WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1901 | Easy Dash for LearnDash | 35 | 623 | 88 | 800 | | | Text Domain Mismatch |
| #1902 | Easy Post Types and Fields | 35 | 138 | 135 | 1k+ | | | Text Domain Mismatch |
| #1903 | Product Bundle Builder for WooCommerce | 35 | 156 | 134 | 6k+ | | | Text Domain Mismatch |
| #1904 | Easy Social Icons | 35 | 182 | 158 | 20k+ | | | Output is not escaped |
| #1905 | Ele Conditions for Elementor | 35 | 2 | 7 | 4k+ | | | Request data is not unslashed |
| #1906 | Elementor Website Builder – more than just a page builder | 35 | 46 | 428 | 10m+ | | | Non-prefixed global variable |
| #1907 | Elements Hive for Breakdance | 35 | 76 | 25 | 1k+ | | | Output is not escaped |
| #1908 | Email Subscription Popup — Newsletter & GDPR Consent | 35 | 683 | 193 | 1k+ | | | Output is not escaped |
| #1909 | Email Validator for Contact Form 7 | 35 | 111 | 74 | 500 | | | SQL query is not prepared |
| #1910 | Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more | 35 | 102 | 92 | 400 | | | Non-prefixed global variable |
| #1911 | EnvíaloSimple: Email Marketing y Newsletters | 35 | 147 | 250 | 2k+ | | | Nonce verification recommended |
| #1912 | Equivalent Mobile Redirect | 35 | 29 | 17 | 2k+ | | | Text Domain Mismatch |
| #1913 | EWWW Image Optimizer | 35 | 225 | 729 | 1m+ | | | Direct Query |
| #1914 | Expire User Passwords | 35 | 3 | 15 | 3k+ | | | Nonce verification recommended |
| #1915 | Export Featured Images | 35 | 176 | 67 | 1k+ | | | Output is not escaped |
| #1916 | Extendify | 35 | 117 | 168 | 500k+ | | | Non-prefixed global variable |
| #1917 | External Links Overview | 35 | 57 | 200 | 800 | | | Non-prefixed global variable |
| #1918 | WP2Social Auto Publish | 35 | 643 | 215 | 9k+ | | | Unsafe printing function |
| #1919 | Flexible Subscriptions | 35 | 46 | 249 | 1k+ | | | Non-prefixed global variable |
| #1920 | Force Regenerate Thumbnails | 35 | 12 | 17 | 200k+ | | | unlink unlink |
| #1921 | Full Width Banner Slider Wp | 35 | 239 | 140 | 2k+ | | | Output is not escaped |
| #1922 | Video Gallery – YouTube Gallery, Vimeo, Video Portfolio, Image Portfolio and Image Gallery | 35 | 50 | 199 | 10k+ | | | Non-prefixed global variable |
| #1923 | GD bbPress Attachments | 35 | 2 | 10 | 6k+ | | | wp redirect wp redirect |
| #1924 | GDPR Compliance & Cookie Consent | 35 | 251 | 61 | 5k+ | | | Output is not escaped |
| #1925 | GeoTargeting Lite – WordPress Geolocation | 35 | 66 | 79 | 1k+ | | | Output is not escaped |
| #1926 | Glossary | 35 | 169 | 93 | 2k+ | | | Non Singular String Literal Domain |
| #1927 | Google Analytics Opt-Out | 35 | 34 | 7 | 5k+ | | | Output is not escaped |
| #1928 | Gravitec.net – Web Push Notifications | 35 | 47 | 52 | 1k+ | | | wp function not compatible with requires wp |
| #1929 | Ultimate Addons for Elementor | 35 | 70 | 226 | 2m+ | | | Non-prefixed hook name |
| #1930 | Health Check & Troubleshooting | 35 | 264 | 238 | 300k+ | | | Missing Arg Domain |
| #1931 | Social Comments by Heateor | 35 | 285 | 35 | 700 | | | Unsafe printing function |
| #1932 | Hippoo Mobile App for WooCommerce | 35 | 5 | 92 | 1k+ | | | Direct Query |
| #1933 | HivePress – Business Directory, Listings & Classified Ads Plugin | 35 | 38 | 180 | 10k+ | | | Direct Query |
| #1934 | HookMeUp for WooCommerce | 35 | 59 | 29 | 10k+ | | | Output is not escaped |
| #1935 | Hyve Lite – AI Chatbot, ChatGPT-Powered Conversational Support | 35 | 1 | 40 | 7k+ | | | Direct Query |
| #1936 | ImageMagick Engine | 35 | 63 | 29 | 60k+ | | | Unsafe printing function |
| #1937 | Import Users & Customers with Meta \| WP Ultimate CSV Importer Add-on | 35 | 27 | 140 | 5k+ | | | Interpolated SQL is not prepared |
| #1938 | Imsanity | 35 | 32 | 29 | 200k+ | | | Direct Query |
| #1939 | InPost PL | 35 | 2 | 925 | 10k+ | | | Non-prefixed global variable |
| #1940 | Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts | 35 | 64 | 91 | 60k+ | | | Output is not escaped |
| #1941 | Social Feed Gallery | 35 | 104 | 52 | 80k+ | | | Text Domain Mismatch |
| #1942 | Instapage Plugin | 35 | 220 | 45 | 5k+ | | | Output is not escaped |
| #1943 | IntenseDebate Comments | 35 | 203 | 114 | 500 | | | Output is not escaped |
| #1944 | IP Based Login | 35 | 179 | 146 | 600 | | | Output is not escaped |
| #1945 | iPages – FlipBook Image & PDF Viewer | 35 | 467 | 177 | 2k+ | | | Text Domain Mismatch |
| #1946 | Jarvis | 35 | 10 | 19 | 500 | | | Input is not validated |
| #1947 | Static Site Exporter | 35 | 54 | 25 | 500 | | | file system operations mkdir |
| #1948 | JWT Auth – WordPress JSON Web Token Authentication | 35 | 14 | 18 | 6k+ | | | Output is not escaped |
| #1949 | KBoard 위젯 – 워드프레스 게시판 | 35 | 53 | 32 | 3k+ | | | Output is not escaped |
| #1950 | Kirki – Freeform Page Builder, Website Builder & Customizer | 35 | 1 | 773 | 500k+ | | | Nonce verification recommended |