WordPress.DB.DirectDatabaseQuery.SchemaChange

Schema Change

The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.

medium weight

Why It Shows Up

Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.

Why It Matters

Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.

How to Fix

  • Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
  • If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
  • Keep schema changes in activation or upgrade routines and make them idempotent.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#951Google Webfont Optimizer364549700Output is not escaped
#952Header Footer Code Manager3681180600k+Non-prefixed global variable
#953HTML Forms – Simple WordPress Forms Plugin3623116610k+Output is not escaped
#954HTTP Requests Manager3698901k+Output is not escaped
#955Lara's Google Analytics (GA4)36303579k+Unsafe printing function
#956LocalWeb All In One36342975k+Non-prefixed global variable
#957Microsoft Clarity3648163200k+Nonce verification recommended
#958NextGEN Custom Fields362151311k+SQL query is not prepared
#959Peter’s Post Notes362241023k+Output is not escaped
#960افزونه رسمی ترب36428620k+Exception output is not escaped
#961Better Find and Replace – AI-Powered Suggestions366712940k+Missing direct file access protection
#962Optimize Database after Deleting Revisions3664412760k+Output is not escaped
#963StaticPress368879500Output is not escaped
#964Subscribe to Comments3612916310k+Output is not escaped
#965Supplier Order Email3654105400Output is not escaped
#966SurveyJS: Drag & Drop Form Builder3612134500Missing Version
#967Advance Side Cart, Ajax Cart & Floating Cart for WooCommerce36371216k+Non-prefixed global variable
#968Plugin Name: Traffic Counter Widget Plugin3671107600Output is not escaped
#969Zoho ZeptoMail36321105k+Request data is not unslashed
#970Uji Countdown36284984k+Text Domain Mismatch
#971WP-EMail36340951k+Unsafe printing function
#972WP Super Edit36351852k+Nonce verification recommended
#973Database Snapshots – WPvivid36661081k+Direct Query
#974Anything Popup371641852k+Non-prefixed global variable
#975avalex – Automatisch sichere Rechtstexte3725851k+Direct Query
#976Banhammer – Monitor Site Traffic, Block Bad Users and Bots371041741k+Output is not escaped
#977Contact Zalo Report SW374439900Missing Arg Domain
#978ClickRank – Ai SEO Automation37102261k+Direct Query
#979Lightweight Subscribe To Comments37105701k+Unsafe printing function
#980Easy Testimonial Slider and Form3714144700Request data is not unslashed
#981果果推送3731561k+Nonce verification recommended
#982GHL Gravity Bridge – Send Gravity Forms leads to GHL CRM3759269600Direct Query
#983GoPay for WooCommerce37661031k+Non-prefixed global variable
#984Horizontal scrolling announcements372151408k+Output is not escaped
#985JS Help Desk – AI-Powered Support & Ticketing System37174067k+Missing nonce verification
#986Maintenance Page3762333k+Output is not escaped
#987CrawlWP SEO – Instant Search Engine Indexing & SEO Performance Monitor37479040k+Dynamic hook name
#988My Post Order37100114400Output is not escaped
#989PayU CommercePro Plugin372187k+error log error log
#990Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales3759642k+SQL query is not prepared
#991Quentn WP374251500Nonce verification recommended
#992rapidmail: Newsletter & E-Mail Marketing for WooCommerce377947400Text Domain Mismatch
#993Send PDF for Contact Form 737223089k+Non-prefixed global variable
#994UsersWP – Social Login37299912k+Text Domain Mismatch
#995Virtual Classroom – Video Conferencing & Online Meeting with BigBlueButton3745140400Nonce verification recommended
#996Piraeus Bank WooCommerce Payment Gateway371461043k+Non Singular String Literal Domain
#997Wordable – Export Google Docs to WordPress3747632k+Output is not escaped
#998WPForce Logout – WordPress User Login Logout Management Plugin37567328k+Output is not escaped
#999Persistent Login373381086k+Unsafe printing function
#1000Special Text Boxes3738422k+Direct Query