WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2001 | Shipping Zones by Drawing for WooCommerce | 35 | 278 | 95 | 600 | Text Domain Mismatch | ||
| #2002 | ShopMagic Abandoned Cart Recovery for WooCommerce | 35 | 16 | 23 | 2k+ | Non-prefixed global variable | ||
| #2003 | Product Feed for Google Shopping, Microsoft Advertising and 40+ Channels for WooCommerce Merchant | 35 | 83 | 76 | 2k+ | Output is not escaped | ||
| #2004 | SHOPVOTE | 35 | 64 | 58 | 400 | curl curl setopt | ||
| #2005 | Simple Export Import for ACF Data | 35 | 19 | 64 | 1k+ | Request data is not unslashed | ||
| #2006 | Simple Image Sizes | 35 | 53 | 75 | 60k+ | Unsafe printing function | ||
| #2007 | Simple Yearly Archive | 35 | 102 | 36 | 6k+ | Unsafe printing function | ||
| #2008 | SiteGround Migrator | 35 | 113 | 74 | 70k+ | Missing Arg Domain | ||
| #2009 | Sky Login Redirect | 35 | 7 | 24 | 2k+ | Non-prefixed hook name | ||
| #2010 | Social Sharing Plugin – Social Warfare | 35 | 17 | 143 | 20k+ | Non-prefixed class | ||
| #2011 | Spacious Toolkit | 35 | 48 | 94 | 700 | Non-prefixed global variable | ||
| #2012 | Speedy Page Redirect | 35 | 6 | 10 | 1k+ | Output is not escaped | ||
| #2013 | Spots | 35 | 195 | 49 | 800 | Output is not escaped | ||
| #2014 | Sticky Chat Widget – Floating Chat Icons, Contact Form, Call, Click to Chat, Email & Message Buttons | 35 | 33 | 293 | 10k+ | Non-prefixed global variable | ||
| #2015 | StoreEngine — Complete eCommerce Solution with Memberships, Licensing, Affiliates & More | 35 | 519 | 600 | Non-prefixed global variable | |||
| #2016 | String locator | 35 | 52 | 319 | 100k+ | Non-prefixed global variable | ||
| #2017 | Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress | 35 | 106 | 145 | 500 | Non-prefixed global variable | ||
| #2018 | Tapfiliate | 35 | 35 | 49 | 400 | Nonce verification recommended | ||
| #2019 | TBThemes Theme Import | 35 | 84 | 48 | 400 | Text Domain Mismatch | ||
| #2020 | Starter Sites & Templates by Neve | 35 | 28 | 88 | 100k+ | Non-prefixed hook name | ||
| #2021 | Advance Product Search- Voice & Ajax Search for WooCommerce | 35 | 125 | 92 | 10k+ | Text Domain Mismatch | ||
| #2022 | The Courier Guy Shipping for WooCommerce | 35 | 57 | 107 | 3k+ | Missing nonce verification | ||
| #2023 | theMarketer – Email marketing, Newsletters, Automation & Loyalty for Woocommerce | 35 | 4 | 47 | 700 | Nonce verification recommended | ||
| #2024 | Two Factor Authentication | 35 | 108 | 139 | 20k+ | Output is not escaped | ||
| #2025 | Ultimate Post List | 35 | 186 | 84 | 2k+ | Missing Arg Domain | ||
| #2026 | Uptime Robot Plugin for WordPress | 35 | 398 | 324 | 600 | Text Domain Mismatch | ||
| #2027 | User Photo | 35 | 112 | 68 | 3k+ | Output is not escaped | ||
| #2028 | Video Grid | 35 | 253 | 106 | 1k+ | Output is not escaped | ||
| #2029 | Video Gallery | 35 | 336 | 178 | 600 | Output is not escaped | ||
| #2030 | Void Elementor Post Grid Addon for Elementor Page builder | 35 | 189 | 93 | 3k+ | Text Domain Mismatch | ||
| #2031 | W4 Post List | 35 | 50 | 138 | 3k+ | Non-prefixed global variable | ||
| #2032 | WC Cancel Order | 35 | 52 | 122 | 5k+ | Non-prefixed hook name | ||
| #2033 | Spreadconnect | 35 | 128 | 126 | 700 | Output is not escaped | ||
| #2034 | WC Ukraine Shipping – Integration of Nova Poshta and Ukrposhta for WooCommerce | 35 | 504 | 164 | 7k+ | Text Domain Mismatch | ||
| #2035 | Webflow Pages | 35 | 36 | 63 | 2k+ | Non Singular String Literal Domain | ||
| #2036 | wePOS – Point Of Sale (POS) for WooCommerce & Dokan | 35 | 47 | 66 | 2k+ | Output is not escaped | ||
| #2037 | Wired Impact Volunteer Management | 35 | 253 | 175 | 1k+ | Output is not escaped | ||
| #2038 | CardCom Payment Gateway | 35 | 201 | 84 | 3k+ | Text Domain Mismatch | ||
| #2039 | WP Courseware for WooCommerce | 35 | 55 | 49 | 1k+ | Text Domain Mismatch | ||
| #2040 | Backend Payments for WooCommerce | 35 | 63 | 42 | 900 | Exception output is not escaped | ||
| #2041 | DPD Baltic Shipping | 35 | 91 | 202 | 2k+ | Text Domain Mismatch | ||
| #2042 | Conversion Tracking for WooCommerce | 35 | 74 | 61 | 20k+ | Output is not escaped | ||
| #2043 | Japanized for WooCommerce | 35 | 6 | 68 | 10k+ | Non-prefixed class | ||
| #2044 | Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing | 35 | 49 | 230 | 40k+ | Non-prefixed hook name | ||
| #2045 | Payment Gateway for PayPal Pro & PayPal Checkout for WooCommerce | 35 | 67 | 147 | 2k+ | Request data is not unslashed | ||
| #2046 | Quaderno: Global Tax & Invoicing Automation for WooCommerce | 35 | 4 | 70 | 500 | Missing nonce verification | ||
| #2047 | Brevo for WooCommerce | 35 | 116 | 67 | 30k+ | Output is not escaped | ||
| #2048 | Wholesale Suite – B2B, Dynamic Pricing & WooCommerce Wholesale Prices | 35 | 22 | 52 | 20k+ | Direct Query | ||
| #2049 | Wooplatnica | 35 | 27 | 24 | 400 | Non-prefixed class | ||
| #2050 | Access Areas for WordPress | 35 | 17 | 95 | 400 | Direct Query |