WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
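The three fix points above applied together, as an added example (not code from Plugin Check or from any plugin in the table): a prepared and cached read, a write that invalidates that cache, and an idempotent schema change kept inside the activation hook. The `myplg_` prefix, the `myplg_events` table and its columns are assumed.

```php
<?php
// Added example; `myplg_` prefix and the `myplg_events` table are assumed, not from any listed plugin.

// Repeated read: direct SQL is kept, but the value is prepared and the result cached.
function myplg_count_events( int $post_id ): int {
    global $wpdb;

    $cache_key = 'event_count_' . $post_id;
    $count     = wp_cache_get( $cache_key, 'myplg' );
    if ( false !== $count ) {
        return (int) $count;
    }

    // Only $post_id is dynamic; the table name is built from $wpdb->prefix, not from input.
    $count = (int) $wpdb->get_var(
        $wpdb->prepare(
            "SELECT COUNT(*) FROM {$wpdb->prefix}myplg_events WHERE post_id = %d",
            $post_id
        )
    );

    wp_cache_set( $cache_key, $count, 'myplg', HOUR_IN_SECONDS );
    return $count;
}

// Every write invalidates the cached read so the cache never serves a stale count.
function myplg_record_event( int $post_id, string $type ): void {
    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'myplg_events',
        array( 'post_id' => $post_id, 'type' => $type ),
        array( '%d', '%s' )
    );
    wp_cache_delete( 'event_count_' . $post_id, 'myplg' );
}

// Schema change confined to activation; dbDelta() applies only the difference, so re-running is idempotent.
function myplg_activate(): void {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    $table = $wpdb->prefix . 'myplg_events';
    dbDelta( "CREATE TABLE {$table} (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        post_id bigint(20) unsigned NOT NULL,
        type varchar(32) NOT NULL,
        PRIMARY KEY  (id),
        KEY post_id (post_id)
    ) {$wpdb->get_charset_collate()};" );
}
register_activation_hook( __FILE__, 'myplg_activate' );
```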
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2251 | Get Custom Field Values | 37 | 40 | 44 | 1k+ | | | Output is not escaped |
| #2252 | 果果推送 | 37 | 31 | 56 | 1k+ | | | Nonce verification recommended |
| #2253 | GHL Gravity Bridge – Send Gravity Forms leads to GHL CRM | 37 | 59 | 269 | 600 | | | Direct Query |
| #2254 | Google for WooCommerce | 37 | 328 | 121 | 800k+ | | | Exception output is not escaped |
| #2255 | XML Sitemap Generator for Google | 37 | 43 | 79 | 1m+ | | | Input is not validated |
| #2256 | GoPay for WooCommerce | 37 | 66 | 103 | 1k+ | | | Non-prefixed global variable |
| #2257 | GS Portfolio for Envato | 37 | 155 | 75 | 4k+ | | | Text Domain Mismatch |
| #2258 | Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder | 37 | 83 | 113 | 20k+ | | | SQL query is not prepared |
| #2259 | HandL UTM Grabber / Tracker | 37 | 27 | 141 | 10k+ | | | Missing nonce verification |
| #2260 | Horizontal scrolling announcements | 37 | 215 | 140 | 8k+ | | | Output is not escaped |
| #2261 | Humans TXT | 37 | 159 | 86 | 400 | | | Output is not escaped |
| #2262 | Icegram Mailer – Reliable Email Deliverability, No-code SMTP Replacement & Email logs | 37 | 37 | 102 | 1k+ | | | Non-prefixed global variable |
| #2263 | JS Help Desk – AI-Powered Support & Ticketing System | 37 | 17 | 406 | 7k+ | | | Missing nonce verification |
| #2264 | Language Switcher | 37 | 81 | 105 | 1k+ | | | Missing Translators Comment |
| #2265 | LearnPress – Course Review | 37 | 67 | 43 | 20k+ | | | Output is not escaped |
| #2266 | Lightbox with PhotoSwipe | 37 | 179 | 24 | 20k+ | | | Output is not escaped |
| #2267 | LiveJournal Importer | 37 | 86 | 67 | 8k+ | | | Output is not escaped |
| #2268 | MailMunch – Grow your Email List | 37 | 82 | 84 | 6k+ | | | Output is not escaped |
| #2269 | Maintenance Page | 37 | 62 | 33 | 3k+ | | | Output is not escaped |
| #2270 | Media Sweep – WordPress Media Cleaner | 37 | 56 | 137 | 1k+ | | | Interpolated SQL is not prepared |
| #2271 | Metorik – Reports & Email Automation for WooCommerce | 37 | 75 | 70 | 10k+ | | | Output is not escaped |
| #2272 | CrawlWP SEO – Instant Search Engine Indexing & SEO Performance Monitor | 37 | 46 | 95 | 40k+ | | | Dynamic hook name |
| #2273 | My Post Order | 37 | 100 | 114 | 400 | | | Output is not escaped |
| #2274 | news ticker benaceur | 37 | 1,097 | 31 | 1k+ | | | Output is not escaped |
| #2275 | NextGEN Scroll Gallery | 37 | 33 | 28 | 1k+ | | | Output is not escaped |
| #2276 | Ninja Van (MY) | 37 | 21 | 258 | 1k+ | | | Non-prefixed global variable |
| #2277 | Sendle Shipping Plugin | 37 | 91 | 64 | 800 | | | wp function not compatible with requires wp |
| #2278 | Oliver POS – WooCommerce POS for iPhone, iPad & Android | 37 | 15 | 242 | 800 | | | Interpolated SQL is not prepared |
| #2279 | WP All Export – Order Export for WooCommerce | 37 | 109 | 111 | 3k+ | | | Text Domain Mismatch |
| #2280 | OSM – OpenStreetMap | 37 | 130 | 64 | 10k+ | | | Output is not escaped |
| #2281 | Page scroll to id | 37 | 38 | 120 | 100k+ | | | Missing nonce verification |
| #2282 | Panda Pods Repeater Field | 37 | 9 | 260 | 600 | | | Non-prefixed global variable |
| #2283 | Phoenix Media Rename | 37 | 175 | 104 | 50k+ | | | Output is not escaped |
| #2284 | PNG to JPG | 37 | 130 | 173 | 9k+ | | | Interpolated SQL is not prepared |
| #2285 | Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales | 37 | 59 | 64 | 2k+ | | | SQL query is not prepared |
| #2286 | Product Image Hover Effects WOOC – WPSHARE247 | 37 | 161 | 94 | 800 | | | Output is not escaped |
| #2287 | Publish to Schedule | 37 | 195 | 43 | 4k+ | | | Text Domain Mismatch |
| #2288 | Quentn WP | 37 | 4 | 251 | 500 | | | Nonce verification recommended |
| #2289 | Recent Posts Widget With Thumbnails | 37 | 222 | 46 | 100k+ | | | Output is not escaped |
| #2290 | RSS Image Feed | 37 | 147 | 16 | 2k+ | | | Output is not escaped |
| #2291 | Ryviu – Review Importer & Product Reviews | 37 | 72 | 95 | 1k+ | | | Output is not escaped |
| #2292 | Invoice123 | 37 | 138 | 98 | 400 | | | Text Domain Mismatch |
| #2293 | Send PDF for Contact Form 7 | 37 | 22 | 308 | 9k+ | | | Non-prefixed global variable |
| #2294 | Sensei LMS Certificates | 37 | 97 | 362 | 4k+ | | | Non-prefixed global variable |
| #2295 | Sezzle Woocommerce Payment | 37 | 108 | 105 | 1k+ | | | Text Domain Mismatch |
| #2296 | Snippet Shortcodes | 37 | 359 | 133 | 4k+ | | | Non Singular String Literal Domain |
| #2297 | Simple Image XML Sitemap | 37 | 119 | 16 | 1k+ | | | Output is not escaped |
| #2298 | Lightbox slider – Responsive Lightbox Gallery | 37 | 36 | 173 | 3k+ | | | Non-prefixed global variable |
| #2299 | Time Clock – A WordPress Employee & Volunteer Time Clock Plugin | 37 | 166 | 107 | 500 | | | Output is not escaped |
| #2300 | Tracking Code Manager | 37 | 55 | 42 | 90k+ | | | Output is not escaped |