WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
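The three fixes above, combined in one sketch. This is an added example, not code from Plugin Check or from any plugin listed on this page; the `myplugin_*` function names, the `myplugin_log` table and the `myplugin` cache group are hypothetical.

```php
<?php
// Added illustration; myplugin_* names, the table and the cache group are hypothetical.
// Schema change in an activation routine (assumes this is the main plugin file).
// dbDelta() diffs against the existing table, so re-running it is idempotent.
function myplugin_install_schema() {
	global $wpdb;
	require_once ABSPATH . 'wp-admin/includes/upgrade.php';
	$charset = $wpdb->get_charset_collate();
	dbDelta(
		"CREATE TABLE {$wpdb->prefix}myplugin_log (
			id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
			user_id bigint(20) unsigned NOT NULL,
			status varchar(20) NOT NULL,
			PRIMARY KEY  (id),
			KEY user_status (user_id,status)
		) {$charset};"
	);
}
register_activation_hook( __FILE__, 'myplugin_install_schema' );

// Direct read: dynamic values are bound through $wpdb->prepare(), and the
// result is kept in the object cache so repeated reads skip the database.
function myplugin_count_entries( $user_id, $status ) {
	global $wpdb;
	$user_id   = absint( $user_id );
	$status    = sanitize_key( $status );
	$cache_key = "count_{$user_id}_{$status}";
	$count     = wp_cache_get( $cache_key, 'myplugin' );
	if ( false === $count ) {
		$count = (int) $wpdb->get_var(
			$wpdb->prepare(
				"SELECT COUNT(*) FROM {$wpdb->prefix}myplugin_log WHERE user_id = %d AND status = %s",
				$user_id,
				$status
			)
		);
		wp_cache_set( $cache_key, $count, 'myplugin', 5 * MINUTE_IN_SECONDS );
	}
	return (int) $count;
}

// Writes invalidate the cached count so readers do not see stale data.
function myplugin_add_entry( $user_id, $status ) {
	global $wpdb;
	$user_id = absint( $user_id );
	$status  = sanitize_key( $status );
	$wpdb->insert( "{$wpdb->prefix}myplugin_log", array( 'user_id' => $user_id, 'status' => $status ), array( '%d', '%s' ) );
	wp_cache_delete( "count_{$user_id}_{$status}", 'myplugin' );
}
```

Both the read and the write normalize their inputs the same way before building the cache key, so the key that is deleted on insert is always the key that was cached on read.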
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #1951 | Lead Form Builder & Contact Form | 35 | 400 | 345 | 9k+ | Output is not escaped |
| #1952 | Lead Generation Form | 35 | 21 | 63 | 600 | Non-prefixed global variable |
| #1953 | Log HTTP Requests | 35 | 7 | 18 | 2k+ | Interpolated SQL is not prepared |
| #1954 | Login Page Styler – Custom WordPress Login Page Customizer & Security | 35 | 125 | 168 | 2k+ | Missing Arg Domain |
| #1955 | Mail Queue | 35 | 22 | 77 | 900 | Direct Query |
| #1956 | MapSVG – Vector maps, Image maps, Google Maps | 35 | 74 | 47 | 1k+ | Missing direct file access protection |
| #1957 | Mark Posts | 35 | 30 | 34 | 1k+ | Output is not escaped |
| #1958 | Marquee image crawler | 35 | 168 | 136 | 700 | Non-prefixed global variable |
| #1959 | Mechanic Visitor Counter | 35 | 240 | 66 | 7k+ | Output is not escaped |
| #1960 | Media Credit | 35 | 28 | 35 | 1k+ | Non-prefixed global variable |
| #1961 | MeetingHub – Webinar & Meeting Plugin for Zoom, Google Meet, Webex, Microsoft Teams, & Jitsi Meet | 35 | 33 | 289 | 400 | Non-prefixed global variable |
| #1962 | Restaurant Menu – Food Ordering System – Table Reservation | 35 | 317 | 186 | 8k+ | Unsafe printing function |
| #1963 | MONEI Payments for WooCommerce | 35 | 15 | 65 | 500 | Non-prefixed hook name |
| #1964 | AI Product Search for WooCommerce – Motive Commerce Search | 35 | 70 | 82 | 400 | Missing direct file access protection |
| #1965 | Moyasar | 35 | 436 | 128 | 700 | Text Domain Mismatch |
| #1966 | Hide from Search | 35 | 5 | 8 | 3k+ | Missing direct file access protection |
| #1967 | Never Let Me Go | 35 | 34 | 47 | 400 | Non-prefixed global variable |
| #1968 | NGG Smart Image Search | 35 | 298 | 155 | 400 | Output is not escaped |
| #1969 | Nginx Cache Controller | 35 | 79 | 96 | 1k+ | Text Domain Mismatch |
| #1970 | Ni WooCommerce Sales Report | 35 | 236 | 256 | 500 | Text Domain Mismatch |
| #1971 | Nooz | 35 | 287 | 108 | 500 | Text Domain Mismatch |
| #1972 | Noted! | 35 | 5 | 22 | 1k+ | Non-prefixed global variable |
| #1973 | NS Cloner – Site Copier | 35 | 29 | 16 | 7k+ | Missing direct file access protection |
| #1974 | Fonts Plugin \| Google Fonts, Adobe Fonts & Upload Fonts | 35 | 41 | 8 | 200k+ | Missing direct file access protection |
| #1975 | One Page Express Companion | 35 | 132 | 65 | 10k+ | Output is not escaped |
| #1976 | ONet Regenerate Thumbnails | 35 | 190 | 64 | 1k+ | Text Domain Mismatch |
| #1977 | OPcache Manager | 35 | 155 | 75 | 1k+ | Output is not escaped |
| #1978 | Orderable – Restaurant & Food Ordering System | 35 | 12 | 324 | 5k+ | Non-prefixed global variable |
| #1979 | Paybox WooCommerce Payment Gateway | 35 | 165 | 88 | 500 | Non Singular String Literal Domain |
| #1980 | Paytm Payment Gateway | 35 | 92 | 104 | 3k+ | Missing Arg Domain |
| #1981 | Perfecty Push Notifications | 35 | 204 | 213 | 4k+ | SQL query is not prepared |
| #1982 | Pixeline's Email Protector | 35 | 77 | 5 | 800 | Unsafe printing function |
| #1983 | Accept Cryptocurrencies with Plisio | 35 | 37 | 47 | 1k+ | Text Domain Mismatch |
| #1984 | Popular Posts | 35 | 166 | 71 | 900 | Unsafe printing function |
| #1985 | Popup with fancybox | 35 | 196 | 168 | 1k+ | Unsafe printing function |
| #1986 | Post Content Shortcodes | 35 | 205 | 56 | 2k+ | Output is not escaped |
| #1987 | Post Draft Preview | 35 | 49 | 69 | 700 | Text Domain Mismatch |
| #1988 | Posts Table with Search & Sort | 35 | 143 | 33 | 3k+ | Text Domain Mismatch |
| #1989 | Presto Player | 35 | 37 | 77 | 100k+ | Missing Arg Domain |
| #1990 | Product Input Fields for WooCommerce | 35 | 18 | 84 | 4k+ | Non-prefixed function |
| #1991 | Min Max Step Quantity Limits Manager for WooCommerce | 35 | 67 | 158 | 3k+ | Non-prefixed global variable |
| #1992 | Protect the Children! | 35 | 2 | 34 | 1k+ | Missing nonce verification |
| #1993 | Quran multilanguage Text & Audio | 35 | 177 | 166 | 500 | Output is not escaped |
| #1994 | ReactPress – Create React App for WordPress | 35 | 26 | 43 | 3k+ | Request data is not unslashed |
| #1995 | Real Time Validation for Gravity Forms | 35 | 185 | 30 | 2k+ | Output is not escaped |
| #1996 | Related Posts by Taxonomy | 35 | 131 | 97 | 10k+ | Output is not escaped |
| #1997 | Related Posts for WordPress | 35 | 207 | 180 | 10k+ | Output is not escaped |
| #1998 | ReOrder Posts within Categories | 35 | 39 | 207 | 7k+ | Non-prefixed global variable |
| #1999 | Reseller Store | 35 | 56 | 34 | 1k+ | Output is not escaped |
| #2000 | WP Responsive Tabs horizontal vertical and accordion Tabs | 35 | 598 | 212 | 2k+ | Output is not escaped |