 32 | 326 | 257 | 10k+ | Output is not escaped | ||
| #1577 | TS Poll – Survey, Versus Poll, Image Poll, Video Poll | 32 | 570 | 171 | 4k+ | Text Domain Mismatch | ||
| #1578 | Volunteer Sign Up Sheets | 32 | 967 | 401 | 1k+ | Output is not escaped | ||
| #1579 | Quick Featured Images | 32 | 436 | 323 | 50k+ | Non-prefixed global variable | ||
| #1580 | Relevanssi – A Better Search | 32 | 86 | 266 | 100k+ | Missing direct file access protection | ||
| #1581 | Responsive Filterable Portfolio Gallery – Media Grid & Video Portfolio | 32 | 436 | 163 | 1k+ | Output is not escaped | ||
| #1582 | Restrict Usernames Emails Characters | 32 | 327 | 367 | 1k+ | Output is not escaped | ||
| #1583 | Revolut Gateway for WooCommerce | 32 | 85 | 157 | 6k+ | Input is not sanitized | ||
| #1584 | RSS for Yandex Turbo | 32 | 687 | 307 | 20k+ | Unsafe printing function | ||
| #1585 | Simple Ajax Chat – Add a Fast, Secure Chat Box | 32 | 108 | 266 | 2k+ | Output is not escaped | ||
| #1586 | Site Search 360 | 32 | 202 | 213 | 400 | Output is not escaped | ||
| #1587 | Sky Addons for Elementor | 32 | 85 | 351 | 2k+ | Non-prefixed namespace | ||
| #1588 | Split Test For Elementor | 32 | 98 | 132 | 3k+ | Non-prefixed global variable | ||
| #1589 | Spoki – Chat Buttons and WooCommerce Notifications | 32 | 1,074 | 260 | 700 | Unsafe printing function | ||
| #1590 | Stock Locations for WooCommerce | 32 | 549 | 360 | 1k+ | Output is not escaped | ||
| #1591 | Stock Sync for WooCommerce | 32 | 362 | 232 | 1k+ | Text Domain Mismatch | ||
| #1592 | Subscribe2 – Form, Email Subscribers & Newsletters | 32 | 32 | 410 | 10k+ | Direct Query | ||
| #1593 | System Dashboard | 32 | 91 | 205 | 1k+ | Request data is not unslashed | ||
| #1594 | Thrive Automator | 32 | 84 | 84 | 10k+ | SQL query is not prepared | ||
| #1595 | TK Google Fonts GDPR Compliant | 32 | 582 | 34 | 1k+ | Output is not escaped | ||
| #1596 | Tumult Hype Animations | 32 | 56 | 117 | 1k+ | Output is not escaped | ||
| #1597 | Ultimate Store Kit – Addon For WooCommerce, EDD and Elementor | 32 | 57 | 293 | 4k+ | Post Not In exclude | ||
| #1598 | Unbounce Landing Pages | 32 | 169 | 86 | 10k+ | Output is not escaped | ||
| #1599 | Multi Currency For WooCommerce | 32 | 87 | 70 | 1k+ | Non-prefixed global variable | ||
| #1600 | WebwinkelKeur: Webshop keurmerk & reviews for WordPress | 32 | 200 | 47 | 4k+ | Short PHP open tag found |