WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2601 | Flamingo | 40 | 15 | 228 | 800k+ | | | Nonce verification recommended |
| #2602 | GetPaid > Item Inventory | 40 | 112 | 52 | 400 | | | Text Domain Mismatch |
| #2603 | Product Enquiry for WooCommerce | 40 | 57 | 41 | 3k+ | | | Output is not escaped |
| #2604 | Hostinger Reach – AI-Powered Email Marketing for WordPress | 40 | 9 | 46 | 1m+ | | | Direct Query |
| #2605 | Image Alt Text | 40 | 79 | 97 | 9k+ | | | Non Singular String Literal Domain |
| #2606 | iNext Woo Pincode Checker | 40 | 36 | 82 | 700 | | | Missing nonce verification |
| #2607 | Internal Linking of Related Contents | 40 | 714 | 47 | 1k+ | | | Output is not escaped |
| #2608 | Invite Anyone | 40 | 32 | 130 | 1k+ | | | Non-prefixed hook name |
| #2609 | JSM Show Order Metadata for WooCommerce HPOS | 40 | 17 | 64 | 700 | | | Nonce verification recommended |
| #2610 | JSM Show Post Metadata | 40 | 15 | 66 | 10k+ | | | Nonce verification recommended |
| #2611 | JSM Show Term Metadata | 40 | 14 | 64 | 900 | | | Nonce verification recommended |
| #2612 | JSM Show User Metadata | 40 | 14 | 64 | 3k+ | | | Nonce verification recommended |
| #2613 | La Sentinelle antispam | 40 | 88 | 46 | 3k+ | | | Output is not escaped |
| #2614 | Links shortcode | 40 | 73 | 13 | 900 | | | Unsafe printing function |
| #2615 | Listdomer Core | 40 | 45 | 92 | 500 | | | Non-prefixed global variable |
| #2616 | WP All Import – Listings Import for Listify | 40 | 34 | 27 | 400 | | | Output is not escaped |
| #2617 | LJ Multi Column Archive | 40 | 17 | 25 | 1k+ | | | Output is not escaped |
| #2618 | LLM Bot Tracker – AI Crawler Detection & Analytics | 40 | 18 | 90 | 700 | | | Database parameter is not escaped |
| #2619 | Logbook | 40 | 33 | 59 | 2k+ | | | Nonce verification recommended |
| #2620 | Mass Email To Users | 40 | 84 | 81 | 800 | | | Output is not escaped |
| #2621 | Modal Window – create popup modal window | 40 | 4 | 170 | 10k+ | | | Non-prefixed global variable |
| #2622 | Multiple Featured Images | 40 | 50 | 22 | 5k+ | | | Output is not escaped |
| #2623 | Customize My Account for WooCommerce – Custom Tabs, Login, Registration, 2FA & Design | 40 | 77 | 167 | 800 | | | Non-prefixed global variable |
| #2624 | NextGEN Gallery Sidebar Widget | 40 | 59 | 10 | 600 | | | Output is not escaped |
| #2625 | Page Comments Off Please | 40 | 17 | 29 | 1k+ | | | Nonce verification recommended |
| #2626 | Paystack MemberPress | 40 | 71 | 76 | 400 | | | Output is not escaped |
| #2627 | Plugin Load Filter | 40 | 76 | 112 | 7k+ | | | Text Domain Mismatch |
| #2628 | Requirements Checklist | 40 | 200 | 22 | 900 | | | Output is not escaped |
| #2629 | Private Google Calendars | 40 | 227 | 37 | 1k+ | | | Output is not escaped |
| #2630 | Quiz Cat – WordPress Quiz Plugin | 40 | 151 | 69 | 4k+ | | | Output is not escaped |
| #2631 | Random Banner | 40 | 59 | 125 | 1k+ | | | Output is not escaped |
| #2632 | Redirector | 40 | 48 | 32 | 7k+ | | | Output is not escaped |
| #2633 | Responsive Plus – Elementor Templates & Starter Sites | 40 | 46 | 305 | 10k+ | | | Non-prefixed global variable |
| #2634 | REST API Custom Fields | 40 | 44 | 16 | 800 | | | Text Domain Mismatch |
| #2635 | Role Based Redirect | 40 | 20 | 96 | 2k+ | | | Non-prefixed global variable |
| #2636 | Sales Tax Reports For WooCommerce | 40 | 50 | 65 | 900 | | | Output is not escaped |
| #2637 | Search Live | 40 | 132 | 71 | 600 | | | Output is not escaped |
| #2638 | Select Post Export | 40 | 51 | 18 | 500 | | | Output is not escaped |
| #2639 | Serviceform Pixel | 40 | 18 | 22 | 400 | | | Output is not escaped |
| #2640 | Multipage | 40 | 72 | 28 | 900 | | | Unsafe printing function |
| #2641 | Shortcodes Finder | 40 | 22 | 188 | 4k+ | | | Nonce verification recommended |
| #2642 | Show Pages URL List | 40 | 29 | 234 | 1k+ | | | Non-prefixed global variable |
| #2643 | Simple Statistics for Feeds | 40 | 64 | 131 | 800 | | | Nonce verification recommended |
| #2644 | Simple Page Sidebars | 40 | 55 | 65 | 20k+ | | | Output is not escaped |
| #2645 | Statify Widget | 40 | 52 | 13 | 4k+ | | | Output is not escaped |
| #2646 | Tealium | 40 | 73 | 19 | 700 | | | Unsafe printing function |
| #2647 | Thin Out Revisions | 40 | 93 | 35 | 800 | | | Non Singular String Literal Domain |
| #2648 | Timeline History | 40 | 31 | 17 | 500 | | | Output is not escaped |
| #2649 | Track Geolocation Of Users Using Contact Form 7 | 40 | 17 | 173 | 900 | | | Nonce verification recommended |
| #2650 | Ultimate Member – ForumWP forum integration | 40 | 31 | 73 | 500 | | | Nonce verification recommended |