WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
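The second and third fixes in one place, as an added example (not code from Plugin Check or from any plugin listed on this page): a prepared read with an object-cache layer, a write that invalidates it, and a versioned schema install. Every `myplugin_*` name, the table, the cache group and the option key are hypothetical.

```php
<?php
// Added example; every myplugin_* name, the table and the cache group are hypothetical.
const MYPLUGIN_DB_VERSION = '1';

/** Repeated read: prepared values plus an object-cache layer. */
function myplugin_get_events( int $user_id ): array {
	global $wpdb;
	$rows = wp_cache_get( "events_{$user_id}", 'myplugin' );
	if ( false === $rows ) {
		// %i (identifier placeholder) needs WordPress 6.2+; %d forces an integer.
		$rows = $wpdb->get_results(
			$wpdb->prepare(
				'SELECT id, event_type, created_at FROM %i WHERE user_id = %d ORDER BY id DESC LIMIT 20',
				$wpdb->prefix . 'myplugin_events', $user_id
			),
			ARRAY_A
		) ?? array(); // get_results() returns null on a query error.
		wp_cache_set( "events_{$user_id}", $rows, 'myplugin', 5 * MINUTE_IN_SECONDS );
	}
	return $rows;
}

/** Write path: $wpdb->insert() escapes values itself; drop the stale cache entry. */
function myplugin_add_event( int $user_id, string $type ): bool {
	global $wpdb;
	$ok = $wpdb->insert(
		$wpdb->prefix . 'myplugin_events',
		array( 'user_id' => $user_id, 'event_type' => $type, 'created_at' => current_time( 'mysql', true ) ),
		array( '%d', '%s', '%s' )
	);
	wp_cache_delete( "events_{$user_id}", 'myplugin' );
	return false !== $ok;
}

/** Schema: runs on activation and on upgrade; a matching version makes it a no-op. */
function myplugin_install_schema(): void {
	global $wpdb;
	if ( get_option( 'myplugin_db_version' ) === MYPLUGIN_DB_VERSION ) { return; }
	require_once ABSPATH . 'wp-admin/includes/upgrade.php';
	// dbDelta() diffs against the live table, so re-running it does not duplicate anything.
	dbDelta( "CREATE TABLE {$wpdb->prefix}myplugin_events (
		id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
		user_id bigint(20) unsigned NOT NULL,
		event_type varchar(40) NOT NULL,
		created_at datetime NOT NULL,
		PRIMARY KEY  (id),
		KEY user_id (user_id)
	) {$wpdb->get_charset_collate()};" );
	update_option( 'myplugin_db_version', MYPLUGIN_DB_VERSION );
}
register_activation_hook( __FILE__, 'myplugin_install_schema' );
add_action( 'plugins_loaded', 'myplugin_install_schema' );
```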
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2551 | WP Accessibility | 39 | 199 | 104 | 60k+ | | | Unsafe printing function |
| #2552 | WP Attachments | 39 | 49 | 44 | 3k+ | | | Output is not escaped |
| #2553 | WPEPP – Essential Security, Password Protect & Login Page Customizer | 39 | 34 | 29 | 3k+ | | | Unsupported Identifier Placeholder |
| #2554 | WP Limit Login Attempts | 39 | 26 | 67 | 10k+ | | | Direct Query |
| #2555 | WP Most Popular | 39 | 50 | 35 | 2k+ | | | Output is not escaped |
| #2556 | WP Server Health Stats | 39 | 66 | 31 | 10k+ | | | Output is not escaped |
| #2557 | WP Sitemaps Config | 39 | 88 | 37 | 700 | | | Output is not escaped |
| #2558 | SEO Auto Linker | 39 | 97 | 62 | 3k+ | | | Unsafe printing function |
| #2559 | Categories to Tags Converter | 39 | 86 | 38 | 50k+ | | | Output is not escaped |
| #2560 | WPS Limit Login | 39 | 152 | 76 | 100k+ | | | Output is not escaped |
| #2561 | YITH Custom Login | 39 | 86 | 33 | 6k+ | | | Output is not escaped |
| #2562 | Zotpress | 39 | 80 | 403 | 2k+ | | | Non-prefixed global variable |
| #2563 | 404 Notifier | 40 | 39 | 41 | 700 | | | Output is not escaped |
| #2564 | ACF Theme Code for Advanced Custom Fields | 40 | 478 | 40 | 10k+ | | | Output is not escaped |
| #2565 | ACF to Custom Database Tables | 40 | 36 | 64 | 600 | | | Nonce verification recommended |
| #2566 | Add & Replace Affiliate Links for Amazon | 40 | 39 | 52 | 600 | | | Output is not escaped |
| #2567 | Admin Search | 40 | 31 | 47 | 1k+ | | | Output is not escaped |
| #2568 | Advanced Admin Search | 40 | 79 | 48 | 600 | | | Non Singular String Literal Text |
| #2569 | Advanced Country Blocker | 40 | 23 | 77 | 2k+ | | | Exception output is not escaped |
| #2570 | Advanced IP Blocker | 40 | 94 | 43 | 2k+ | | | Exception output is not escaped |
| #2571 | Advanced WPLink | 40 | 67 | 19 | 1k+ | | | Text Domain Mismatch |
| #2572 | AJAX Thumbnail Rebuild | 40 | 38 | 14 | 30k+ | | | Unsafe printing function |
| #2573 | Allow Multiple Accounts | 40 | 115 | 19 | 9k+ | | | Non Singular String Literal Domain |
| #2574 | Alt Magic: AI Image Alt Text Generator for WP & Image Rename | 40 | 55 | 118 | 1k+ | | | Direct Query |
| #2575 | Atomic Edge Security – Firewall, Malware Scan and Login Security | 40 | 12 | 184 | 600 | | | Non-prefixed global variable |
| #2576 | Attachment Importer | 40 | 24 | 76 | 3k+ | | | Input is not sanitized |
| #2577 | Autocomplete Google Address | 40 | 22 | 67 | 2k+ | | | Nonce verification recommended |
| #2578 | AutoConvert Greeklish Permalinks | 40 | 116 | 13 | 30k+ | | | Text Domain Mismatch |
| #2579 | AxiaChat AI – Free AI Chatbot (Answers Customers Automatically) | 40 | 2 | 135 | 2k+ | | | Interpolated SQL is not prepared |
| #2580 | Better Internal Link Search | 40 | 23 | 48 | 1k+ | | | strip tags strip tags |
| #2581 | Broken Link Notifier | 40 | 11 | 193 | 1k+ | | | Non-prefixed global variable |
| #2582 | Bubble Menu – Floating Button Menu with Sticky Navigation | 40 | 2 | 216 | 1k+ | | | Nonce verification recommended |
| #2583 | BuddyPress Profile Completion | 40 | 28 | 30 | 500 | | | Output is not escaped |
| #2584 | Bulk Delete Comments | 40 | 16 | 61 | 5k+ | | | Direct Query |
| #2585 | Bulk Move | 40 | 85 | 44 | 9k+ | | | Unsafe printing function |
| #2586 | Coming soon Page | 40 | 24 | 18 | 500 | | | Text Domain Mismatch |
| #2587 | Contact Form 7 to Mailjet | 40 | 70 | 39 | 600 | | | Output is not escaped |
| #2588 | Complete Image Sitemap | 40 | 55 | 18 | 1k+ | | | Output is not escaped |
| #2589 | Database Addon for Contact Form 7 – CFDB7 | 40 | 35 | 56 | 600k+ | | | Nonce verification recommended |
| #2590 | Copyscape Premium | 40 | 148 | 133 | 800 | | | SQL query is not prepared |
| #2591 | Country State City Dropdown CF7 | 40 | 35 | 54 | 5k+ | | | Direct Query |
| #2592 | Coupon Generator for WooCommerce | 40 | 39 | 28 | 10k+ | | | Unsafe printing function |
| #2593 | Cron Logger | 40 | 49 | 36 | 1k+ | | | Output is not escaped |
| #2594 | Cryptocurrency Widgets Pack | 40 | 222 | 52 | 700 | | | Unsafe printing function |
| #2595 | Delete Me | 40 | 116 | 17 | 7k+ | | | Output is not escaped |
| #2596 | Easy Image Collage | 40 | 96 | 18 | 4k+ | | | Unsafe printing function |
| #2597 | Enhanced Custom Permalinks | 40 | 51 | 82 | 1k+ | | | Nonce verification recommended |
| #2598 | Eventer | 40 | 61 | 55 | 1k+ | | | Output is not escaped |
| #2599 | Expiring Posts | 40 | 52 | 20 | 800 | | | Missing Arg Domain |
| #2600 | FameTheme Demo Importer | 40 | 8 | 74 | 30k+ | | | Nonce verification recommended |