WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2701 | Product Expiry for WooCommerce | 41 | 31 | 85 | 2k+ | Request data is not unslashed | ||
| #2702 | Simple Product Options for WooCommerce | 41 | 62 | 41 | 3k+ | Output is not escaped | ||
| #2703 | Simple Google Photos Grid | 41 | 48 | 2 | 1k+ | Output is not escaped | ||
| #2704 | Simple Lightbox | 41 | 21 | 48 | 100k+ | Nonce verification recommended | ||
| #2705 | Simple Page Access Restriction | 41 | 66 | 51 | 6k+ | Unsafe printing function | ||
| #2706 | Simple Revision Control | 41 | 34 | 43 | 1k+ | Dynamic hook name | ||
| #2707 | Smoove connector for Elementor forms | 41 | 22 | 60 | 600 | Nonce verification recommended | ||
| #2708 | SQL Chart Builder | 41 | 38 | 52 | 600 | Text Domain Mismatch | ||
| #2709 | Squeeze – Image Optimization & Compression, WEBP Conversion | 41 | 20 | 70 | 2k+ | Nonce verification recommended | ||
| #2710 | StifLi Flex MCP – MCP Server with undo for ChatGPT, Claude & Gemini | 41 | 2 | 111 | 1k+ | Interpolated SQL is not prepared | ||
| #2711 | Taxonomy Converter | 41 | 54 | 24 | 600 | Output is not escaped | ||
| #2712 | Feedback Company | 41 | 63 | 36 | 800 | Output is not escaped | ||
| #2713 | Threat Scan Plugin | 41 | 29 | 17 | 400 | Output is not escaped | ||
| #2714 | Visibility Logic for Elementor | 41 | 27 | 43 | 30k+ | Output is not escaped | ||
| #2715 | Abandoned Cart Recovery for WooCommerce | 41 | 20 | 202 | 4k+ | Request data is not unslashed | ||
| #2716 | M-Pesa(Kenya) Checkout for Woocommerce | 41 | 46 | 38 | 1k+ | Text Domain Mismatch | ||
| #2717 | WPC Product Bundles for WooCommerce | 41 | 21 | 93 | 30k+ | Missing nonce verification | ||
| #2718 | Country Based Restrictions for WooCommerce | 41 | 27 | 67 | 5k+ | Request data is not unslashed | ||
| #2719 | WP Lorem ipsum | 41 | 37 | 29 | 500 | Unsafe printing function | ||
| #2720 | WP Media folders | 41 | 19 | 74 | 3k+ | Direct Query | ||
| #2721 | WP Test Email | 41 | 32 | 28 | 20k+ | Unsafe printing function | ||
| #2722 | WPS Hide Login | 41 | 34 | 72 | 2m+ | Nonce verification recommended | ||
| #2723 | Agoda Affiliate Partners Text Link Generator | 42 | 4 | 40 | 500 | Interpolated SQL is not prepared | ||
| #2724 | Post Grid Master — Post Grids & AJAX Filters | 42 | 44 | 115 | 1k+ | Non-prefixed global variable | ||
| #2725 | BP Auto Group Join | 42 | 55 | 55 | 700 | Output is not escaped | ||
| #2726 | Comment Reply Email | 42 | 21 | 23 | 500 | Unsafe printing function | ||
| #2727 | Companion Revision Manager – Revision Control | 42 | 18 | 28 | 4k+ | Unsafe printing function | ||
| #2728 | Custom Admin Page by BestWebSoft – Configurable WordPress Dashboard Pages Plugin | 42 | 472 | 181 | 400 | Text Domain Mismatch | ||
| #2729 | Custom Fields for Gutenberg | 42 | 24 | 24 | 1k+ | Output is not escaped | ||
| #2730 | Custom Taxonomy Order | 42 | 20 | 56 | 50k+ | Output is not escaped | ||
| #2731 | Delete Expired Transients | 42 | 49 | 65 | 5k+ | Direct Query | ||
| #2732 | Enable Classic Editor & Widgets | 42 | 106 | 6 | 3k+ | Non Singular String Literal Domain | ||
| #2733 | Etsy Shop | 42 | 58 | 21 | 3k+ | Unsafe printing function | ||
| #2734 | Exclude Pages | 42 | 31 | 14 | 30k+ | Non Singular String Literal Domain | ||
| #2735 | FormCraft – Form Builder | 42 | 186 | 156 | 2k+ | Text Domain Mismatch | ||
| #2736 | Gelato Integration for WooCommerce | 42 | 36 | 32 | 5k+ | Output is not escaped | ||
| #2737 | Geo Blocker – Control Site Access by Region and IP | 42 | 10 | 64 | 800 | Direct Query | ||
| #2738 | Hide Cart Functions | 42 | 12 | 50 | 3k+ | Nonce verification recommended | ||
| #2739 | Image Uploader for Welcart | 42 | 27 | 24 | 3k+ | Output is not escaped | ||
| #2740 | WP All Import – Import SEO Settings for Rank Math SEO | 42 | 18 | 44 | 7k+ | Nonce verification recommended | ||
| #2741 | LeadSnap | 42 | 14 | 84 | 1k+ | Input is not validated | ||
| #2742 | Manage User Columns | 42 | 15 | 27 | 1k+ | Request data is not unslashed | ||
| #2743 | Mass Delete Unused Tags | 42 | 21 | 9 | 900 | Output is not escaped | ||
| #2744 | Nav Menu Collapse | 42 | 17 | 39 | 3k+ | Missing nonce verification | ||
| #2745 | PDF Thumbnail Generator | 42 | 26 | 16 | 2k+ | Output is not escaped | ||
| #2746 | Post Types Order | 42 | 45 | 43 | 600k+ | wp function not compatible with requires wp | ||
| #2747 | WP Email Log – PostBox | 42 | 2 | 81 | 700 | Nonce verification recommended | ||
| #2748 | Product Price History for WooCommerce | 42 | 101 | 800 | Nonce verification recommended | |||
| #2749 | Rename wp-admin login | 42 | 23 | 38 | 8k+ | Output is not escaped | ||
| #2750 | Republish Old Posts | 42 | 83 | 24 | 2k+ | Output is not escaped |