WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
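The second and third fixes, shown as an added example for a hypothetical plugin (not code from Plugin Check or from any plugin listed on this page). The `myplugin_` function names, the `myplugin_events` table, the `myplugin_db_version` option and the `myplugin` cache group are assumptions, and the code is assumed to sit in the plugin's main file inside a running WordPress install.

```php
<?php
// Added example: hypothetical plugin "myplugin"; all myplugin_* names are assumptions.
const MYPLUGIN_DB_VERSION = '1';
// Schema change: runs on activation and on upgrade, and is safe to re-run.
function myplugin_install() {
    global $wpdb;
    if ( get_option( 'myplugin_db_version' ) === MYPLUGIN_DB_VERSION ) {
        return; // Schema already current, so repeated calls do nothing.
    }
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    // dbDelta() creates the table or alters it to match this definition.
    dbDelta(
        "CREATE TABLE {$wpdb->prefix}myplugin_events (
            id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
            user_id bigint(20) unsigned NOT NULL,
            action varchar(64) NOT NULL,
            PRIMARY KEY  (id),
            KEY user_id (user_id)
        ) {$wpdb->get_charset_collate()};"
    );
    update_option( 'myplugin_db_version', MYPLUGIN_DB_VERSION );
}
register_activation_hook( __FILE__, 'myplugin_install' );
add_action( 'plugins_loaded', 'myplugin_install' ); // Covers upgrades without reactivation.

// Repeated read: prepared placeholders plus an object-cache lookup.
function myplugin_get_events( $user_id, $action ) {
    global $wpdb;
    $key  = 'events_' . absint( $user_id ) . '_' . md5( $action );
    $rows = wp_cache_get( $key, 'myplugin' );
    if ( false === $rows ) {
        // %d and %s keep caller-supplied values out of the SQL text.
        $rows = $wpdb->get_results(
            $wpdb->prepare(
                "SELECT id, action FROM {$wpdb->prefix}myplugin_events WHERE user_id = %d AND action = %s",
                $user_id, $action
            )
        );
        wp_cache_set( $key, $rows, 'myplugin', 5 * MINUTE_IN_SECONDS );
    }
    return $rows;
}

// Write path: insert with typed formats, then drop the cached read it invalidates.
function myplugin_add_event( $user_id, $action ) {
    global $wpdb;
    $wpdb->insert( "{$wpdb->prefix}myplugin_events", array( 'user_id' => $user_id, 'action' => $action ), array( '%d', '%s' ) );
    wp_cache_delete( 'events_' . absint( $user_id ) . '_' . md5( $action ), 'myplugin' );
}
```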
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #1701 | Textmetrics | 33 | 324 | 163 | 400 | Output is not escaped | ||
| #1702 | White Label CMS | 33 | 409 | 207 | 200k+ | Unsafe printing function | ||
| #1703 | Rich Showcase for Google Reviews | 33 | 213 | 278 | 100k+ | Output is not escaped | ||
| #1704 | Wonder Slider Lite | 33 | 273 | 187 | 8k+ | Output is not escaped | ||
| #1705 | Product Addons for Woocommerce – Product Options with Custom Fields | 33 | 124 | 114 | 30k+ | Output is not escaped | ||
| #1706 | Min Max Control – Min Max Quantity & Step Control for WooCommerce | 33 | 96 | 215 | 10k+ | Non-prefixed global variable | ||
| #1707 | Hyyan WooCommerce Polylang Integration | 33 | 141 | 220 | 8k+ | Nonce verification recommended | ||
| #1708 | CartBounty – Save and recover abandoned carts for WooCommerce | 33 | 370 | 399 | 10k+ | Output is not escaped | ||
| #1709 | CatalogX – Catalog Mode, Enquiry & Quotes for WooCommerce | 33 | 229 | 105 | 5k+ | Text Domain Mismatch | ||
| #1710 | Pay. Payment Methods for WooCommerce | 33 | 316 | 104 | 3k+ | Non Singular String Literal Domain | ||
| #1711 | PDF Invoices Italian Add-on for WooCommerce | 33 | 325 | 200 | 5k+ | Non Singular String Literal Domain | ||
| #1712 | WOW Slider | 33 | 176 | 101 | 3k+ | Output is not escaped | ||
| #1713 | Books Gallery – Book Showcase, Library & Affiliate Plugin | 33 | 1,753 | 178 | 2k+ | Output is not escaped | ||
| #1714 | WP Edit | 33 | 337 | 137 | 40k+ | Unsafe printing function | ||
| #1715 | WP EXtra – One Click Optimize | 33 | 414 | 101 | 7k+ | Missing Arg Domain | ||
| #1716 | WP Social AutoConnect | 33 | 290 | 144 | 500 | Output is not escaped | ||
| #1717 | Connector for Gravity Forms and Google Sheets | 33 | 692 | 155 | 3k+ | Text Domain Mismatch | ||
| #1718 | WP Multilang – Translation and Multilingual Plugin | 33 | 51 | 118 | 10k+ | Database parameter is not escaped | ||
| #1719 | WP-UserOnline | 33 | 111 | 161 | 10k+ | Output is not escaped | ||
| #1720 | WPReplace内容字符替换插件 | 33 | 209 | 195 | 800 | Non Singular String Literal Domain | ||
| #1721 | XML Sitemaps | 33 | 65 | 62 | 2k+ | Output is not escaped | ||
| #1722 | Zita Site Library for Elementor | 33 | 107 | 135 | 1k+ | Text Domain Mismatch | ||
| #1723 | Advanced Coupons for WooCommerce Coupons & Store Credit | 34 | 74 | 214 | 20k+ | Non-prefixed global variable | ||
| #1724 | Advanced Shipping Validation for WooCommerce | 34 | 331 | 127 | 400 | Text Domain Mismatch | ||
| #1725 | AI WP Writer – SEO content generator, chatGPT, Gemini | 34 | 581 | 509 | 3k+ | Text Domain Mismatch | ||
| #1726 | All-in-One WP Migration and Backup | 34 | 47 | 69 | 5m+ | Missing nonce verification | ||
| #1727 | Assistant – Every Day Productivity Apps | 34 | 124 | 97 | 4k+ | Exception output is not escaped | ||
| #1728 | Audit Trail | 34 | 90 | 107 | 10k+ | Unsafe printing function | ||
| #1729 | AyeCode Connect | 34 | 178 | 253 | 10k+ | Nonce verification recommended | ||
| #1730 | Beeketing for WooCommerce – Marketing Automation to Boost Sales | 34 | 113 | 123 | 600 | SQL query is not prepared | ||
| #1731 | Blog-in-Blog | 34 | 64 | 93 | 800 | Non-prefixed function | ||
| #1732 | BoldGrid Easy SEO – Simple and Effective SEO | 34 | 149 | 104 | 40k+ | Text Domain Mismatch | ||
| #1733 | Buckets | 34 | 68 | 76 | 500 | Output is not escaped | ||
| #1734 | BuddyPress & BuddyBoss Member Profile Forms | 34 | 154 | 121 | 400 | Text Domain Mismatch | ||
| #1735 | Campi Moduli Italiani | 34 | 72 | 363 | 500 | Unquoted Complex Placeholder | ||
| #1736 | CM Search And Replace – Optimize content edits with a powerful search and replace tool | 34 | 286 | 111 | 2k+ | Output is not escaped | ||
| #1737 | Contact Form 7 – PayPal & Stripe Add-on | 34 | 93 | 233 | 7k+ | Exception output is not escaped | ||
| #1738 | Cornerstone | 34 | 161 | 174 | 30k+ | Nonce verification recommended | ||
| #1739 | CSS JS Manager, Async JavaScript, Defer Render Blocking CSS | 34 | 76 | 106 | 1k+ | Input is not validated | ||
| #1740 | Custom Post Type Attachment | 34 | 153 | 49 | 800 | wp function not compatible with requires wp | ||
| #1741 | Custom Sidebars – Dynamic Sidebar Classic Widget Area Manager | 34 | 32 | 307 | 100k+ | Non-prefixed global variable | ||
| #1742 | Datafeedr API | 34 | 307 | 48 | 6k+ | Output is not escaped | ||
| #1743 | DD Last Viewed | 34 | 193 | 132 | 500 | Output is not escaped | ||
| #1744 | Debug Log Manager Tool | 34 | 44 | 143 | 3k+ | Nonce verification recommended | ||
| #1745 | Document Library Lite | 34 | 149 | 85 | 4k+ | Text Domain Mismatch | ||
| #1746 | Download After Email – Subscribe & Download Form Plugin | 34 | 22 | 356 | 7k+ | Input is not validated | ||
| #1747 | Dr. Flex | 34 | 83 | 51 | 1k+ | Output is not escaped | ||
| #1748 | Easy Social Sharing | 34 | 16 | 240 | 1k+ | Non-prefixed global variable | ||
| #1749 | EasyIndex | 34 | 74 | 135 | 1k+ | Missing nonce verification | ||
| #1750 | Einsatzverwaltung | 34 | 152 | 128 | 1k+ | Output is not escaped |