WordPress.DB.DirectDatabaseQuery.SchemaChange
Schema Change
The plugin issues a schema-changing SQL statement (DDL such as `CREATE TABLE`, `ALTER TABLE` or `DROP TABLE`) directly through `$wpdb`, instead of describing its tables to `dbDelta()` from an activation or upgrade routine and leaving data access to the WordPress APIs.
Why It Shows Up
Plugin Check runs the `WordPress.DB.DirectDatabaseQuery` sniff from the WordPress Coding Standards. Its `SchemaChange` code fires when a `$wpdb` query method (`query()`, `get_results()` and the like) is handed SQL containing a DDL keyword such as `ALTER`, `CREATE` or `DROP`. The sniff works on the source text only: it cannot tell an activation hook from a front-end request handler, so the statement is flagged wherever it appears.
Why It Matters
Direct queries can be correct, but DDL has sharper edges than an ordinary read. A `CREATE` or `ALTER` executed on a normal request runs on every page load, takes metadata locks, and races when two requests reach it at the same time; a `DROP` is unrecoverable; and the database account a host provisions for the site may not hold DDL privileges at all, so the statement fails or half-applies with no clean error path. WordPress cannot cache, filter or roll back such a query. Because `$wpdb->prepare()` placeholders cover values and never identifiers, a table or column name interpolated into DDL cannot be made safe by preparing it: if it is not a constant joined to `$wpdb->prefix`, it must be validated against a fixed allowlist before it reaches the query string.
How to Fix
- Keep data in WordPress's own tables where that fits the task: the post, term, metadata, option and user APIs need no schema of their own.
- When a custom table is justified, write its `CREATE TABLE` statement once and pass it to `dbDelta()` (loaded from `wp-admin/includes/upgrade.php`), which creates the table or alters an existing one to match, so the same routine is safe to run repeatedly.
- Call that routine from `register_activation_hook()` and from a version-gated upgrade path (compare a schema version stored with `update_option()` against the version in code), since plugin updates do not fire the activation hook.
- Drop tables only from `uninstall.php` or a `register_uninstall_hook()` callback, and build every table name from `$wpdb->prefix` plus a constant, never from request input.
- If direct SQL is still necessary for data access, pass every dynamic value through `$wpdb->prepare()` and add a clear caching strategy (`wp_cache_get()`/`wp_cache_set()`) for repeated reads.
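The following is an added example and not code from this page or from any plugin listed below. It shows the request-time `CREATE` that trips the sniff next to the pattern the fix describes: one idempotent `dbDelta()` routine, run on activation and again only when a stored schema version is behind the code, with the `DROP` confined to uninstall. The `acme_` prefix, the `acme_events` table, the `acme_events_schema_version` option and the version constant are hypothetical names; the snippet assumes it lives in the plugin's main file, which `register_activation_hook( __FILE__, ... )` requires.

```php
<?php
// Added example; not code from the page or from any listed plugin. The prefix
// "acme_", the table "acme_events", the option "acme_events_schema_version"
// and ACME_EVENTS_SCHEMA_VERSION are hypothetical. Assumes this is the plugin's
// main file so that __FILE__ is the right argument for the activation hook.

// The pattern the sniff flags: DDL run on an ordinary request. It repeats on
// every page load, carries no version, and cannot be "prepared": placeholders
// cover values, never identifiers, so a table name built from input would stay
// unsafe whatever it is wrapped in.
function acme_events_ensure_table_flagged() {
    global $wpdb;
    $table = $wpdb->prefix . 'acme_events';
    $wpdb->query( "CREATE TABLE IF NOT EXISTS {$table} (id bigint(20) unsigned NOT NULL AUTO_INCREMENT, PRIMARY KEY (id))" );
}

// The replacement: one idempotent routine built on dbDelta().
define( 'ACME_EVENTS_SCHEMA_VERSION', '2' ); // bump whenever $sql below changes

function acme_events_install_schema() {
    global $wpdb;

    // Table name is prefix + constant; nothing user-controlled reaches the DDL.
    $table           = $wpdb->prefix . 'acme_events';
    $charset_collate = $wpdb->get_charset_collate();

    // dbDelta() compares this definition with the live table and issues the
    // CREATE or ALTER itself. Its parser is strict: one column per line, two
    // spaces between PRIMARY KEY and the column list, KEY rather than INDEX,
    // and no backticks around names.
    $sql = "CREATE TABLE {$table} (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        user_id bigint(20) unsigned NOT NULL DEFAULT 0,
        event_type varchar(32) NOT NULL DEFAULT '',
        created_at datetime NOT NULL,
        PRIMARY KEY  (id),
        KEY user_id (user_id)
    ) {$charset_collate};";

    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    dbDelta( $sql );

    // Record what is installed; autoload=false keeps it out of every request.
    update_option( 'acme_events_schema_version', ACME_EVENTS_SCHEMA_VERSION, false );
}

// Run on activation ...
register_activation_hook( __FILE__, 'acme_events_install_schema' );

// ... and after updates, which do not fire the activation hook. The version
// gate reduces this to a single option read on every other request.
function acme_events_maybe_upgrade() {
    $installed = (string) get_option( 'acme_events_schema_version', '0' );
    if ( version_compare( $installed, ACME_EVENTS_SCHEMA_VERSION, '<' ) ) {
        acme_events_install_schema();
    }
}
add_action( 'plugins_loaded', 'acme_events_maybe_upgrade' );

// Teardown: call this from uninstall.php, which WordPress loads with
// WP_UNINSTALL_PLUGIN defined only when the user deletes the plugin. The DROP
// is the one schema change that remains a direct query, so the suppression
// names the sniff and states the reason instead of silencing it unexplained.
function acme_events_uninstall() {
    if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
        return;
    }
    global $wpdb;
    $table = $wpdb->prefix . 'acme_events';
    // phpcs:ignore WordPress.DB.DirectDatabaseQuery -- intentional schema teardown, uninstall only
    $wpdb->query( "DROP TABLE IF EXISTS {$table}" );
    delete_option( 'acme_events_schema_version' );
}
```

The design point is that `acme_events_install_schema()` is safe to call any number of times: `dbDelta()` is a no-op when the live table already matches, and the version option stops it from even being reached on normal requests. The flagged function above, by contrast, has no such guard and would still be reported by the sniff even if it were moved into an activation hook, because the check is purely textual.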
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #851 | Books Gallery – Book Showcase, Library & Affiliate Plugin | 33 | 1,753 | 178 | 2k+ | Output is not escaped | ||
| #852 | Connector for Gravity Forms and Google Sheets | 33 | 692 | 155 | 3k+ | Text Domain Mismatch | ||
| #853 | WP-UserOnline | 33 | 111 | 161 | 10k+ | Output is not escaped | ||
| #854 | WPReplace内容字符替换插件 | 33 | 209 | 195 | 800 | Non Singular String Literal Domain | ||
| #855 | Advanced Coupons for WooCommerce Coupons & Store Credit | 34 | 74 | 214 | 20k+ | Non-prefixed global variable | ||
| #856 | Audit Trail | 34 | 90 | 107 | 10k+ | Unsafe printing function | ||
| #857 | Campi Moduli Italiani | 34 | 72 | 363 | 500 | Unquoted Complex Placeholder | ||
| #858 | CSS JS Manager, Async JavaScript, Defer Render Blocking CSS | 34 | 76 | 106 | 1k+ | Input is not validated | ||
| #859 | Download After Email – Subscribe & Download Form Plugin | 34 | 22 | 356 | 7k+ | Input is not validated | ||
| #860 | Dr. Flex | 34 | 83 | 51 | 1k+ | Output is not escaped | ||
| #861 | Easy Social Sharing | 34 | 16 | 240 | 1k+ | Non-prefixed global variable | ||
| #862 | Reviews Widgets for Google, Yelp & TripAdvisor | 34 | 274 | 212 | 10k+ | Output is not escaped | ||
| #863 | FluentAuth – The Ultimate Authorization & Security Plugin for WordPress | 34 | 44 | 229 | 10k+ | Nonce verification recommended | ||
| #864 | FV Gravatar Cache | 34 | 50 | 42 | 700 | Output is not escaped | ||
| #865 | HollerBox — Fast & Effective Popups & Lead-Generation | 34 | 78 | 92 | 2k+ | Output is not escaped | ||
| #866 | Inavii Social Feed – Live Social Proof Gallery | 34 | 532 | 180 | 9k+ | Text Domain Mismatch | ||
| #867 | Lenix Leads Collector | 34 | 414 | 242 | 10k+ | Text Domain Mismatch | ||
| #868 | Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin | 34 | 36 | 459 | 3k+ | Input is not sanitized | ||
| #869 | Mass Ping Tool for SEO – WordPress ping list to get indexed faster on Google, Yandex, … | 34 | 77 | 96 | 500 | Output is not escaped | ||
| #870 | Montonio for WooCommerce | 34 | 44 | 257 | 10k+ | Non-prefixed global variable | ||
| #871 | PushEngage – Web Push Notifications, WooCommerce Automation & Chat Widget | 34 | 46 | 298 | 9k+ | Missing nonce verification | ||
| #872 | PW WooCommerce Bulk Edit | 34 | 219 | 149 | 20k+ | Unsafe printing function | ||
| #873 | Redirection | 34 | 32 | 293 | 2m+ | Non-prefixed class | ||
| #874 | Search Meter | 34 | 191 | 94 | 20k+ | Output is not escaped | ||
| #875 | Student Result or Employee Database | 34 | 89 | 98 | 1k+ | Direct Query | ||
| #876 | SuperFrete | 34 | 84 | 242 | 1k+ | Request data is not unslashed | ||
| #877 | TaxJar – Sales Tax Automation for WooCommerce | 34 | 236 | 170 | 5k+ | Text Domain Mismatch | ||
| #878 | Testimonial Slider | 34 | 448 | 262 | 3k+ | Unsafe printing function | ||
| #879 | Throws SPAM Away | 34 | 327 | 123 | 10k+ | Missing Arg Domain | ||
| #880 | Tools for Twitter | 34 | 135 | 87 | 1k+ | Output is not escaped | ||
| #881 | Visual Form Builder | 34 | 82 | 329 | 20k+ | Direct Query | ||
| #882 | Simple Discount Rules for Woocommerce | 34 | 175 | 214 | 5k+ | Nonce verification recommended | ||
| #883 | Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin | 34 | 230 | 154 | 2k+ | Output is not escaped | ||
| #884 | WP-Cron Status Checker | 34 | 277 | 111 | 5k+ | Text Domain Mismatch | ||
| #885 | Wp Default Sender Email by IT Pixelz | 34 | 682 | 25 | 500 | Output is not escaped | ||
| #886 | WP Mail Logging | 34 | 76 | 258 | 300k+ | Nonce verification recommended | ||
| #887 | WP Popup Builder – Popup Forms and Marketing Lead Generation | 34 | 357 | 143 | 3k+ | Text Domain Mismatch | ||
| #888 | Thumbnail Slider With Lightbox | 34 | 244 | 141 | 700 | Output is not escaped | ||
| #889 | Live Visitor Counter | 34 | 108 | 114 | 4k+ | Interpolated SQL is not prepared | ||
| #890 | Xml Sitemap Generator | 34 | 72 | 47 | 400 | SQL query is not prepared | ||
| #891 | Embed Plus for YouTube Gallery, Livestream and Lazy Loading with Facades | 34 | 571 | 195 | 100k+ | Output is not escaped | ||
| #892 | Zero Spam for WordPress | 34 | 79 | 393 | 20k+ | Non-prefixed global variable | ||
| #893 | Abandoned Checkout Recovery & Order Notifications for WooCommerce | 35 | 108 | 77 | 800 | Text Domain Mismatch | ||
| #894 | SOOZ – AI for SEO – Bulk Generate Focus Keyphrases, Metadata, Alt Text (SEO Autopilot) | 35 | 44 | 394 | 2k+ | Nonce verification recommended | ||
| #895 | Tuskcode Map Pro for Bing Maps | 35 | 59 | 359 | 600 | Direct Query | ||
| #896 | Automatic Internal Links for SEO by Pagup | 35 | 34 | 215 | 1k+ | error log error log | ||
| #897 | Automatic YouTube Gallery | 35 | 83 | 59 | 9k+ | Output is not escaped | ||
| #898 | BORICA Payments by BORICA AD | 35 | 537 | 196 | 500 | Text Domain Mismatch | ||
| #899 | BotWriter – AI Writer & SEO Content Generator | 35 | 16 | 503 | 3k+ | Direct Query | ||
| #900 | BSK Forms Blacklist | 35 | 831 | 550 | 1k+ | Output is not escaped |