WordPress.DB.DirectDatabaseQuery.DirectQuery
Direct Query
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3001 | XML Feed for Skroutz & BestPrice for WooCommerce | 57 | 12 | 50 | 600 | Input is not sanitized | ||
| #3002 | BCM Duplicate Menu | 58 | 8 | 11 | 4k+ | Nonce verification recommended | ||
| #3003 | Contact Form DB for Enfold | 58 | 21 | 14 | 700 | Output is not escaped | ||
| #3004 | Debloat – Remove Unused CSS, Optimize JS | 58 | 24 | 20 | 30k+ | Nonce verification recommended | ||
| #3005 | Error Log Viewer by BestWebSoft | 58 | 433 | 172 | 6k+ | Text Domain Mismatch | ||
| #3006 | HAL | 58 | 106 | 24 | 500 | Text Domain Mismatch | ||
| #3007 | PW WooCommerce BOGO | 58 | 30 | 8 | 400 | Unsafe printing function | ||
| #3008 | Videopack | 58 | 28 | 108 | 10k+ | Input is not sanitized | ||
| #3009 | View Admin As | 58 | 307 | 135 | 9k+ | Non Singular String Literal Domain | ||
| #3010 | Virtuaria PagBank / PagSeguro for WooCommerce | 58 | 152 | 1k+ | Non-prefixed global variable | |||
| #3011 | Social Media Auto Poster – Schedule & Publish to Buffer | 58 | 23 | 211 | 7k+ | Dynamic hook name | ||
| #3012 | Age Gator | 59 | 9 | 15 | 400 | Direct Query | ||
| #3013 | Co-Authors Plus | 59 | 2 | 76 | 20k+ | Input is not sanitized | ||
| #3014 | Custom API for WP | 59 | 173 | 16 | 1k+ | wp function not compatible with requires wp | ||
| #3015 | Display Post Types – Post Grid, post list and post sliders | 59 | 24 | 14 | 7k+ | Output is not escaped | ||
| #3016 | etracker analytics | 59 | 16 | 9 | 1k+ | Exception output is not escaped | ||
| #3017 | Fathom Analytics Conversions | 59 | 14 | 47 | 400 | Non-prefixed function | ||
| #3018 | flowpaper | 59 | 13 | 31 | 10k+ | Non-prefixed function | ||
| #3019 | Pattern Wrangler – Manage Block Patterns and Pattern Categories | 59 | 14 | 73 | 400 | Non-prefixed global variable | ||
| #3020 | pensopay Payments v2 | 59 | 413 | 32 | 1k+ | Non Singular String Literal Domain | ||
| #3021 | UltraPress – AI Assistant, Chatbot & SEO | 59 | 12 | 38 | 800 | Non-prefixed global variable | ||
| #3022 | Hide Posts | 59 | 9 | 70 | 20k+ | Direct Query | ||
| #3023 | GST Invoice for WooCommerce | 59 | 10 | 42 | 1k+ | Missing nonce verification | ||
| #3024 | Variation Swatches for WooCommerce | 59 | 11 | 64 | 300k+ | Non-prefixed global variable | ||
| #3025 | RevivePress – Keep your Old Content Evergreen | 59 | 27 | 46 | 5k+ | date date | ||
| #3026 | Accesibilidad Web con el Widget de AccedeMe | 60 | 22 | 23 | 1k+ | Text Domain Mismatch | ||
| #3027 | Post Blocks & Tools | 60 | 9 | 46 | 400 | Missing nonce verification | ||
| #3028 | EPROLO-Dropshipping | 60 | 16 | 34 | 1k+ | Missing nonce verification | ||
| #3029 | Product Labels, Quick View, Buy Now, Pre-Orders, Frequently Bought Together & More for WooCommerce – Merchant | 60 | 11 | 740 | 10k+ | Non-prefixed global variable | ||
| #3030 | Post Duplicator | 60 | 33 | 24 | 200k+ | Missing direct file access protection | ||
| #3031 | WPB Popup for Contact Form 7 – Showing Contact Form 7 Popup on Button Click | 60 | 21 | 9 | 6k+ | Output is not escaped | ||
| #3032 | WPSSO Schema Product Metadata for WooCommerce | 60 | 33 | 23 | 500 | Missing Translators Comment | ||
| #3033 | Academy LMS | 61 | 18 | 520 | 2k+ | Non-prefixed global variable | ||
| #3034 | CommerceBird – AI Command Center, ERP Integrations & B2B for WooCommerce (Zoho, Exact Online). | 61 | 3 | 162 | 400 | Direct Query | ||
| #3035 | ELEX WooCommerce Catalog Mode | 61 | 97 | 49 | 10k+ | Text Domain Mismatch | ||
| #3036 | GetPaid Stripe Payments | 61 | 206 | 44 | 2k+ | Text Domain Mismatch | ||
| #3037 | Media Library Helper — Bulk edit image ALT, caption & description | 61 | 16 | 70 | 10k+ | Non-prefixed global variable | ||
| #3038 | Reorder Posts – Quick Post Type and Page Ordering | 61 | 10 | 23 | 10k+ | Request data is not unslashed | ||
| #3039 | Powerkit – Supercharge your WordPress Site | 61 | 67 | 115 | 10k+ | Non-prefixed global variable | ||
| #3040 | PW WooCommerce Copy Coupon | 61 | 15 | 17 | 1k+ | Text Domain Mismatch | ||
| #3041 | SEOPress for MainWP | 61 | 240 | 106 | 900 | Text Domain Mismatch | ||
| #3042 | Slider Factory | 61 | 3 | 414 | 2k+ | Non-prefixed global variable | ||
| #3043 | Show Variations as Single Products for WooCommerce | 61 | 12 | 27 | 500 | Unsafe printing function | ||
| #3044 | WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce | 61 | 22 | 74 | 1k+ | Non-prefixed global variable | ||
| #3045 | AAM Protected Media Files | 62 | 13 | 10 | 500 | Direct Query | ||
| #3046 | Add Meta Tag Keywords | 62 | 6 | 15 | 1k+ | Missing nonce verification | ||
| #3047 | Contact Form 7 – Blacklist Unwanted Email | 62 | 16 | 11 | 400 | Missing direct file access protection | ||
| #3048 | Bulk Page Creator | 62 | 9 | 17 | 10k+ | Request data is not unslashed | ||
| #3049 | Carousel Slider | 62 | 71 | 30k+ | Non-prefixed global variable | |||
| #3050 | Kit (formerly ConvertKit) – Email Newsletter, Email Marketing, Membership, Subscribers and Landing Pages | 62 | 81 | 100 | 40k+ | Missing direct file access protection |