WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2201 | WP Header Images | 36 | 174 | 133 | 6k+ | Unsafe printing function | ||
| #2202 | WP Mail | 36 | 202 | 201 | 500 | Output is not escaped | ||
| #2203 | WP Hardening (discontinued) | 36 | 230 | 85 | 10k+ | Text Domain Mismatch | ||
| #2204 | WP Sort Order | 36 | 134 | 211 | 6k+ | Direct Query | ||
| #2205 | WP Super Edit | 36 | 35 | 185 | 2k+ | Nonce verification recommended | ||
| #2206 | WPAvatar | 36 | 425 | 45 | 700 | Unsafe printing function | ||
| #2207 | WP fail2ban Blocklist | 36 | 61 | 63 | 3k+ | SQL query is not prepared | ||
| #2208 | WPLMS H5P | 36 | 111 | 106 | 1k+ | Text Domain Mismatch | ||
| #2209 | Wppao Sitemap | 36 | 128 | 21 | 9k+ | Output is not escaped | ||
| #2210 | wpShopGermany IT-RECHT KANZLEI | 36 | 37 | 47 | 500 | Input is not sanitized | ||
| #2211 | Database Snapshots – WPvivid | 36 | 66 | 108 | 1k+ | Direct Query | ||
| #2212 | YayExtra – WooCommerce Extra Product Options | 36 | 11 | 472 | 1k+ | Non-prefixed global variable | ||
| #2213 | Visual CSS Style Editor | 36 | 283 | 233 | 40k+ | Output is not escaped | ||
| #2214 | Custom Product Tabs for WooCommerce | 36 | 87 | 81 | 80k+ | Output is not escaped | ||
| #2215 | Zeno – AI-Powered Chatbot | 36 | 311 | 131 | 500 | Text Domain Mismatch | ||
| #2216 | Redirectioner | 37 | 234 | 410 | 1k+ | Output is not escaped | ||
| #2217 | Advanced Accordion Gutenberg Block – Create Beautiful FAQs, Content Accordions & Interactive Tabs | 37 | 40 | 36 | 10k+ | Missing direct file access protection | ||
| #2218 | AJAX Hits Counter + Popular Posts Widget | 37 | 247 | 44 | 1k+ | Output is not escaped | ||
| #2219 | Anything Popup | 37 | 164 | 185 | 2k+ | Non-prefixed global variable | ||
| #2220 | Async JavaScript | 37 | 357 | 79 | 70k+ | Unsafe printing function | ||
| #2221 | avalex – Automatisch sichere Rechtstexte | 37 | 25 | 85 | 1k+ | Direct Query | ||
| #2222 | Avatar Privacy | 37 | 82 | 36 | 1k+ | Missing direct file access protection | ||
| #2223 | Random Posts and Pages Widget | 37 | 322 | 15 | 1k+ | Output is not escaped | ||
| #2224 | Banhammer – Monitor Site Traffic, Block Bad Users and Bots | 37 | 104 | 174 | 1k+ | Output is not escaped | ||
| #2225 | bunny.net – WordPress CDN Plugin | 37 | 165 | 159 | 10k+ | Output is not escaped | ||
| #2226 | Contact Zalo Report SW | 37 | 44 | 39 | 900 | Missing Arg Domain | ||
| #2227 | Call Now Button – The #1 Click to Call Button for WordPress | 37 | 1,273 | 5 | 200k+ | Exception output is not escaped | ||
| #2228 | Carousel Upsells and Related Product for Woocommerce | 37 | 173 | 35 | 1k+ | Output is not escaped | ||
| #2229 | ClickRank – Ai SEO Automation | 37 | 10 | 226 | 1k+ | Direct Query | ||
| #2230 | CodePeople Post Map for Google Maps | 37 | 257 | 31 | 3k+ | Unsafe printing function | ||
| #2231 | Lightweight Subscribe To Comments | 37 | 105 | 70 | 1k+ | Unsafe printing function | ||
| #2232 | Constant Contact Forms by MailMunch | 37 | 147 | 53 | 2k+ | wp function not compatible with requires wp | ||
| #2233 | CookieAdmin – Cookie Consent Banner | 37 | 43 | 86 | 400k+ | Nonce verification recommended | ||
| #2234 | CorvusPay WooCommerce Payment Gateway | 37 | 29 | 141 | 1k+ | Missing nonce verification | ||
| #2235 | Crafty Social Buttons | 37 | 279 | 27 | 1k+ | Non Singular String Literal Domain | ||
| #2236 | Simple Custom CSS and JS | 37 | 168 | 69 | 600k+ | Output is not escaped | ||
| #2237 | Customer Email Verification for WooCommerce | 37 | 165 | 164 | 2k+ | Nonce verification recommended | ||
| #2238 | Debug Log Viewer | 37 | 26 | 83 | 1k+ | Missing nonce verification | ||
| #2239 | Disclaimer Popup | 37 | 313 | 53 | 1k+ | Text Domain Mismatch | ||
| #2240 | Donation Block For PayPal | 37 | 23 | 106 | 600 | Input is not validated | ||
| #2241 | Pricing Table WordPress Plugin – Easy Pricing Tables | 37 | 332 | 161 | 10k+ | Output is not escaped | ||
| #2242 | Easy Testimonial Slider and Form | 37 | 14 | 144 | 700 | Request data is not unslashed | ||
| #2243 | Eazy CF Captcha | 37 | 93 | 54 | 500 | Text Domain Mismatch | ||
| #2244 | Encyclopedia / Glossary / Wiki | 37 | 263 | 48 | 1k+ | Output is not escaped | ||
| #2245 | Excerpt Editor | 37 | 170 | 142 | 500 | Unsafe printing function | ||
| #2246 | Exploit Scanner | 37 | 25 | 130 | 8k+ | Non-prefixed global variable | ||
| #2247 | Favorites | 37 | 204 | 121 | 10k+ | Unsafe printing function | ||
| #2248 | Get Custom Field Values | 37 | 40 | 44 | 1k+ | Output is not escaped | ||
| #2249 | 果果推送 | 37 | 31 | 56 | 1k+ | Nonce verification recommended | ||
| #2250 | GHL Gravity Bridge – Send Gravity Forms leads to GHL CRM | 37 | 59 | 269 | 600 | Direct Query |