WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
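The three fixes above, shown together as an added example. This is not code from Plugin Check or from any plugin listed on this page. It assumes it runs inside a WordPress plugin file, and the `myplugin_` prefix, the `myplugin_events` table, the `myplugin_db_version` option and the `myplugin` cache group are hypothetical names.

```php
<?php
// Added example: hypothetical plugin code; must run inside WordPress.
defined( 'ABSPATH' ) || exit;
const MYPLUGIN_DB_VERSION = '1'; // hypothetical schema version

// Schema changes live in one idempotent routine: dbDelta() applies only
// differences, and the stored version turns repeat calls into a no-op.
function myplugin_install() {
	global $wpdb;
	if ( get_option( 'myplugin_db_version' ) === MYPLUGIN_DB_VERSION ) {
		return;
	}
	require_once ABSPATH . 'wp-admin/includes/upgrade.php';
	$table = $wpdb->prefix . 'myplugin_events';
	dbDelta( "CREATE TABLE $table (
		id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
		user_id bigint(20) unsigned NOT NULL,
		label varchar(191) NOT NULL,
		PRIMARY KEY  (id),
		KEY user_id (user_id)
	) {$wpdb->get_charset_collate()};" );
	update_option( 'myplugin_db_version', MYPLUGIN_DB_VERSION );
}
register_activation_hook( __FILE__, 'myplugin_install' );
add_action( 'plugins_loaded', 'myplugin_install' ); // covers upgrades

// Repeated read: the dynamic value is bound by prepare(), the result cached.
function myplugin_get_events( $user_id ) {
	global $wpdb;
	$user_id = absint( $user_id );
	$rows    = wp_cache_get( "events_$user_id", 'myplugin' );
	if ( false === $rows ) {
		$table = $wpdb->prefix . 'myplugin_events'; // trusted prefix only, never user input
		$rows  = $wpdb->get_results( $wpdb->prepare(
			"SELECT id, label FROM {$table} WHERE user_id = %d ORDER BY id DESC LIMIT 50", $user_id ) );
		wp_cache_set( "events_$user_id", $rows, 'myplugin', HOUR_IN_SECONDS );
	}
	return $rows;
}

// Writes invalidate the cached read so stale rows are not served.
function myplugin_add_event( $user_id, $label ) {
	global $wpdb;
	$ok = $wpdb->insert( $wpdb->prefix . 'myplugin_events',
		array( 'user_id' => absint( $user_id ), 'label' => sanitize_text_field( $label ) ),
		array( '%d', '%s' ) );
	wp_cache_delete( 'events_' . absint( $user_id ), 'myplugin' );
	return false !== $ok;
}
```

Without a persistent object cache, `wp_cache_set()` only holds the rows for the current request.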
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #1751 | ECS – Ele Custom Skin for Elementor | 34 | 99 | 205 | 100k+ | Text Domain Mismatch | ||
| #1752 | Empik for Woocommerce | 34 | 70 | 259 | 400 | Missing nonce verification | ||
| #1753 | ePayco Plugin for WooCommerce | 34 | 155 | 136 | 3k+ | Text Domain Mismatch | ||
| #1754 | Event Post | 34 | 329 | 99 | 1k+ | Output is not escaped | ||
| #1755 | Meta for WooCommerce | 34 | 66 | 186 | 400k+ | Non-prefixed hook name | ||
| #1756 | Fancy Comments WordPress | 34 | 359 | 39 | 2k+ | Unsafe printing function | ||
| #1757 | Featured Video Plus | 34 | 99 | 105 | 10k+ | Non-prefixed global variable | ||
| #1758 | Flash Toolkit | 34 | 159 | 242 | 10k+ | Non-prefixed global variable | ||
| #1759 | Floating Side Tab | 34 | 94 | 153 | 600 | Non-prefixed global variable | ||
| #1760 | FluentAuth – The Ultimate Authorization & Security Plugin for WordPress | 34 | 44 | 229 | 10k+ | Nonce verification recommended | ||
| #1761 | FV Gravatar Cache | 34 | 50 | 42 | 700 | Output is not escaped | ||
| #1762 | Geolocation IP Detection | 34 | 227 | 167 | 20k+ | Output is not escaped | ||
| #1763 | APG Google Video Sitemap Feed | 34 | 96 | 45 | 800 | Output is not escaped | ||
| #1764 | Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program | 34 | 131 | 352 | 600 | Missing nonce verification | ||
| #1765 | Signature Add-On for Gravity Forms | 34 | 161 | 48 | 1k+ | Text Domain Mismatch | ||
| #1766 | Greenshift – animation and page builder blocks | 34 | 33 | 272 | 70k+ | Non-prefixed global variable | ||
| #1767 | HollerBox — Fast & Effective Popups & Lead-Generation | 34 | 78 | 92 | 2k+ | Output is not escaped | ||
| #1768 | 우커머스 포트원 플러그인 (국내 모든 PG를 한 번에) | 34 | 36 | 181 | 700 | Nonce verification recommended | ||
| #1769 | Image Cleanup | 34 | 52 | 94 | 1k+ | Nonce verification recommended | ||
| #1770 | Import XML and RSS Feeds | 34 | 260 | 85 | 2k+ | Unsafe printing function | ||
| #1771 | Inavii Social Feed – Live Social Proof Gallery | 34 | 532 | 180 | 9k+ | Text Domain Mismatch | ||
| #1772 | JS Archive List | 34 | 99 | 31 | 3k+ | Output is not escaped | ||
| #1773 | Lenix Leads Collector | 34 | 414 | 242 | 10k+ | Text Domain Mismatch | ||
| #1774 | Login with Vipps and MobilePay | 34 | 263 | 174 | 900 | Output is not escaped | ||
| #1775 | MailChimp Forms by MailMunch | 34 | 120 | 55 | 10k+ | Output is not escaped | ||
| #1776 | Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin | 34 | 36 | 459 | 3k+ | Input is not sanitized | ||
| #1777 | MantraBrain Starter Sites \| MantraBrain Theme Demo Importer | 34 | 117 | 61 | 1k+ | Output is not escaped | ||
| #1778 | Mass Ping Tool for SEO – WordPress ping list to get indexed faster on Google, Yandex, … | 34 | 77 | 96 | 500 | Output is not escaped | ||
| #1779 | Media Vault | 34 | 115 | 150 | 800 | Output is not escaped | ||
| #1780 | Melhor Envio | 34 | 24 | 276 | 10k+ | Nonce verification recommended | ||
| #1781 | Meow Analytics (Google Analytics) | 34 | 80 | 54 | 400 | Output is not escaped | ||
| #1782 | Meow Lightbox | 34 | 77 | 52 | 10k+ | Non Singular String Literal Domain | ||
| #1783 | Montonio for WooCommerce | 34 | 44 | 257 | 10k+ | Non-prefixed global variable | ||
| #1784 | Multi Step Form | 34 | 277 | 136 | 9k+ | Output is not escaped | ||
| #1785 | My Tickets – Accessible Event Ticketing | 34 | 314 | 566 | 700 | Nonce verification recommended | ||
| #1786 | Ni WooCommerce Custom Order Status | 34 | 256 | 139 | 2k+ | Text Domain Mismatch | ||
| #1787 | One User Avatar \| User Profile Picture | 34 | 68 | 190 | 100k+ | Non-prefixed global variable | ||
| #1788 | Optima Express IDX | 34 | 71 | 237 | 10k+ | Non-prefixed class | ||
| #1789 | Child Theme Creator by Orbisius | 34 | 86 | 39 | 10k+ | Output is not escaped | ||
| #1790 | OwnerRez | 34 | 79 | 56 | 700 | Unsafe printing function | ||
| #1791 | Payoneer Checkout | 34 | 168 | 41 | 5k+ | Exception output is not escaped | ||
| #1792 | PhonePe Payment Solutions | 34 | 77 | 106 | 10k+ | Missing direct file access protection | ||
| #1793 | PushEngage – Web Push Notifications, WooCommerce Automation & Chat Widget | 34 | 46 | 298 | 9k+ | Missing nonce verification | ||
| #1794 | PW WooCommerce Bulk Edit | 34 | 219 | 149 | 20k+ | Unsafe printing function | ||
| #1795 | QuadLayers Telegram Button | 34 | 149 | 71 | 1k+ | Text Domain Mismatch | ||
| #1796 | Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers | 34 | 261 | 863 | 20k+ | Non-prefixed global variable | ||
| #1797 | Redirection | 34 | 32 | 294 | 2m+ | Non-prefixed class | ||
| #1798 | Responsive Menu – Create Mobile-Friendly Menu | 34 | 68 | 40 | 70k+ | Nonce verification recommended | ||
| #1799 | Event Timeline – Vertical Timeline | 34 | 26 | 684 | 1k+ | Non-prefixed global variable | ||
| #1800 | RTMKit | 34 | 10 | 380 | 50k+ | Non-prefixed global variable |