WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
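The three fixes above in one plugin file, as an added example that is not taken from this page or from any listed plugin. The `myplugin_` prefix, the `myplugin_events` table and the `myplugin_db_version` option are hypothetical names; the WordPress functions are core APIs.

```php
<?php
// Added example. The myplugin_ prefix and the myplugin_events table are hypothetical.
define( 'MYPLUGIN_DB_VERSION', '1' );
// Prepared, cached read: dynamic values go through prepare(), repeat reads hit the cache.
function myplugin_get_events( $user_id ) {
	global $wpdb;
	$user_id = absint( $user_id );
	$rows    = wp_cache_get( "events_{$user_id}", 'myplugin' );
	if ( false === $rows ) {
		$rows = $wpdb->get_results(
			$wpdb->prepare(
				"SELECT id, label FROM {$wpdb->prefix}myplugin_events WHERE user_id = %d ORDER BY id DESC LIMIT 20",
				$user_id
			)
		);
		wp_cache_set( "events_{$user_id}", $rows, 'myplugin', 5 * MINUTE_IN_SECONDS );
	}
	return $rows;
}
// Write path: insert() applies the formats itself; drop the cached read afterwards.
function myplugin_add_event( $user_id, $label ) {
	global $wpdb;
	$user_id = absint( $user_id );
	$ok      = $wpdb->insert(
		$wpdb->prefix . 'myplugin_events',
		array( 'user_id' => $user_id, 'label' => sanitize_text_field( $label ) ),
		array( '%d', '%s' )
	);
	wp_cache_delete( "events_{$user_id}", 'myplugin' );
	return false !== $ok;
}
// Idempotent schema routine: the version check and dbDelta() make repeat runs no-ops.
function myplugin_install_schema() {
	global $wpdb;
	if ( MYPLUGIN_DB_VERSION === get_option( 'myplugin_db_version' ) ) {
		return;
	}
	require_once ABSPATH . 'wp-admin/includes/upgrade.php';
	dbDelta( "CREATE TABLE {$wpdb->prefix}myplugin_events (
		id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
		user_id bigint(20) unsigned NOT NULL,
		label varchar(191) NOT NULL,
		PRIMARY KEY  (id),
		KEY user_id (user_id)
	) {$wpdb->get_charset_collate()};" );
	update_option( 'myplugin_db_version', MYPLUGIN_DB_VERSION );
}
register_activation_hook( __FILE__, 'myplugin_install_schema' );
add_action( 'plugins_loaded', 'myplugin_install_schema' ); // upgrade path
```

Without a persistent object cache installed, `wp_cache_set()` only lasts for the current request, so the read is deduplicated per page load rather than across requests.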
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #2301 | Time Clock – A WordPress Employee & Volunteer Time Clock Plugin | 37 | 166 | 107 | 500 | Output is not escaped |
| #2302 | Tracking Code Manager | 37 | 55 | 42 | 90k+ | Output is not escaped |
| #2303 | Tracking Script Manager | 37 | 82 | 57 | 2k+ | Non Singular String Literal Domain |
| #2304 | Ultimate WordPress Auction Plugin | 37 | 623 | 146 | 1k+ | Text Domain Mismatch |
| #2305 | User Meta Display | 37 | 78 | 74 | 500 | Output is not escaped |
| #2306 | UsersWP – Social Login | 37 | 299 | 91 | 2k+ | Text Domain Mismatch |
| #2307 | ValidateCertify Free | 37 | 123 | 97 | 1k+ | Text Domain Mismatch |
| #2308 | Featured Video for WordPress – VideographyWP | 37 | 287 | 93 | 1k+ | Unsafe printing function |
| #2309 | Views for WPForms – Display & Edit WPForms Entries on your site frontend | 37 | 80 | 64 | 1k+ | Output is not escaped |
| #2310 | Weather Atlas Widget | 37 | 630 | 111 | 9k+ | Output is not escaped |
| #2311 | Affiliate Sales in Google Analytics and other tools | 37 | 24 | 84 | 1k+ | Request data is not unslashed |
| #2312 | Widget Box Lite | 37 | 318 | 17 | 900 | Output is not escaped |
| #2313 | Conditional Discounts for WooCommerce – A simple yet complete woocommerce dynamic pricing plugin | 37 | 99 | 33 | 10k+ | Text Domain Mismatch |
| #2314 | Piraeus Bank WooCommerce Payment Gateway | 37 | 146 | 104 | 3k+ | Non Singular String Literal Domain |
| #2315 | Viva Payments – Viva Wallet WooCommerce Payment Gateway | 37 | 33 | 33 | 1k+ | curl curl setopt |
| #2316 | Variation Swatches for WooCommerce | 37 | 92 | 103 | 10k+ | Output is not escaped |
| #2317 | Xendit Payment | 37 | 3 | 197 | 3k+ | Missing nonce verification |
| #2318 | Amazon Pay for WooCommerce | 37 | 29 | 117 | 20k+ | Non-prefixed class |
| #2319 | WP WooCommerce Mailchimp | 37 | 62 | 85 | 6k+ | Non-prefixed hook name |
| #2320 | WooCommerce PayPal Payments | 37 | 194 | 110 | 800k+ | Exception output is not escaped |
| #2321 | Quickpay for WooCommerce | 37 | 66 | 56 | 4k+ | Nonce verification recommended |
| #2322 | Wordable – Export Google Docs to WordPress | 37 | 47 | 63 | 2k+ | Output is not escaped |
| #2323 | Hustle – Email Marketing, Lead Generation, Optins, Popups | 37 | 4,874 | 5,942 | 90k+ | Non-prefixed global variable |
| #2324 | Fix Media Library | 37 | 53 | 71 | 1k+ | Output is not escaped |
| #2325 | WP Category Permalink | 37 | 75 | 31 | 2k+ | Output is not escaped |
| #2326 | WP-Cron Control | 37 | 54 | 22 | 1k+ | Output is not escaped |
| #2327 | WP Export Categories & Taxonomies | 37 | 169 | 35 | 500 | Output is not escaped |
| #2328 | WPForce Logout – WordPress User Login Logout Management Plugin | 37 | 567 | 32 | 8k+ | Output is not escaped |
| #2329 | WP Flow Plus | 37 | 175 | 146 | 800 | Output is not escaped |
| #2330 | Persistent Login | 37 | 338 | 108 | 6k+ | Unsafe printing function |
| #2331 | WP Plugin Info Card | 37 | 53 | 376 | 500 | Nonce verification recommended |
| #2332 | WP Show Stats | 37 | 197 | 103 | 400 | Output is not escaped |
| #2333 | Special Text Boxes | 37 | 39 | 42 | 2k+ | Direct Query |
| #2334 | TopNewsWp – Display Tikcer News, RSS Feed Widget and Many More | 37 | 878 | 59 | 800 | Output is not escaped |
| #2335 | WP VR – 360 Panorama and Virtual Tour Builder | 37 | 3 | 275 | 10k+ | Non-prefixed hook name |
| #2336 | XT Visitor Counter | 37 | 177 | 52 | 7k+ | Output is not escaped |
| #2337 | Yada Wiki | 37 | 207 | 45 | 2k+ | Text Domain Mismatch |
| #2338 | YOURLS Link Creator | 37 | 196 | 39 | 500 | Text Domain Mismatch |
| #2339 | Zoho Marketing Automation | 37 | 24 | 194 | 1k+ | Non-prefixed global variable |
| #2340 | Accessibility | 38 | 66 | 61 | 1k+ | Non-prefixed global variable |
| #2341 | Action Scheduler | 38 | 92 | 134 | 20k+ | Exception output is not escaped |
| #2342 | Admin Management Xtended | 38 | 280 | 161 | 5k+ | Output is not escaped |
| #2343 | Advanced 301 and 302 Redirect | 38 | 81 | 339 | 1k+ | Non-prefixed global variable |
| #2344 | Alphabetic Pagination | 38 | 144 | 117 | 500 | Unsafe printing function |
| #2345 | Anant Sites — Elementor & Gutenberg Readymade Template Library Free & Pro Templates | 38 | 20 | 156 | 1k+ | Non-prefixed global variable |
| #2346 | Activity Log – Monitor & Record User Changes | 38 | 81 | 149 | 200k+ | Nonce verification recommended |
| #2347 | Ashe Extra | 38 | 109 | 54 | 3k+ | Text Domain Mismatch |
| #2348 | Autologin Links | 38 | 73 | 74 | 8k+ | Output is not escaped |
| #2349 | Automatic Post Tagger | 38 | 592 | 307 | 2k+ | Output is not escaped |
| #2350 | Blogger Importer | 38 | 44 | 39 | 50k+ | Output is not escaped |