WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2101 | Conditional Payments for WooCommerce | 36 | 292 | 184 | 10k+ | Text Domain Mismatch | ||
| #2102 | Conditional Shipping for WooCommerce | 36 | 93 | 196 | 10k+ | Non-prefixed global variable | ||
| #2103 | Continuous Image Carousel With Lightbox | 36 | 255 | 129 | 1k+ | Output is not escaped | ||
| #2104 | CP Blocks | 36 | 46 | 38 | 1k+ | wp function not compatible with requires wp | ||
| #2105 | Crelly Slider | 36 | 421 | 185 | 10k+ | Unsafe printing function | ||
| #2106 | CSH Login | 36 | 126 | 41 | 500 | Output is not escaped | ||
| #2107 | Custom Category Post Order | 36 | 80 | 83 | 500 | Text Domain Mismatch | ||
| #2108 | Dashboard Widgets Suite | 36 | 206 | 124 | 4k+ | Output is not escaped | ||
| #2109 | Database Collation Fix | 36 | 50 | 32 | 1k+ | Output is not escaped | ||
| #2110 | Desktop Mode | 36 | 1 | 587 | 2k+ | Direct Query | ||
| #2111 | Doneren met Mollie | 36 | 420 | 351 | 4k+ | SQL query is not prepared | ||
| #2112 | Duplicate Post – duplicate pages, copy content, clone posts | 36 | 71 | 81 | 5k+ | wp function not compatible with requires wp | ||
| #2113 | Dynamic Copyright Year | 36 | 972 | 43 | 800 | Output is not escaped | ||
| #2114 | Dynamic Front-End Heartbeat Control | 36 | 217 | 111 | 1k+ | Text Domain Mismatch | ||
| #2115 | Dynamic Visibility for Elementor | 36 | 56 | 89 | 50k+ | Non-prefixed hook name | ||
| #2116 | WP CTA – Call Now Button, Sticky Button & Call to Action Builder | 36 | 1 | 433 | 2k+ | Non-prefixed global variable | ||
| #2117 | Easy Support Videos – Embed videos in the admin | 36 | 160 | 95 | 500 | Output is not escaped | ||
| #2118 | Enhanced Media Library | 36 | 361 | 117 | 60k+ | Unsafe printing function | ||
| #2119 | Enormail Sign Up Forms | 36 | 133 | 126 | 400 | Output is not escaped | ||
| #2120 | Events Manager and WPML Compatibility | 36 | 101 | 177 | 1k+ | Direct Query | ||
| #2121 | FreePay for WooCommerce | 36 | 114 | 102 | 400 | Output is not escaped | ||
| #2122 | Friendly Functions for Welcart | 36 | 311 | 83 | 1k+ | Non Singular String Literal Domain | ||
| #2123 | Genesis Sandbox Featured Content Widget | 36 | 229 | 24 | 1k+ | Text Domain Mismatch | ||
| #2124 | GetPaid > Wallet | 36 | 149 | 174 | 700 | Text Domain Mismatch | ||
| #2125 | Google SEO Pressor for Rich snippets | 36 | 51 | 160 | 400 | Missing nonce verification | ||
| #2126 | Google Webfont Optimizer | 36 | 45 | 49 | 700 | Output is not escaped | ||
| #2127 | Header Footer Script Adder – Insert Code in Header, Body & Footer | 36 | 203 | 78 | 1k+ | Text Domain Mismatch | ||
| #2128 | Header Footer Code Manager | 36 | 81 | 180 | 600k+ | Non-prefixed global variable | ||
| #2129 | Optimize Social Share | 36 | 203 | 61 | 3k+ | Unsafe printing function | ||
| #2130 | HTML Forms – Simple WordPress Forms Plugin | 36 | 231 | 166 | 10k+ | Output is not escaped | ||
| #2131 | HTTP Requests Manager | 36 | 98 | 90 | 1k+ | Output is not escaped | ||
| #2132 | IntelliWidget Per Page Custom Menus and Dynamic Content | 36 | 586 | 162 | 600 | Output is not escaped | ||
| #2133 | Italy Cookie Choices (for EU Cookie Law & Cookie Notice) | 36 | 115 | 77 | 10k+ | Unsafe printing function | ||
| #2134 | Lara's Google Analytics (GA4) | 36 | 303 | 57 | 9k+ | Unsafe printing function | ||
| #2135 | Legal Text Connector of the IT-Recht Kanzlei | 36 | 45 | 46 | 10k+ | Exception output is not escaped | ||
| #2136 | Libro de Reclamaciones y Quejas | 36 | 266 | 124 | 4k+ | Text Domain Mismatch | ||
| #2137 | LONG URL MAKER | 36 | 39 | 71 | 1k+ | Direct Query | ||
| #2138 | LocalWeb All In One | 36 | 34 | 297 | 5k+ | Non-prefixed global variable | ||
| #2139 | MailMunch – Grow your Email List | 36 | 102 | 49 | 6k+ | Output is not escaped | ||
| #2140 | Manage Notification E-mails | 36 | 129 | 98 | 100k+ | Non-prefixed function | ||
| #2141 | Materialis Companion | 36 | 129 | 67 | 6k+ | Unsafe printing function | ||
| #2142 | Media Deduper | 36 | 60 | 99 | 9k+ | Missing Arg Domain | ||
| #2143 | Microsoft Clarity | 36 | 48 | 163 | 200k+ | Nonce verification recommended | ||
| #2144 | Multiple Sidebars | 36 | 109 | 75 | 600 | Non Singular String Literal Domain | ||
| #2145 | News Manager | 36 | 134 | 57 | 600 | Output is not escaped | ||
| #2146 | NextGEN Custom Fields | 36 | 215 | 131 | 1k+ | SQL query is not prepared | ||
| #2147 | MailerLite – Signup forms (official) | 36 | 430 | 158 | 100k+ | Output is not escaped | ||
| #2148 | We’re Open! | 36 | 273 | 187 | 5k+ | Unsafe printing function | ||
| #2149 | Order Status History for WooCommerce | 36 | 210 | 171 | 1k+ | Output is not escaped | ||
| #2150 | Ovation Elements | 36 | 23 | 399 | 10k+ | Non-prefixed global variable |