WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2051 | Wholesale Suite – B2B, Dynamic Pricing & WooCommerce Wholesale Prices | 35 | 22 | 52 | 20k+ | Direct Query | ||
| #2052 | Wooplatnica | 35 | 27 | 24 | 400 | Non-prefixed class | ||
| #2053 | Access Areas for WordPress | 35 | 17 | 95 | 400 | Direct Query | ||
| #2054 | WP Associate Post R2 | 35 | 259 | 86 | 3k+ | Output is not escaped | ||
| #2055 | WP Cassify | 35 | 106 | 143 | 700 | Missing nonce verification | ||
| #2056 | Custom Body Class | 35 | 39 | 101 | 10k+ | Non-prefixed global variable | ||
| #2057 | WP Dark Mode – Improve Accessibility with AI Powered Dark Theme | 35 | 20 | 160 | 20k+ | Non-prefixed global variable | ||
| #2058 | WP Datepicker | 35 | 225 | 181 | 7k+ | Output is not escaped | ||
| #2059 | Database Backup for WordPress | 35 | 128 | 88 | 70k+ | Output is not escaped | ||
| #2060 | Mail logging – WP Mail Catcher | 35 | 232 | 157 | 20k+ | Text Domain Mismatch | ||
| #2061 | WP Open Street Map | 35 | 59 | 111 | 3k+ | Input is not validated | ||
| #2062 | WP-PageNavi | 35 | 84 | 95 | 500k+ | Non Singular String Literal Domain | ||
| #2063 | WP-Persian | 35 | 144 | 37 | 7k+ | Unsafe printing function | ||
| #2064 | WP-PostViews | 35 | 132 | 64 | 100k+ | Unsafe printing function | ||
| #2065 | WP All Import – Property Import for WP Residence | 35 | 41 | 32 | 700 | Output is not escaped | ||
| #2066 | video carousel slider with lightbox | 35 | 350 | 136 | 1k+ | Output is not escaped | ||
| #2067 | WP Store Locator | 35 | 26 | 14 | 50k+ | wp function not compatible with requires wp | ||
| #2068 | WP System Information | 35 | 237 | 30 | 700 | Text Domain Mismatch | ||
| #2069 | Integration for WooCommerce and QuickBooks | 35 | 263 | 125 | 1k+ | Output is not escaped | ||
| #2070 | WPCore Plugin Manager | 35 | 118 | 38 | 9k+ | Text Domain Mismatch | ||
| #2071 | WP Views Counter | 35 | 81 | 42 | 2k+ | Output is not escaped | ||
| #2072 | WPFront User Role Editor | 35 | 333 | 578 | 30k+ | Output is not escaped | ||
| #2073 | wpLingua – Automatic translation – Translate and make website multilingual | 35 | 79 | 167 | 2k+ | Nonce verification recommended | ||
| #2074 | WPPerformanceTester | 35 | 94 | 44 | 1k+ | Output is not escaped | ||
| #2075 | WPZOOM Addons for Elementor – Starter Templates & Widgets | 35 | 160 | 130 | 20k+ | Output is not escaped | ||
| #2076 | WPZOOM Forms – Drag & Drop Contact Form Builder for WordPress | 35 | 74 | 109 | 10k+ | Nonce verification recommended | ||
| #2077 | WPZOOM Portfolio Lite – Filterable Portfolio Plugin | 35 | 42 | 92 | 20k+ | Non-prefixed global variable | ||
| #2078 | xili-tidy-tags | 35 | 224 | 157 | 1k+ | Output is not escaped | ||
| #2079 | Yabe Webfont – Use Custom Fonts, Google Fonts or Adobe Fonts | 35 | 48 | 114 | 5k+ | Non-prefixed hook name | ||
| #2080 | Yes/No Chart | 35 | 136 | 139 | 2k+ | Unsafe printing function | ||
| #2081 | Year Make Model Search for WooCommerce | 35 | 188 | 162 | 1k+ | Output is not escaped | ||
| #2082 | Yotpo: Product & Photo Reviews for WooCommerce | 35 | 24 | 189 | 2k+ | Non-prefixed function | ||
| #2083 | Embeds for YouTube | 35 | 255 | 307 | 10k+ | Non-prefixed global variable | ||
| #2084 | Ziina | 35 | 10 | 25 | 2k+ | Input is not sanitized | ||
| #2085 | Product Labels For Woocommerce (Sale Badges) | 36 | 90 | 48 | 10k+ | Output is not escaped | ||
| #2086 | Advanced Export for WP & WPMU | 36 | 124 | 55 | 700 | Output is not escaped | ||
| #2087 | SOOZ – AI for SEO – Bulk Generate Focus Keyphrases, Metadata, Alt Text (SEO Autopilot) | 36 | 4 | 342 | 2k+ | Nonce verification recommended | ||
| #2088 | Bard Extra | 36 | 159 | 75 | 700 | Text Domain Mismatch | ||
| #2089 | Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder | 36 | 3 | 322 | 10k+ | Nonce verification recommended | ||
| #2090 | Blaze Demo Importer | 36 | 101 | 94 | 8k+ | Output is not escaped | ||
| #2091 | BlockStrap Page Builder – Bootstrap Blocks | 36 | 81 | 89 | 2k+ | Missing direct file access protection | ||
| #2092 | BP Disable Activation Reloaded | 36 | 147 | 28 | 800 | Output is not escaped | ||
| #2093 | BP Group Documents | 36 | 27 | 195 | 600 | Non-prefixed global variable | ||
| #2094 | BP Profile Search | 36 | 321 | 85 | 5k+ | Output is not escaped | ||
| #2095 | WOLF – WordPress Posts Bulk Editor and Manager Professional | 36 | 1 | 574 | 4k+ | Request data is not unslashed | ||
| #2096 | Bulk Post Update Date | 36 | 96 | 66 | 10k+ | Unsafe printing function | ||
| #2097 | Better WordPress Recent Comments | 36 | 319 | 69 | 600 | Text Domain Mismatch | ||
| #2098 | Carousel Horizontal Posts Content Slider | 36 | 271 | 59 | 2k+ | Text Domain Mismatch | ||
| #2099 | Simple SEO | 36 | 164 | 113 | 10k+ | Non Singular String Literal Domain | ||
| #2100 | Multi Step for Contact Form 7 | 36 | 61 | 106 | 10k+ | Missing nonce verification |