WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
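The last two fixes as an added example (not code from Plugin Check or from any plugin listed on this page): an idempotent activation routine plus a prepared, cached read. The `myplugin_` prefix, table name, columns, and option name are hypothetical.

```php
<?php
// Hypothetical plugin: every "myplugin" name below is an assumption for illustration.
const MYPLUGIN_DB_VERSION = '1';

// Idempotent schema setup: dbDelta() diffs the statement against the live
// table, so re-running it on activation or upgrade does not fail or duplicate.
function myplugin_install() {
	global $wpdb;
	if ( get_option( 'myplugin_db_version' ) === MYPLUGIN_DB_VERSION ) {
		return; // Schema already current.
	}
	require_once ABSPATH . 'wp-admin/includes/upgrade.php';
	$table   = $wpdb->prefix . 'myplugin_events';
	$collate = $wpdb->get_charset_collate();
	dbDelta(
		"CREATE TABLE {$table} (
			id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
			owner_id bigint(20) unsigned NOT NULL,
			status varchar(20) NOT NULL,
			PRIMARY KEY  (id),
			KEY owner_status (owner_id,status)
		) {$collate};"
	);
	update_option( 'myplugin_db_version', MYPLUGIN_DB_VERSION );
}
register_activation_hook( __FILE__, 'myplugin_install' );

// Prepared, cached read. The unsafe form would interpolate $status straight
// into the SQL string; here both dynamic values go through placeholders.
function myplugin_get_event_ids( $owner_id, $status ) {
	global $wpdb;
	$key = 'events_' . (int) $owner_id . '_' . md5( $status );
	$ids = wp_cache_get( $key, 'myplugin' );
	if ( false === $ids ) { // get_col() returns an array, so false means a miss.
		$table = $wpdb->prefix . 'myplugin_events';
		$ids   = $wpdb->get_col(
			$wpdb->prepare(
				"SELECT id FROM {$table} WHERE owner_id = %d AND status = %s",
				$owner_id,
				$status
			)
		);
		wp_cache_set( $key, $ids, 'myplugin', 5 * MINUTE_IN_SECONDS );
	}
	return $ids;
}
```

Any code path that writes to the table should call `wp_cache_delete()` for the affected keys so cached reads do not go stale. Without a persistent object cache, `wp_cache_*` values last only for the current request.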
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #2851 | Simple Client Dashboard | 47 | 38 | 36 | 2k+ | Missing direct file access protection | ||
| #2852 | Website Article Monetization By MageNet | 47 | 17 | 24 | 10k+ | Output is not escaped | ||
| #2853 | FedaPay Gateway for WooCommerce | 47 | 24 | 11 | 700 | Output is not escaped | ||
| #2854 | WP Prefix Changer | 47 | 27 | 16 | 900 | Missing Arg Domain | ||
| #2855 | QuadLayers TikTok Feed | 47 | 78 | 52 | 7k+ | Text Domain Mismatch | ||
| #2856 | Post Status Notifications | 47 | 98 | 41 | 1k+ | Text Domain Mismatch | ||
| #2857 | Compress, Resize & Lazy Load Images – WPvivid Image Optimization | 47 | 107 | 58 | 10k+ | Missing direct file access protection | ||
| #2858 | XML Sitemap & Google News | 47 | 270 | 224 | 100k+ | Non-prefixed global variable | ||
| #2859 | Add-on WooCommerce – MailPoet 3 | 48 | 30 | 21 | 600 | Output is not escaped | ||
| #2860 | AffiliateWP – Store Credit | 48 | 47 | 21 | 400 | Output is not escaped | ||
| #2861 | AnWP Post Grid and Post Carousel Slider for Elementor | 48 | 758 | 171 | 20k+ | Text Domain Mismatch | ||
| #2862 | Comment Notifier | 48 | 10 | 55 | 400 | Non-prefixed global variable | ||
| #2863 | Better Badge – Custom Product Badges for WooCommerce | 48 | 21 | 47 | 500 | Non Singular String Literal Domain | ||
| #2864 | Disable Author Pages | 48 | 23 | 5 | 6k+ | Unsafe printing function | ||
| #2865 | Maps Plugin using Google Maps for WordPress – WP Google Map | 48 | 289 | 38 | 10k+ | wp function not compatible with requires wp | ||
| #2866 | Jetpack Social | 48 | 829 | 254 | 30k+ | Text Domain Mismatch | ||
| #2867 | Library Bookshelves | 48 | 12 | 59 | 500 | Nonce verification recommended | ||
| #2868 | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | 48 | 63 | 273 | 100k+ | Non-prefixed global variable | ||
| #2869 | Seznam Webmaster | 48 | 47 | 8 | 700 | Output is not escaped | ||
| #2870 | Simple Custom Post Order | 48 | 10 | 77 | 300k+ | Direct Query | ||
| #2871 | FlexStock – Product Stock Sync with Google Sheets for WooCommerce | 48 | 11 | 239 | 700 | Direct Query | ||
| #2872 | Easy Updates Manager | 48 | 13 | 182 | 300k+ | Non-prefixed global variable | ||
| #2873 | Tako Movable Comments | 48 | 18 | 39 | 1k+ | Input is not sanitized | ||
| #2874 | WPC Smart Wishlist for WooCommerce | 48 | 44 | 38 | 100k+ | Output is not escaped | ||
| #2875 | WP Attachment Export | 48 | 16 | 25 | 600 | Input is not sanitized | ||
| #2876 | wp-Monalisa | 48 | 56 | 94 | 700 | Direct Query | ||
| #2877 | WP Remote Users Sync | 48 | 355 | 117 | 6k+ | Text Domain Mismatch | ||
| #2878 | WS Action Scheduler Cleaner | 48 | 13 | 80 | 2k+ | error log error log | ||
| #2879 | SiteEase Bulk Delete Manager | 49 | 50 | 72 | 900 | Direct Query | ||
| #2880 | Analytics by BestWebSoft – Google Analytics Dashboard and Statistic Plugin for WordPress | 49 | 478 | 176 | 1k+ | Text Domain Mismatch | ||
| #2881 | CIO Custom Fields Importer | 49 | 23 | 8 | 500 | Output is not escaped | ||
| #2882 | Download Media Library | 49 | 22 | 40 | 1k+ | Text Domain Mismatch | ||
| #2883 | Drag and Drop Multiple File Upload for WooCommerce | 49 | 114 | 29 | 5k+ | Text Domain Mismatch | ||
| #2884 | GDPR Tools: comment ip removement | 49 | 18 | 13 | 2k+ | Unsafe printing function | ||
| #2885 | Easy Property Listings | 49 | 60 | 66 | 5k+ | wp function not compatible with requires wp | ||
| #2886 | Import into Easy Property Listings | 49 | 335 | 24 | 1k+ | Text Domain Mismatch | ||
| #2887 | Anti-Spam Protection – No API Key, GDPR Friendly | 49 | 2 | 106 | 1k+ | Direct Query | ||
| #2888 | GamiPress – Multimedia Content | 49 | 11 | 25 | 500 | Nonce verification recommended | ||
| #2889 | OneClick Chat to Order | 49 | 677 | 41 | 40k+ | Text Domain Mismatch | ||
| #2890 | Plugins Last Updated Column | 49 | 21 | 14 | 700 | Output is not escaped | ||
| #2891 | PostmagThemes Demo Import | 49 | 192 | 114 | 1k+ | Text Domain Mismatch | ||
| #2892 | ReCrawler | 49 | 10 | 40 | 4k+ | Direct Query | ||
| #2893 | Search in Place | 49 | 74 | 57 | 3k+ | wp function not compatible with requires wp | ||
| #2894 | Secondary Product Image for WooCommerce | 49 | 25 | 29 | 2k+ | Output is not escaped | ||
| #2895 | Simple MyISAM to InnoDB | 49 | 11 | 22 | 1k+ | Output is not escaped | ||
| #2896 | SKT Themes Demo Import | 49 | 218 | 104 | 4k+ | Text Domain Mismatch | ||
| #2897 | Taxonomy Images | 49 | 38 | 50 | 9k+ | Output is not escaped | ||
| #2898 | Users by Date Registered | 49 | 13 | 20 | 1k+ | Nonce verification recommended | ||
| #2899 | Was This Helpful? | 49 | 19 | 28 | 1k+ | Output is not escaped | ||
| #2900 | PDF Invoices & Packing Slips for WooCommerce – Challan | 49 | 56 | 151 | 3k+ | Non-prefixed global variable |