WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #2401 | Taxonomy Images | 49 | 38 | 50 | 9k+ | Output is not escaped | ||
| #2402 | Users by Date Registered | 49 | 13 | 20 | 1k+ | Nonce verification recommended | ||
| #2403 | Was This Helpful? | 49 | 19 | 28 | 1k+ | Output is not escaped | ||
| #2404 | PDF Invoices & Packing Slips for WooCommerce – Challan | 49 | 56 | 151 | 3k+ | Non-prefixed global variable | ||
| #2405 | Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit | 49 | 5 | 145 | 1k+ | Missing nonce verification | ||
| #2406 | WP Sitemap Page | 49 | 43 | 14 | 200k+ | Missing Translators Comment | ||
| #2407 | Auto Ping Booster Free | 50 | 18 | 21 | 900 | Setting is missing a sanitization callback | ||
| #2408 | File Manager | 50 | 42 | 72 | 10k+ | Missing direct file access protection | ||
| #2409 | Send Emails with Mandrill | 50 | 36 | 141 | 6k+ | Non-prefixed global variable | ||
| #2410 | Server Info – System Health & Diagnostics Suite | 50 | 15 | 46 | 3k+ | Input is not sanitized | ||
| #2411 | Simple User Listing | 50 | 27 | 56 | 900 | Non-prefixed global variable | ||
| #2412 | Table Addons for Elementor | 50 | 92 | 29 | 20k+ | wp function not compatible with requires wp | ||
| #2413 | Theme Demo Import | 50 | 101 | 95 | 5k+ | Non-prefixed hook name | ||
| #2414 | BestWebSoft's Twitter | 50 | 477 | 174 | 900 | Text Domain Mismatch | ||
| #2415 | WPML Multilingual for BuddyPress and BuddyBoss | 51 | 18 | 21 | 6k+ | SQL query is not prepared | ||
| #2416 | Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress | 51 | 3 | 116 | 1k+ | Missing nonce verification | ||
| #2417 | Firelight Lightbox | 51 | 78 | 97 | 200k+ | Non-prefixed global variable | ||
| #2418 | Lite Video Embed | 51 | 35 | 7 | 1k+ | Output is not escaped | ||
| #2419 | OnSale Page for WooCommerce | 51 | 30 | 44 | 2k+ | Text Domain Mismatch | ||
| #2420 | Quotes and Tips by BestWebSoft | 51 | 485 | 190 | 1k+ | Text Domain Mismatch | ||
| #2421 | SePay Gateway | 51 | 12 | 39 | 2k+ | Nonce verification recommended | ||
| #2422 | Popular Brand Icons – Simple Icons | 51 | 20 | 12 | 3k+ | Output is not escaped | ||
| #2423 | Trustpilot Reviews | 51 | 14 | 52 | 30k+ | Missing nonce verification | ||
| #2424 | User Activity Tracking and Log | 51 | 28 | 237 | 3k+ | Non-prefixed global variable | ||
| #2425 | Swift SMTP (formerly Welcome Email Editor) | 51 | 12 | 62 | 7k+ | Missing nonce verification | ||
| #2426 | WP Counter Up – Animated Number Counter & Milestone Showcase | 51 | 18 | 239 | 1k+ | Non-prefixed global variable | ||
| #2427 | REST API Log | 51 | 44 | 95 | 5k+ | Non-prefixed hook name | ||
| #2428 | YayMail – WooCommerce Email Customizer | 51 | 163 | 788 | 50k+ | Non-prefixed global variable | ||
| #2429 | Fullscreen Galleria | 52 | 37 | 10 | 800 | Output is not escaped | ||
| #2430 | MB Custom Post Types & Custom Taxonomies | 52 | 9 | 49 | 10k+ | Nonce verification recommended | ||
| #2431 | Metronet Tag Manager | 52 | 17 | 36 | 20k+ | Input is not validated | ||
| #2432 | Post Notification by Email | 52 | 36 | 13 | 2k+ | Output is not escaped | ||
| #2433 | SEOWriting | 52 | 10 | 24 | 30k+ | Output is not escaped | ||
| #2434 | SKU Generator for WooCommerce | 52 | 29 | 12 | 2k+ | Output is not escaped | ||
| #2435 | Stealth Publish | 52 | 7 | 22 | 900 | Missing nonce verification | ||
| #2436 | Notiqoo – Order Notification & Customer Chat for WooCommerce | 52 | 11 | 187 | 1k+ | Non-prefixed global variable | ||
| #2437 | Wenprise Pinyin Slug | 52 | 30 | 34 | 4k+ | Text Domain Mismatch | ||
| #2438 | Price Based on Country for WooCommerce | 52 | 43 | 126 | 20k+ | Non-prefixed hook name | ||
| #2439 | Automattic For Agencies Client | 53 | 249 | 184 | 20k+ | Text Domain Mismatch | ||
| #2440 | Connect Contact Form 7 and Mailchimp | 53 | 236 | 52 | 40k+ | Text Domain Mismatch | ||
| #2441 | Export Custom Pages | 53 | 22 | 19 | 700 | Output is not escaped | ||
| #2442 | FakerPress | 53 | 66 | 152 | 10k+ | Non-prefixed global variable | ||
| #2443 | LearnPress – bbPress Integration | 53 | 19 | 14 | 2k+ | Output is not escaped | ||
| #2444 | Multiple Post Thumbnails | 53 | 25 | 18 | 20k+ | Output is not escaped | ||
| #2445 | Pinterest for WooCommerce | 53 | 44 | 30 | 300k+ | Exception output is not escaped | ||
| #2446 | Preserved HTML Editor Markup Plus | 53 | 12 | 22 | 3k+ | Output is not escaped | ||
| #2447 | Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely | 53 | 34 | 90 | 20k+ | Database parameter is not escaped | ||
| #2448 | Texty – SMS Notification for WordPress, WooCommerce, Dokan and more | 53 | 31 | 34 | 8k+ | Output is not escaped | ||
| #2449 | Morning for WooCommerce | 53 | 7 | 59 | 1k+ | Non-prefixed global variable | ||
| #2450 | Cyr-To-Lat | 54 | 16 | 48 | 300k+ | Dynamic hook name |