WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to write unsafely, can be slower at scale, and are harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1851 | Optimus – WordPress Image Optimizer | 41 | 52 | 20 | 30k+ | | Unsafe printing function |
| #1852 | OSS Aliyun | 41 | 19 | 40 | 3k+ | | Request data is not unslashed |
| #1853 | Page & Post Notes | 41 | 12 | 77 | 1k+ | | Non-prefixed global variable |
| #1854 | Pods – Custom Content Types and Fields | 41 | 5 | 233 | 100k+ | | Direct Query |
| #1855 | Smart Post – Post Grid, Post Carousel, Post Slider Gutenberg Blocks for Blog & News | 41 | 537 | | 20k+ | | Non-prefixed global variable |
| #1856 | Posts 2 Posts | 41 | 42 | 73 | 10k+ | | Non Singular String Literal Domain |
| #1857 | Product Expiry for WooCommerce | 41 | 31 | 85 | 2k+ | | Request data is not unslashed |
| #1858 | Simple Product Options for WooCommerce | 41 | 62 | 41 | 3k+ | | Output is not escaped |
| #1859 | Responsive Plus – Elementor Templates & Starter Sites | 41 | 46 | 307 | 10k+ | | Non-prefixed global variable |
| #1860 | ShinyStat Analytics | 41 | 88 | 25 | 1k+ | | Output is not escaped |
| #1861 | Simple Lightbox | 41 | 21 | 48 | 100k+ | | Nonce verification recommended |
| #1862 | Simple Page Access Restriction | 41 | 66 | 51 | 6k+ | | Unsafe printing function |
| #1863 | Simple Revision Control | 41 | 34 | 43 | 1k+ | | Dynamic hook name |
| #1864 | Squeeze – Image Optimization & Compression, WEBP Conversion | 41 | 18 | 71 | 2k+ | | Nonce verification recommended |
| #1865 | Visibility Logic for Elementor | 41 | 27 | 43 | 30k+ | | Output is not escaped |
| #1866 | WC Price History | 41 | 18 | 17 | 4k+ | | SQL query is not prepared |
| #1867 | Country Based Restrictions for WooCommerce | 41 | 27 | 67 | 5k+ | | Request data is not unslashed |
| #1868 | WP Media folders | 41 | 19 | 74 | 3k+ | | Direct Query |
| #1869 | WP Test Email | 41 | 32 | 28 | 20k+ | | Unsafe printing function |
| #1870 | WPS Hide Login | 41 | 34 | 72 | 2m+ | | Nonce verification recommended |
| #1871 | Post Grid Master — Post Grids & AJAX Filters | 42 | 44 | 115 | 1k+ | | Non-prefixed global variable |
| #1872 | Companion Revision Manager – Revision Control | 42 | 18 | 28 | 4k+ | | Unsafe printing function |
| #1873 | Custom Fields for Gutenberg | 42 | 24 | 24 | 1k+ | | Output is not escaped |
| #1874 | Custom Taxonomy Order | 42 | 20 | 56 | 50k+ | | Output is not escaped |
| #1875 | Delete Expired Transients | 42 | 49 | 65 | 5k+ | | Direct Query |
| #1876 | Enable Classic Editor & Widgets | 42 | 106 | 6 | 3k+ | | Non Singular String Literal Domain |
| #1877 | Etsy Shop | 42 | 58 | 21 | 3k+ | | Unsafe printing function |
| #1878 | Exclude Pages | 42 | 31 | 14 | 30k+ | | Non Singular String Literal Domain |
| #1879 | FormCraft – Form Builder | 42 | 186 | 156 | 2k+ | | Text Domain Mismatch |
| #1880 | Gelato Integration for WooCommerce | 42 | 36 | 32 | 5k+ | | Output is not escaped |
| #1881 | Hide Cart Functions | 42 | 12 | 50 | 3k+ | | Nonce verification recommended |
| #1882 | Image Uploader for Welcart | 42 | 27 | 24 | 3k+ | | Output is not escaped |
| #1883 | Manage User Columns | 42 | 15 | 27 | 1k+ | | Request data is not unslashed |
| #1884 | Nav Menu Collapse | 42 | 17 | 39 | 3k+ | | Missing nonce verification |
| #1885 | PDF Thumbnail Generator | 42 | 26 | 16 | 2k+ | | Output is not escaped |
| #1886 | Post Types Order | 42 | 45 | 43 | 600k+ | | wp function not compatible with requires wp |
| #1887 | Proxy & VPN Blocker | 42 | 10 | 72 | 1k+ | | Nonce verification recommended |
| #1888 | Rename wp-admin login | 42 | 23 | 38 | 8k+ | | Output is not escaped |
| #1889 | Republish Old Posts | 42 | 83 | 24 | 2k+ | | Output is not escaped |
| #1890 | Reusable Blocks Extended | 42 | 38 | 15 | 20k+ | | Output is not escaped |
| #1891 | Secure Passkeys | 42 | 146 | 76 | 1k+ | | Exception output is not escaped |
| #1892 | Sendcloud Shipping | 42 | 78 | 56 | 5k+ | | Output is not escaped |
| #1893 | Simple Googlebot Visit | 42 | 32 | 67 | 1k+ | | Non Singular String Literal Domain |
| #1894 | Speed Contact Bar | 42 | 53 | 20 | 5k+ | | Output is not escaped |
| #1895 | Transients Manager | 42 | 45 | 50 | 20k+ | | Output is not escaped |
| #1896 | Ultimate Category Excluder | 42 | 22 | 26 | 50k+ | | Missing nonce verification |
| #1897 | Ultimate Coming Soon Page, Maintenance Mode & Under Construction – Gutenberg Block Builder & Landing Page | 42 | 15 | 89 | 10k+ | | Non-prefixed global variable |
| #1898 | Auto Coupons for WooCommerce | 42 | 81 | 68 | 4k+ | | Output is not escaped |
| #1899 | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | 42 | 2,583 | 1,823 | 10k+ | | Text Domain Mismatch |
| #1900 | WP Fingerprint | 42 | 34 | 47 | 9k+ | | Direct Query |