WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
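An added example, not taken from Plugin Check or from any plugin listed on this page, covering the last two fixes: a direct read that binds its dynamic value through `$wpdb->prepare()` and is wrapped in the object cache, and a table creation routine that is safe to run more than once. The `myplugin_*` function names, the `myplugin_hits` table, the `myplugin` cache group and the `myplugin_db_version` option are hypothetical.

```php
<?php
// Added example; the myplugin_* names, table, cache group and option are hypothetical.
// Risky form: request value concatenated into the SQL, result never cached.
// $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->prefix}myplugin_hits WHERE post_id = " . $_GET['post_id'] );
function myplugin_get_hit_count( $post_id ) {
	global $wpdb;
	$post_id = absint( $post_id );
	$key     = 'hits_' . $post_id;
	$count   = wp_cache_get( $key, 'myplugin' );
	if ( false === $count ) {
		// Table name is prefix + constant; only the value is dynamic, bound as %d.
		$count = (int) $wpdb->get_var(
			$wpdb->prepare(
				"SELECT COUNT(*) FROM {$wpdb->prefix}myplugin_hits WHERE post_id = %d",
				$post_id
			)
		);
		wp_cache_set( $key, $count, 'myplugin', HOUR_IN_SECONDS );
	}
	return (int) $count;
}

function myplugin_record_hit( $post_id ) {
	global $wpdb;
	$post_id = absint( $post_id );
	$wpdb->insert(
		$wpdb->prefix . 'myplugin_hits',
		array( 'post_id' => $post_id, 'hit_at' => current_time( 'mysql', true ) ),
		array( '%d', '%s' )
	);
	wp_cache_delete( 'hits_' . $post_id, 'myplugin' ); // Invalidate on write.
}

function myplugin_install() {
	global $wpdb;
	if ( '1' === get_option( 'myplugin_db_version' ) ) {
		return; // Schema already at this version; nothing to do.
	}
	require_once ABSPATH . 'wp-admin/includes/upgrade.php';
	// dbDelta() compares against the existing table, so a re-run does not fail.
	dbDelta( "CREATE TABLE {$wpdb->prefix}myplugin_hits (
		id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
		post_id bigint(20) unsigned NOT NULL,
		hit_at datetime NOT NULL,
		PRIMARY KEY  (id),
		KEY post_id (post_id)
	) {$wpdb->get_charset_collate()};" );
	update_option( 'myplugin_db_version', '1' );
}
register_activation_hook( __FILE__, 'myplugin_install' );
```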
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #2501 | Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid | 39 | 65 | 72 | 6k+ | block api version too low | ||
| #2502 | Mail Subscribe List | 39 | 17 | 94 | 3k+ | Input is not validated | ||
| #2503 | Manage Enrollment for LearnDash | 39 | 48 | 79 | 400 | Unsafe printing function | ||
| #2504 | Markup by Attribute for WooCommerce | 39 | 46 | 102 | 2k+ | Direct Query | ||
| #2505 | Menubar | 39 | 171 | 46 | 1k+ | Output is not escaped | ||
| #2506 | Movable Type and TypePad Importer | 39 | 42 | 25 | 20k+ | Output is not escaped | ||
| #2507 | Social Proof Popups & Real-Time Notifications – Herd Effects | 39 | 5 | 181 | 1k+ | Non-prefixed global variable | ||
| #2508 | payever – WooCommerce Gateway | 39 | 263 | 131 | 700 | Text Domain Mismatch | ||
| #2509 | Paystack Add-On for Gravity Forms | 39 | 96 | 31 | 400 | Text Domain Mismatch | ||
| #2510 | Permalink Manager for WooCommerce | 39 | 116 | 24 | 8k+ | Short PHP open tag found | ||
| #2511 | Query Multiple Taxonomies | 39 | 55 | 41 | 500 | Output is not escaped | ||
| #2512 | Quform Mailchimp | 39 | 65 | 147 | 800 | Nonce verification recommended | ||
| #2513 | Quform Zapier | 39 | 60 | 123 | 1k+ | Nonce verification recommended | ||
| #2514 | Redirect 404 Error Page to Homepage or Custom Page with Logs | 39 | 27 | 53 | 10k+ | Nonce verification recommended | ||
| #2515 | Re Gallery – Responsive Image & Photo Gallery | 39 | 16 | 121 | 700 | Missing nonce verification | ||
| #2516 | Reorder by Term | 39 | 20 | 84 | 1k+ | Request data is not unslashed | ||
| #2517 | Responsify WP | 39 | 90 | 11 | 600 | Unsafe printing function | ||
| #2518 | REST API Helper | 39 | 108 | 85 | 500 | Unsafe printing function | ||
| #2519 | RioVizual — Table Blocks for Comparison, Pricing and Pros & Cons | 39 | 32 | 75 | 1k+ | Nonce verification recommended | ||
| #2520 | Serial Number for Contact Form 7 | 39 | 105 | 53 | 2k+ | Non Singular String Literal Domain | ||
| #2521 | Taxonomy Thumbnail | 39 | 27 | 58 | 3k+ | Non-prefixed function | ||
| #2522 | Shared Files – File Upload & Download Manager | 39 | 5 | 184 | 4k+ | Nonce verification recommended | ||
| #2523 | Shipping Simulator for WooCommerce | 39 | 120 | 39 | 5k+ | Text Domain Mismatch | ||
| #2524 | Show All Comments | 39 | 108 | 92 | 400 | Nonce verification recommended | ||
| #2525 | Simple Membership WP user Import | 39 | 22 | 46 | 4k+ | Request data is not unslashed | ||
| #2526 | Simple Posts Ticker – Easy, Lightweight & Flexible | 39 | 151 | 28 | 2k+ | Output is not escaped | ||
| #2527 | Smaily for WP | 39 | 52 | 36 | 700 | Output is not escaped | ||
| #2528 | Smart Archives Reloaded | 39 | 78 | 36 | 1k+ | Non Singular String Literal Domain | ||
| #2529 | Solid Post Likes | 39 | 96 | 52 | 500 | Text Domain Mismatch | ||
| #2530 | Stock Ticker | 39 | 92 | 49 | 2k+ | Output is not escaped | ||
| #2531 | Substack Importer | 39 | 33 | 33 | 1k+ | Missing nonce verification | ||
| #2532 | Easy Category Icons | 39 | 50 | 43 | 600 | Text Domain Mismatch | ||
| #2533 | ThemeKit For WordPress | 39 | 149 | 49 | 700 | Output is not escaped | ||
| #2534 | TomS reCAPTCHA | 39 | 128 | 256 | 500 | Missing nonce verification | ||
| #2535 | Traffic Monitor | 39 | 6 | 143 | 1k+ | Direct Query | ||
| #2536 | User Blocker | 39 | 6 | 276 | 3k+ | Nonce verification recommended | ||
| #2537 | Accessibility by UserWay | 39 | 22 | 35 | 80k+ | Direct Query | ||
| #2538 | Smart Variation Swatches and Attribute Filters for WooCommerce | 39 | 39 | 50 | 3k+ | Output is not escaped | ||
| #2539 | Virtuaria Correios – Frete, Etiqueta, Rastreio e Declaração | 39 | 18 | 81 | 500 | Nonce verification recommended | ||
| #2540 | Smart COD for WooCommerce | 39 | 50 | 28 | 30k+ | Output is not escaped | ||
| #2541 | Website LLMs.txt | 39 | 13 | 145 | 40k+ | Non-prefixed global variable | ||
| #2542 | Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types | 39 | 89 | 117 | 20k+ | Unsafe printing function | ||
| #2543 | Combo Offers WooCommerce | 39 | 38 | 89 | 2k+ | Missing nonce verification | ||
| #2544 | Eurobank WooCommerce Payment Gateway | 39 | 62 | 63 | 2k+ | Non Singular String Literal Domain | ||
| #2545 | Wallet for WooCommerce | 39 | 36 | 524 | 20k+ | Non-prefixed hook name | ||
| #2546 | WooCommerce Product Dependencies | 39 | 44 | 60 | 3k+ | Missing nonce verification | ||
| #2547 | WP Accessibility | 39 | 199 | 104 | 60k+ | Unsafe printing function | ||
| #2548 | WP Attachments | 39 | 49 | 44 | 3k+ | Output is not escaped | ||
| #2549 | WPEPP – Essential Security, Password Protect & Login Page Customizer | 39 | 34 | 29 | 3k+ | Unsupported Identifier Placeholder | ||
| #2550 | WP Limit Login Attempts | 39 | 26 | 67 | 10k+ | Direct Query | ||