WordPress.DB.DirectDatabaseQuery.SchemaChange
Schema Change
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #901 | CompressX — AVIF & WebP Converter, Media Replacement | 35 | 26 | 423 | 40k+ | Missing nonce verification | ||
| #902 | Core Framework | 35 | 70 | 62 | 10k+ | Text Domain Mismatch | ||
| #903 | Custom 404 Pro | 35 | 50 | 27 | 7k+ | wp function not compatible with requires wp | ||
| #904 | Datafeedr Product Sets | 35 | 602 | 206 | 5k+ | Output is not escaped | ||
| #905 | DOOFINDER Search and Discovery for WP & WooCommerce | 35 | 151 | 120 | 2k+ | Text Domain Mismatch | ||
| #906 | Easy Social Icons | 35 | 182 | 158 | 20k+ | Output is not escaped | ||
| #907 | Email Validator for Contact Form 7 | 35 | 111 | 74 | 500 | SQL query is not prepared | ||
| #908 | EWWW Image Optimizer | 35 | 225 | 729 | 1m+ | Direct Query | ||
| #909 | Extendify | 35 | 117 | 168 | 500k+ | Non-prefixed global variable | ||
| #910 | External Links Overview | 35 | 57 | 200 | 800 | Non-prefixed global variable | ||
| #911 | Video Gallery – YouTube Gallery, Vimeo, Video Portfolio, Image Portfolio and Image Gallery | 35 | 50 | 199 | 10k+ | Non-prefixed global variable | ||
| #912 | GeoTargeting Lite – WordPress Geolocation | 35 | 66 | 79 | 1k+ | Output is not escaped | ||
| #913 | Imsanity | 35 | 32 | 29 | 200k+ | Direct Query | ||
| #914 | iPages – FlipBook Image & PDF Viewer | 35 | 467 | 177 | 2k+ | Text Domain Mismatch | ||
| #915 | Kirki – Freeform Page Builder, Website Builder & Customizer | 35 | 1 | 773 | 500k+ | Nonce verification recommended | ||
| #916 | Lead Form Builder & Contact Form | 35 | 400 | 345 | 9k+ | Output is not escaped | ||
| #917 | Mail Queue | 35 | 22 | 77 | 900 | Direct Query | ||
| #918 | MapSVG – Vector maps, Image maps, Google Maps | 35 | 74 | 47 | 1k+ | Missing direct file access protection | ||
| #919 | Marquee image crawler | 35 | 168 | 136 | 700 | Non-prefixed global variable | ||
| #920 | Mechanic Visitor Counter | 35 | 240 | 66 | 7k+ | Output is not escaped | ||
| #921 | Nginx Cache Controller | 35 | 79 | 96 | 1k+ | Text Domain Mismatch | ||
| #922 | Orderable – Restaurant & Food Ordering System | 35 | 12 | 324 | 5k+ | Non-prefixed global variable | ||
| #923 | Perfecty Push Notifications | 35 | 204 | 213 | 4k+ | SQL query is not prepared | ||
| #924 | Popup with fancybox | 35 | 196 | 168 | 1k+ | Unsafe printing function | ||
| #925 | Presto Player | 35 | 37 | 77 | 100k+ | Missing Arg Domain | ||
| #926 | Quran multilanguage Text & Audio | 35 | 177 | 166 | 500 | Output is not escaped | ||
| #927 | Related Posts for WordPress | 35 | 207 | 180 | 10k+ | Output is not escaped | ||
| #928 | WP Responsive Tabs horizontal vertical and accordion Tabs | 35 | 598 | 212 | 2k+ | Output is not escaped | ||
| #929 | sCode (Easy Shortcodes) | 35 | 157 | 97 | 400 | Text Domain Mismatch | ||
| #930 | Internal Links Manager | 35 | 188 | 121 | 10k+ | Output is not escaped | ||
| #931 | FlexTable – Data Table Sync with Google Sheets | 35 | 20 | 78 | 4k+ | Direct Query | ||
| #932 | SHOPVOTE | 35 | 64 | 58 | 400 | curl curl setopt | ||
| #933 | Uptime Robot Plugin for WordPress | 35 | 398 | 324 | 600 | Text Domain Mismatch | ||
| #934 | Spreadconnect | 35 | 128 | 126 | 700 | Output is not escaped | ||
| #935 | DPD Baltic Shipping | 35 | 91 | 202 | 2k+ | Text Domain Mismatch | ||
| #936 | Access Areas for WordPress | 35 | 17 | 95 | 400 | Direct Query | ||
| #937 | WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets | 35 | 35 | 20 | 100k+ | Missing direct file access protection | ||
| #938 | WP Dark Mode – Improve Accessibility with AI Powered Dark Theme | 35 | 20 | 160 | 20k+ | Non-prefixed global variable | ||
| #939 | Database Backup for WordPress | 35 | 128 | 88 | 70k+ | Output is not escaped | ||
| #940 | WP-PageNavi | 35 | 84 | 95 | 500k+ | Non Singular String Literal Domain | ||
| #941 | Integration for WooCommerce and QuickBooks | 35 | 263 | 125 | 1k+ | Output is not escaped | ||
| #942 | WPFront User Role Editor | 35 | 333 | 578 | 30k+ | Output is not escaped | ||
| #943 | Year Make Model Search for WooCommerce | 35 | 188 | 162 | 1k+ | Output is not escaped | ||
| #944 | Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder | 36 | 3 | 321 | 10k+ | Nonce verification recommended | ||
| #945 | Custom Category Post Order | 36 | 80 | 83 | 500 | Text Domain Mismatch | ||
| #946 | Desktop Mode | 36 | 1 | 579 | 2k+ | Direct Query | ||
| #947 | Dynamic Copyright Year | 36 | 972 | 43 | 800 | Output is not escaped | ||
| #948 | Dynamic Front-End Heartbeat Control | 36 | 217 | 111 | 1k+ | Text Domain Mismatch | ||
| #949 | WP CTA – Call Now Button, Sticky Button & Call to Action Builder | 36 | 1 | 433 | 2k+ | Non-prefixed global variable | ||
| #950 | GetPaid > Wallet | 36 | 149 | 174 | 700 | Text Domain Mismatch | ||