WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
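The three fixes above, shown together as an added example (not code from Plugin Check or from any plugin listed on this page). The `myplugin_` prefix, the quotes table and its columns, and the version option are hypothetical names.

```php
<?php
// Added example: the "myplugin_" names, the quotes table and its columns are hypothetical.

// Before: the pattern the check reports. The value is interpolated into the
// SQL string and the read is repeated on every call with no cache.
function myplugin_quotes_by_author_flagged( $author ) {
	global $wpdb;
	return $wpdb->get_results( "SELECT id, quote FROM {$wpdb->prefix}myplugin_quotes WHERE author = '$author'" );
}

// After: the dynamic value goes through prepare(), repeated reads hit the object cache.
function myplugin_quotes_by_author( $author ) {
	global $wpdb;
	$key  = 'by_author_' . md5( $author );
	$rows = wp_cache_get( $key, 'myplugin_quotes' );
	if ( false === $rows ) {
		$rows = $wpdb->get_results(
			$wpdb->prepare(
				"SELECT id, quote FROM {$wpdb->prefix}myplugin_quotes WHERE author = %s",
				$author
			)
		);
		wp_cache_set( $key, $rows, 'myplugin_quotes', HOUR_IN_SECONDS );
	}
	return $rows;
}

// Schema change kept in an activation/upgrade routine. dbDelta() compares the
// statement with the existing table, so running it again is harmless, and the
// stored version makes the routine a no-op once the schema is current.
function myplugin_install_schema() {
	global $wpdb;
	if ( '1.0' === get_option( 'myplugin_db_version' ) ) {
		return;
	}
	require_once ABSPATH . 'wp-admin/includes/upgrade.php';
	$charset = $wpdb->get_charset_collate();
	dbDelta(
		"CREATE TABLE {$wpdb->prefix}myplugin_quotes (
			id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
			author varchar(191) NOT NULL,
			quote text NOT NULL,
			PRIMARY KEY  (id),
			KEY author (author)
		) $charset;"
	);
	update_option( 'myplugin_db_version', '1.0' );
}
register_activation_hook( __FILE__, 'myplugin_install_schema' );
```

Any code path that writes to the table should call `wp_cache_delete()` for the affected key so cached reads do not go stale.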
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2951 | Customizable Post Listings | 54 | 42 | 13 | 700 | | | Deprecated parameter: the_author parameter 1 |
| #2952 | Cyr-To-Lat | 54 | 16 | 48 | 300k+ | | | Dynamic hook name |
| #2953 | Expanding Archives | 54 | 37 | 9 | 3k+ | | | Output is not escaped |
| #2954 | Extended User Search In WP-Admin | 54 | 14 | 17 | 1k+ | | | SQL query is not prepared |
| #2955 | Helpie FAQ — Accordion, Docs & Knowledge Base | 54 | 96 | 89 | 9k+ | | | Nonce verification recommended |
| #2956 | MSN Partner Hub | 54 | 21 | 25 | 1k+ | | | Missing direct file access protection |
| #2957 | WP Call Button – Easy Click to Call Button for WordPress | 54 | 21 | 38 | 40k+ | | | Non-prefixed global variable |
| #2958 | WP Menu Icons | 54 | 68 | 52 | 20k+ | | | Text Domain Mismatch |
| #2959 | Accordions | 55 | 1 | 101 | 20k+ | | | slow db query meta query |
| #2960 | Quick Buy Now Button for WooCommerce | 55 | 37 | 39 | 5k+ | | | Output is not escaped |
| #2961 | Clean Archives Reloaded | 55 | 25 | 6 | 600 | | | Unsafe printing function |
| #2962 | Easy Quotes | 55 | 11 | 31 | 700 | | | Direct Query |
| #2963 | Enhanced Category Pages | 55 | 23 | 25 | 2k+ | | | Direct Query |
| #2964 | Go Live Update Urls | 55 | 11 | 49 | 80k+ | | | Non-prefixed hook name |
| #2965 | Hide Admin Menu | 55 | 18 | 27 | 20k+ | | | Non-prefixed function |
| #2966 | JetWidgets For Elementor | 55 | 99 | 279 | 10k+ | | | Non-prefixed global variable |
| #2967 | LoginPress \| wp-login Custom Login Page Customizer | 55 | 124 | 301 | 200k+ | | | Non-prefixed function |
| #2968 | Fast Page & Post Duplicator | 55 | 12 | 25 | 60k+ | | | Direct Query |
| #2969 | Page Tagger | 55 | 30 | 10 | 2k+ | | | Output is not escaped |
| #2970 | ProductFrame – Curated products from affiliate feeds | 55 | 3 | 85 | 400 | | | Direct Query |
| #2971 | Subscription & Recurring Payment for WooCommerce | 55 | 9 | 447 | 800 | | | Non-prefixed global variable |
| #2972 | Themeflection Numbers – Number Counter and Animated Numbers | 55 | 224 | 73 | 3k+ | | | Text Domain Mismatch |
| #2973 | VS Contact Form | 55 | 3 | 318 | 7k+ | | | Non-prefixed global variable |
| #2974 | VK Block Patterns | 55 | 8 | 61 | 100k+ | | | Non-prefixed function |
| #2975 | AI Copilot – ChatGPT Chatbot & AI Engine for Post Automation | 56 | 65 | 20 | 1k+ | | | Text Domain Mismatch |
| #2976 | All in One SEO Pack Importer | 56 | 17 | 25 | 500 | | | Direct Query |
| #2977 | SMTP by BestWebSoft | 56 | 486 | 175 | 1k+ | | | Text Domain Mismatch |
| #2978 | Fluent Connect – Connect ThriveCart with your WordPress and FluentCRM | 56 | 37 | 54 | 600 | | | curl curl setopt |
| #2979 | CIELO API PIX, credit card, debit payment for WooCommerce | 56 | 11 | 121 | 700 | | | Nonce verification recommended |
| #2980 | PuzzleMe – Interactive Puzzles for WordPress – Easily publish crosswords, quizzes, word searches and more | 56 | 36 | 15 | 1k+ | | | Output is not escaped |
| #2981 | Replace Protected Password | 56 | 6 | 18 | 600 | | | Input is not sanitized |
| #2982 | TableKit: Table Builder Blocks for Gutenberg | 56 | 80 | 20 | 2k+ | | | Missing Translators Comment |
| #2983 | WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance | 56 | 5 | 769 | 1m+ | | | Non-prefixed global variable |
| #2984 | Social Chat – Click To Chat App Button | 56 | 81 | 45 | 200k+ | | | Text Domain Mismatch |
| #2985 | Pantheon Migrations | 57 | 15 | 26 | 1k+ | | | Output is not escaped |
| #2986 | BestWebSoft’s Pinterest | 57 | 490 | 176 | 500 | | | Text Domain Mismatch |
| #2987 | Delete Pending Comments | 57 | 16 | 11 | 10k+ | | | Unsafe printing function |
| #2988 | APG Google Image Sitemap Feed | 57 | 36 | 33 | 900 | | | Non-prefixed global variable |
| #2989 | iConvert Promoter | 57 | 98 | 217 | 1k+ | | | Non-prefixed global variable |
| #2990 | Internal Link Juicer: SEO Auto Linker for WordPress | 57 | 12 | 61 | 90k+ | | | Database parameter is not escaped |
| #2991 | iZooto – Web Push Notifications | 57 | 26 | 25 | 1k+ | | | wp function not compatible with requires wp |
| #2992 | JSON API User | 57 | 17 | 34 | 1k+ | | | Non-prefixed hook name |
| #2993 | Longer Permalinks | 57 | 27 | 21 | 8k+ | | | Missing Arg Domain |
| #2994 | MC4WP: Mailchimp for WordPress | 57 | 238 | | 1m+ | | | Non-prefixed global variable |
| #2995 | Remove admin menus by role | 57 | 5 | 54 | 8k+ | | | Input is not validated |
| #2996 | Search Exclude | 57 | 73 | 40 | 50k+ | | | Text Domain Mismatch |
| #2997 | Ultimate Member – Terms & Conditions | 57 | 19 | 9 | 4k+ | | | Output is not escaped |
| #2998 | Filter Orders by Product for WooCommerce | 57 | 9 | 21 | 4k+ | | | Nonce verification recommended |
| #2999 | Sequential Order Numbers for WooCommerce | 57 | 9 | 24 | 10k+ | | | Interpolated SQL is not prepared |
| #3000 | WP Adsterra Dashboard | 57 | 22 | 21 | 400 | | | wp function not compatible with requires wp |