WordPress.DB.DirectDatabaseQuery.SchemaChange
Schema Change
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #951 | Google Webfont Optimizer | 36 | 45 | 49 | 700 | Output is not escaped | ||
| #952 | Header Footer Code Manager | 36 | 81 | 180 | 600k+ | Non-prefixed global variable | ||
| #953 | HTML Forms – Simple WordPress Forms Plugin | 36 | 231 | 166 | 10k+ | Output is not escaped | ||
| #954 | HTTP Requests Manager | 36 | 98 | 90 | 1k+ | Output is not escaped | ||
| #955 | Lara's Google Analytics (GA4) | 36 | 303 | 57 | 9k+ | Unsafe printing function | ||
| #956 | LocalWeb All In One | 36 | 34 | 297 | 5k+ | Non-prefixed global variable | ||
| #957 | Microsoft Clarity | 36 | 48 | 163 | 200k+ | Nonce verification recommended | ||
| #958 | NextGEN Custom Fields | 36 | 215 | 131 | 1k+ | SQL query is not prepared | ||
| #959 | Peter’s Post Notes | 36 | 224 | 102 | 3k+ | Output is not escaped | ||
| #960 | افزونه رسمی ترب | 36 | 42 | 86 | 20k+ | Exception output is not escaped | ||
| #961 | Better Find and Replace – AI-Powered Suggestions | 36 | 67 | 129 | 40k+ | Missing direct file access protection | ||
| #962 | Optimize Database after Deleting Revisions | 36 | 644 | 127 | 60k+ | Output is not escaped | ||
| #963 | StaticPress | 36 | 88 | 79 | 500 | Output is not escaped | ||
| #964 | Subscribe to Comments | 36 | 129 | 163 | 10k+ | Output is not escaped | ||
| #965 | Supplier Order Email | 36 | 54 | 105 | 400 | Output is not escaped | ||
| #966 | SurveyJS: Drag & Drop Form Builder | 36 | 12 | 134 | 500 | Missing Version | ||
| #967 | Advance Side Cart, Ajax Cart & Floating Cart for WooCommerce | 36 | 37 | 121 | 6k+ | Non-prefixed global variable | ||
| #968 | Plugin Name: Traffic Counter Widget Plugin | 36 | 71 | 107 | 600 | Output is not escaped | ||
| #969 | Zoho ZeptoMail | 36 | 32 | 110 | 5k+ | Request data is not unslashed | ||
| #970 | Uji Countdown | 36 | 284 | 98 | 4k+ | Text Domain Mismatch | ||
| #971 | WP-EMail | 36 | 340 | 95 | 1k+ | Unsafe printing function | ||
| #972 | WP Super Edit | 36 | 35 | 185 | 2k+ | Nonce verification recommended | ||
| #973 | Database Snapshots – WPvivid | 36 | 66 | 108 | 1k+ | Direct Query | ||
| #974 | Anything Popup | 37 | 164 | 185 | 2k+ | Non-prefixed global variable | ||
| #975 | avalex – Automatisch sichere Rechtstexte | 37 | 25 | 85 | 1k+ | Direct Query | ||
| #976 | Banhammer – Monitor Site Traffic, Block Bad Users and Bots | 37 | 104 | 174 | 1k+ | Output is not escaped | ||
| #977 | Contact Zalo Report SW | 37 | 44 | 39 | 900 | Missing Arg Domain | ||
| #978 | ClickRank – Ai SEO Automation | 37 | 10 | 226 | 1k+ | Direct Query | ||
| #979 | Lightweight Subscribe To Comments | 37 | 105 | 70 | 1k+ | Unsafe printing function | ||
| #980 | Easy Testimonial Slider and Form | 37 | 14 | 144 | 700 | Request data is not unslashed | ||
| #981 | 果果推送 | 37 | 31 | 56 | 1k+ | Nonce verification recommended | ||
| #982 | GHL Gravity Bridge – Send Gravity Forms leads to GHL CRM | 37 | 59 | 269 | 600 | Direct Query | ||
| #983 | GoPay for WooCommerce | 37 | 66 | 103 | 1k+ | Non-prefixed global variable | ||
| #984 | Horizontal scrolling announcements | 37 | 215 | 140 | 8k+ | Output is not escaped | ||
| #985 | JS Help Desk – AI-Powered Support & Ticketing System | 37 | 17 | 406 | 7k+ | Missing nonce verification | ||
| #986 | Maintenance Page | 37 | 62 | 33 | 3k+ | Output is not escaped | ||
| #987 | CrawlWP SEO – Instant Search Engine Indexing & SEO Performance Monitor | 37 | 47 | 90 | 40k+ | Dynamic hook name | ||
| #988 | My Post Order | 37 | 100 | 114 | 400 | Output is not escaped | ||
| #989 | PayU CommercePro Plugin | 37 | 218 | 7k+ | error log error log | |||
| #990 | Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales | 37 | 59 | 64 | 2k+ | SQL query is not prepared | ||
| #991 | Quentn WP | 37 | 4 | 251 | 500 | Nonce verification recommended | ||
| #992 | rapidmail: Newsletter & E-Mail Marketing for WooCommerce | 37 | 79 | 47 | 400 | Text Domain Mismatch | ||
| #993 | Send PDF for Contact Form 7 | 37 | 22 | 308 | 9k+ | Non-prefixed global variable | ||
| #994 | UsersWP – Social Login | 37 | 299 | 91 | 2k+ | Text Domain Mismatch | ||
| #995 | Virtual Classroom – Video Conferencing & Online Meeting with BigBlueButton | 37 | 45 | 140 | 400 | Nonce verification recommended | ||
| #996 | Piraeus Bank WooCommerce Payment Gateway | 37 | 146 | 104 | 3k+ | Non Singular String Literal Domain | ||
| #997 | Wordable – Export Google Docs to WordPress | 37 | 47 | 63 | 2k+ | Output is not escaped | ||
| #998 | WPForce Logout – WordPress User Login Logout Management Plugin | 37 | 567 | 32 | 8k+ | Output is not escaped | ||
| #999 | Persistent Login | 37 | 338 | 108 | 6k+ | Unsafe printing function | ||
| #1000 | Special Text Boxes | 37 | 38 | 42 | 2k+ | Direct Query |