WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2651 | UTM Leads Tracker – XLPlugins | 40 | 21 | 38 | 400 | Output is not escaped | ||
| #2652 | Visibility Control for LearnDash | 40 | 55 | 23 | 1k+ | Missing Arg Domain | ||
| #2653 | Visibility Control for LearnPress | 40 | 52 | 19 | 700 | Missing Arg Domain | ||
| #2654 | WC Search Orders By Product | 40 | 47 | 66 | 800 | Nonce verification recommended | ||
| #2655 | Payment Gateway – nexi Alpha Bank for WooCommerce | 40 | 28 | 45 | 1k+ | Missing nonce verification | ||
| #2656 | Total Sales Counts for WooCommerce | 40 | 121 | 62 | 700 | SQL query is not prepared | ||
| #2657 | Word Balloon | 40 | 20 | 125 | 10k+ | Request data is not unslashed | ||
| #2658 | WP Discord Invite | 40 | 73 | 42 | 400 | Unsafe printing function | ||
| #2659 | WP All Import – Job Listing Import for WP Job Manager | 40 | 35 | 27 | 2k+ | Output is not escaped | ||
| #2660 | Media Library Categories | 40 | 29 | 49 | 20k+ | Output is not escaped | ||
| #2661 | WP Multisite Content Copier/Updater | 40 | 19 | 144 | 800 | Interpolated SQL is not prepared | ||
| #2662 | WP Reroute Email | 40 | 141 | 106 | 1k+ | Output is not escaped | ||
| #2663 | WPC Force Sells for WooCommerce | 40 | 38 | 97 | 600 | Output is not escaped | ||
| #2664 | WPC Smart Price Filter for WooCommerce | 40 | 23 | 62 | 600 | Nonce verification recommended | ||
| #2665 | WPFront Notification Bar | 40 | 222 | 44 | 50k+ | Output is not escaped | ||
| #2666 | WPS Menu Exporter | 40 | 47 | 22 | 10k+ | Output is not escaped | ||
| #2667 | Yektanet Ecommerce | 40 | 45 | 103 | 1k+ | Request data is not unslashed | ||
| #2668 | My YouTube Channel | 40 | 54 | 38 | 5k+ | Output is not escaped | ||
| #2669 | Zippy | 40 | 43 | 31 | 9k+ | Output is not escaped | ||
| #2670 | AMP for WP – Accelerated Mobile Pages | 41 | 656 | 2,401 | 80k+ | Non-prefixed global variable | ||
| #2671 | Alma – Pay in installments or later for WooCommerce | 41 | 116 | 68 | 1k+ | Exception output is not escaped | ||
| #2672 | Antispam | 41 | 11 | 41 | 400 | Missing nonce verification | ||
| #2673 | Authenticator | 41 | 59 | 44 | 1k+ | Output is not escaped | ||
| #2674 | Auto Focus Keyword for SEO | 41 | 12 | 38 | 2k+ | Input is not validated | ||
| #2675 | Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) | 41 | 175 | 26 | 100k+ | Unsafe printing function | ||
| #2676 | Beautiful Cookie Consent Banner | 41 | 33 | 76 | 40k+ | Non-prefixed global variable | ||
| #2677 | BuddyPress Xprofile Custom Field Types | 41 | 39 | 189 | 4k+ | Missing nonce verification | ||
| #2678 | Bulk Auto Image Title Attribute (Image Title tag) optimizer (Image SEO) | 41 | 16 | 37 | 1k+ | Missing nonce verification | ||
| #2679 | Cache control by Cacholong | 41 | 87 | 30 | 500 | Non Singular String Literal Domain | ||
| #2680 | CMS Tree Page View – Reorder Pages with a Drag-and-Drop Tree | 41 | 121 | 96 | 50k+ | Unsafe printing function | ||
| #2681 | Collapsed Archives | 41 | 54 | 4 | 1k+ | Output is not escaped | ||
| #2682 | Custom Post Type Cleanup | 41 | 70 | 12 | 1k+ | Output is not escaped | ||
| #2683 | Database for CF7 | 41 | 37 | 32 | 2k+ | Text Domain Mismatch | ||
| #2684 | DevVN Local Store | 41 | 84 | 28 | 1k+ | Unsafe printing function | ||
| #2685 | Disable Everything | 41 | 90 | 16 | 30k+ | Output is not escaped | ||
| #2686 | Duplicate Post Page Menu & Custom Post Type | 41 | 35 | 11 | 10k+ | Text Domain Mismatch | ||
| #2687 | Duplicate Page and Post | 41 | 26 | 21 | 80k+ | Unsafe printing function | ||
| #2688 | SNORDIAN's H5PxAPIkatchu | 41 | 119 | 88 | 500 | SQL query is not prepared | ||
| #2689 | Multiple Themes | 41 | 112 | 41 | 10k+ | Output is not escaped | ||
| #2690 | Log cleaner for Solid Security | 41 | 65 | 47 | 8k+ | Text Domain Mismatch | ||
| #2691 | Mobile Contact Bar | 41 | 94 | 36 | 10k+ | Unsafe printing function | ||
| #2692 | Mollie Forms | 41 | 14 | 565 | 3k+ | Request data is not unslashed | ||
| #2693 | Most Popular Categories | 41 | 67 | 2 | 600 | Output is not escaped | ||
| #2694 | Native Emoji | 41 | 54 | 37 | 5k+ | Unsafe printing function | ||
| #2695 | Social Login | 41 | 8 | 110 | 5k+ | Input is not sanitized | ||
| #2696 | Omnibus — show the lowest price | 41 | 35 | 37 | 10k+ | Output is not escaped | ||
| #2697 | Optimus – WordPress Image Optimizer | 41 | 52 | 20 | 30k+ | Unsafe printing function | ||
| #2698 | OSS Aliyun | 41 | 19 | 40 | 3k+ | Request data is not unslashed | ||
| #2699 | Page & Post Notes | 41 | 12 | 77 | 1k+ | Non-prefixed global variable | ||
| #2700 | Plugin Activation Tracker | 41 | 36 | 24 | 900 | Text Domain Mismatch |
