WordPress.DB.DirectDatabaseQuery.SchemaChange

Schema Change

The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.

medium weight

Why It Shows Up

Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.

Why It Matters

Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.

How to Fix

  • Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
  • If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
  • Keep schema changes in activation or upgrade routines and make them idempotent.

Affected Plugins

Rank | Plugin | Score | Errors/Warnings/Installs/Added/Updated | Top Issue
#901 | CompressX — AVIF & WebP Converter, Media Replacement | 35 | 2642340k+ | Missing nonce verification
#902 | Core Framework | 35 | 706210k+ | Text Domain Mismatch
#903 | Custom 404 Pro | 35 | 50277k+ | wp function not compatible with requires wp
#904 | Datafeedr Product Sets | 35 | 6022065k+ | Output is not escaped
#905 | DOOFINDER Search and Discovery for WP & WooCommerce | 35 | 1511202k+ | Text Domain Mismatch
#906 | Easy Social Icons | 35 | 18215820k+ | Output is not escaped
#907 | Email Validator for Contact Form 7 | 35 | 11174500 | SQL query is not prepared
#908 | EWWW Image Optimizer | 35 | 2257291m+ | Direct Query
#909 | Extendify | 35 | 117168500k+ | Non-prefixed global variable
#910 | External Links Overview | 35 | 57200800 | Non-prefixed global variable
#911 | Video Gallery – YouTube Gallery, Vimeo, Video Portfolio, Image Portfolio and Image Gallery | 35 | 5019910k+ | Non-prefixed global variable
#912 | GeoTargeting Lite – WordPress Geolocation | 35 | 66791k+ | Output is not escaped
#913 | Imsanity | 35 | 3229200k+ | Direct Query
#914 | iPages – FlipBook Image & PDF Viewer | 35 | 4671772k+ | Text Domain Mismatch
#915 | Kirki – Freeform Page Builder, Website Builder & Customizer | 35 | 1773500k+ | Nonce verification recommended
#916 | Lead Form Builder & Contact Form | 35 | 4003459k+ | Output is not escaped
#917 | Mail Queue | 35 | 2277900 | Direct Query
#918 | MapSVG – Vector maps, Image maps, Google Maps | 35 | 74471k+ | Missing direct file access protection
#919 | Marquee image crawler | 35 | 168136700 | Non-prefixed global variable
#920 | Mechanic Visitor Counter | 35 | 240667k+ | Output is not escaped
#921 | Nginx Cache Controller | 35 | 79961k+ | Text Domain Mismatch
#922 | Orderable – Restaurant & Food Ordering System | 35 | 123245k+ | Non-prefixed global variable
#923 | Perfecty Push Notifications | 35 | 2042134k+ | SQL query is not prepared
#924 | Popup with fancybox | 35 | 1961681k+ | Unsafe printing function
#925 | Presto Player | 35 | 3777100k+ | Missing Arg Domain
#926 | Quran multilanguage Text & Audio | 35 | 177166500 | Output is not escaped
#927 | Related Posts for WordPress | 35 | 20718010k+ | Output is not escaped
#928 | WP Responsive Tabs horizontal vertical and accordion Tabs | 35 | 5982122k+ | Output is not escaped
#929 | sCode (Easy Shortcodes) | 35 | 15797400 | Text Domain Mismatch
#930 | Internal Links Manager | 35 | 18812110k+ | Output is not escaped
#931 | FlexTable – Data Table Sync with Google Sheets | 35 | 20784k+ | Direct Query
#932 | SHOPVOTE | 35 | 6458400 | curl curl setopt
#933 | Uptime Robot Plugin for WordPress | 35 | 398324600 | Text Domain Mismatch
#934 | Spreadconnect | 35 | 128126700 | Output is not escaped
#935 | DPD Baltic Shipping | 35 | 912022k+ | Text Domain Mismatch
#936 | Access Areas for WordPress | 35 | 1795400 | Direct Query
#937 | WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets | 35 | 3520100k+ | Missing direct file access protection
#938 | WP Dark Mode – Improve Accessibility with AI Powered Dark Theme | 35 | 2016020k+ | Non-prefixed global variable
#939 | Database Backup for WordPress | 35 | 1288870k+ | Output is not escaped
#940 | WP-PageNavi | 35 | 8495500k+ | Non Singular String Literal Domain
#941 | Integration for WooCommerce and QuickBooks | 35 | 2631251k+ | Output is not escaped
#942 | WPFront User Role Editor | 35 | 33357830k+ | Output is not escaped
#943 | Year Make Model Search for WooCommerce | 35 | 1881621k+ | Output is not escaped
#944 | Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder | 36 | 332110k+ | Nonce verification recommended
#945 | Custom Category Post Order | 36 | 8083500 | Text Domain Mismatch
#946 | Desktop Mode | 36 | 15792k+ | Direct Query
#947 | Dynamic Copyright Year | 36 | 97243800 | Output is not escaped
#948 | Dynamic Front-End Heartbeat Control | 36 | 2171111k+ | Text Domain Mismatch
#949 | WP CTA – Call Now Button, Sticky Button & Call to Action Builder | 36 | 14332k+ | Non-prefixed global variable
#950 | GetPaid > Wallet | 36 | 149174700 | Text Domain Mismatch