WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1801 | Eventer | 40 | 61 | 55 | 1k+ | Output is not escaped | ||
| #1802 | FameTheme Demo Importer | 40 | 8 | 74 | 30k+ | Nonce verification recommended | ||
| #1803 | Flamingo | 40 | 15 | 228 | 800k+ | Nonce verification recommended | ||
| #1804 | Product Enquiry for WooCommerce | 40 | 57 | 41 | 3k+ | Output is not escaped | ||
| #1805 | Hostinger Reach – AI-Powered Email Marketing for WordPress | 40 | 9 | 46 | 1m+ | Direct Query | ||
| #1806 | Image Alt Text | 40 | 79 | 97 | 9k+ | Non Singular String Literal Domain | ||
| #1807 | Internal Linking of Related Contents | 40 | 714 | 47 | 1k+ | Output is not escaped | ||
| #1808 | JSM Show Post Metadata | 40 | 15 | 66 | 10k+ | Nonce verification recommended | ||
| #1809 | JSM Show User Metadata | 40 | 14 | 64 | 3k+ | Nonce verification recommended | ||
| #1810 | La Sentinelle antispam | 40 | 88 | 46 | 3k+ | Output is not escaped | ||
| #1811 | Logbook | 40 | 33 | 59 | 2k+ | Nonce verification recommended | ||
| #1812 | Modal Window – create popup modal window | 40 | 4 | 170 | 10k+ | Non-prefixed global variable | ||
| #1813 | Multiple Featured Images | 40 | 50 | 22 | 5k+ | Output is not escaped | ||
| #1814 | Plugin Load Filter | 40 | 76 | 112 | 7k+ | Text Domain Mismatch | ||
| #1815 | Quiz Cat – WordPress Quiz Plugin | 40 | 151 | 69 | 5k+ | Output is not escaped | ||
| #1816 | Random Banner | 40 | 59 | 125 | 1k+ | Output is not escaped | ||
| #1817 | Redirector | 40 | 48 | 32 | 7k+ | Output is not escaped | ||
| #1818 | Role Based Redirect | 40 | 20 | 96 | 2k+ | Non-prefixed global variable | ||
| #1819 | Shortcodes Finder | 40 | 22 | 188 | 4k+ | Nonce verification recommended | ||
| #1820 | Simple Page Sidebars | 40 | 55 | 65 | 20k+ | Output is not escaped | ||
| #1821 | Statify Widget | 40 | 52 | 13 | 4k+ | Output is not escaped | ||
| #1822 | Payment Gateway – nexi Alpha Bank for WooCommerce | 40 | 28 | 45 | 1k+ | Missing nonce verification | ||
| #1823 | Word Balloon | 40 | 20 | 125 | 10k+ | Request data is not unslashed | ||
| #1824 | WP All Import – Job Listing Import for WP Job Manager | 40 | 35 | 27 | 2k+ | Output is not escaped | ||
| #1825 | Media Library Categories | 40 | 29 | 49 | 20k+ | Output is not escaped | ||
| #1826 | WP Reroute Email | 40 | 141 | 106 | 1k+ | Output is not escaped | ||
| #1827 | WPC Grouped Product for WooCommerce | 40 | 19 | 95 | 3k+ | Request data is not unslashed | ||
| #1828 | WPFront Notification Bar | 40 | 222 | 44 | 50k+ | Output is not escaped | ||
| #1829 | WPS Menu Exporter | 40 | 47 | 22 | 10k+ | Output is not escaped | ||
| #1830 | My YouTube Channel | 40 | 54 | 38 | 5k+ | Output is not escaped | ||
| #1831 | Zippy | 40 | 43 | 31 | 9k+ | Output is not escaped | ||
| #1832 | AMP for WP – Accelerated Mobile Pages | 41 | 656 | 2,401 | 80k+ | Non-prefixed global variable | ||
| #1833 | Alma – Pay in installments or later for WooCommerce | 41 | 116 | 68 | 1k+ | Exception output is not escaped | ||
| #1834 | Authenticator | 41 | 59 | 44 | 1k+ | Output is not escaped | ||
| #1835 | Auto Focus Keyword for SEO | 41 | 12 | 38 | 2k+ | Input is not validated | ||
| #1836 | Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) | 41 | 175 | 26 | 100k+ | Unsafe printing function | ||
| #1837 | Beautiful Cookie Consent Banner | 41 | 33 | 76 | 40k+ | Non-prefixed global variable | ||
| #1838 | BuddyPress Xprofile Custom Field Types | 41 | 39 | 189 | 4k+ | Missing nonce verification | ||
| #1839 | Database for CF7 | 41 | 37 | 32 | 2k+ | Text Domain Mismatch | ||
| #1840 | DevVN Local Store | 41 | 84 | 28 | 1k+ | Unsafe printing function | ||
| #1841 | Disable Everything | 41 | 90 | 16 | 30k+ | Output is not escaped | ||
| #1842 | Duplicate Post Page Menu & Custom Post Type | 41 | 35 | 11 | 10k+ | Text Domain Mismatch | ||
| #1843 | Duplicate Page and Post | 41 | 26 | 21 | 80k+ | Unsafe printing function | ||
| #1844 | Multiple Themes | 41 | 112 | 41 | 10k+ | Output is not escaped | ||
| #1845 | Log cleaner for Solid Security | 41 | 65 | 47 | 8k+ | Text Domain Mismatch | ||
| #1846 | Mobile Contact Bar | 41 | 94 | 36 | 10k+ | Unsafe printing function | ||
| #1847 | Mollie Forms | 41 | 14 | 565 | 3k+ | Request data is not unslashed | ||
| #1848 | Native Emoji | 41 | 54 | 37 | 5k+ | Unsafe printing function | ||
| #1849 | Social Login | 41 | 8 | 110 | 5k+ | Input is not sanitized | ||
| #1850 | Omnibus — show the lowest price | 41 | 35 | 37 | 10k+ | Output is not escaped |
