WordPress.DB.DirectDatabaseQuery.SchemaChange

Schema Change

The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.

medium weight

Why It Shows Up

Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.

Why It Matters

Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.

How to Fix

  • Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
  • If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
  • Keep schema changes in activation or upgrade routines and make them idempotent.
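The last two fixes, sketched together as an added example (not code from this page or from any plugin listed here). The `myplugin` prefix, the `myplugin_events` table, the `myplugin_db_version` option and the five-minute cache lifetime are all hypothetical.

```php
<?php
// Added example: every "myplugin" name below is a hypothetical placeholder.
define( 'MYPLUGIN_DB_VERSION', '2' );

function myplugin_install_schema() {
    global $wpdb;
    // Idempotence guard: do nothing when the stored schema version is current.
    if ( get_option( 'myplugin_db_version' ) === MYPLUGIN_DB_VERSION ) {
        return;
    }
    $table = $wpdb->prefix . 'myplugin_events';
    // dbDelta() compares this definition with the live table and only creates
    // or alters what differs, so running it twice leaves the schema unchanged.
    // It expects one column per line and two spaces after PRIMARY KEY.
    $sql = "CREATE TABLE {$table} (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        user_id bigint(20) unsigned NOT NULL DEFAULT 0,
        event varchar(64) NOT NULL,
        created datetime NOT NULL,
        PRIMARY KEY  (id),
        KEY user_id (user_id)
    ) " . $wpdb->get_charset_collate() . ';';
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    dbDelta( $sql );
    update_option( 'myplugin_db_version', MYPLUGIN_DB_VERSION );
}
// The activation hook does not fire on plugin updates, so the same routine
// also runs on load; the version guard keeps that cheap.
register_activation_hook( __FILE__, 'myplugin_install_schema' );
add_action( 'plugins_loaded', 'myplugin_install_schema' );

function myplugin_count_events( $user_id ) {
    global $wpdb;
    $user_id = absint( $user_id );
    $key     = 'event_count_' . $user_id;
    // Repeated reads come from the object cache instead of the database.
    $count = wp_cache_get( $key, 'myplugin' );
    if ( false === $count ) {
        // The dynamic value is bound through prepare(), never interpolated.
        $count = (int) $wpdb->get_var(
            $wpdb->prepare(
                "SELECT COUNT(*) FROM {$wpdb->prefix}myplugin_events WHERE user_id = %d",
                $user_id
            )
        );
        wp_cache_set( $key, $count, 'myplugin', 5 * MINUTE_IN_SECONDS );
    }
    return $count;
}
```

Any code path that writes to the table should also call `wp_cache_delete()` for the affected key so the cached count does not go stale.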

Affected Plugins

Rank | Plugin | Score Errors Warnings Installs Added Updated | Top Issue
#1001 | TopNewsWp – Display Tikcer News, RSS Feed Widget and Many More | 3787859800 | Output is not escaped
#1002 | XT Visitor Counter | 37177527k+ | Output is not escaped
#1003 | Advanced 301 and 302 Redirect | 38813391k+ | Non-prefixed global variable
#1004 | Activity Log – Monitor & Record User Changes | 3881149200k+ | Nonce verification recommended
#1005 | Automatic Post Tagger | 385923072k+ | Output is not escaped
#1006 | Bot Block – Stop Spam Referrals in Google Analytics | 382842600 | Output is not escaped
#1007 | Database for Contact Form 7 | 38341287k+ | Missing nonce verification
#1008 | Datafeedr WooCommerce Importer | 38112565k+ | Text Domain Mismatch
#1009 | Product Badge, Label, Countdown Timer for WooCommerce – Sale Booster | 3837985k+ | Interpolated SQL is not prepared
#1010 | Front-end Editor | 387862500 | Output is not escaped
#1011 | Goal Tracker – Custom Event Tracking for GA4 | 38541252k+ | Output is not escaped
#1012 | Insert PHP Code Snippet | 3816422790k+ | Output is not escaped
#1013 | Maintenance Redirect | 3824413210k+ | Missing Arg Domain
#1014 | Jock On Air Now (JOAN) | 38121224400 | Output is not escaped
#1015 | Lana Downloads Manager | 38146783k+ | Unsafe printing function
#1016 | LWS Cleaner | 388112920k+ | Direct Query
#1017 | YAPE A1 Tiendas | 382443900 | Missing nonce verification
#1018 | Invoice123 | 3813988400 | Text Domain Mismatch
#1019 | Simple Visitor Counter | 384127700 | Output is not escaped
#1020 | Social Snap — Social Share Buttons & Click to Tweet | 38616910k+ | Direct Query
#1021 | SRS Simple Hits Counter | 3843988k+ | Output is not escaped
#1022 | Tag Manager – Header, Body And Footer | 389731920k+ | Non-prefixed global variable
#1023 | Accessibility Tools & Alt Text Finder | 3836563k+ | Text Domain Mismatch
#1024 | Trackserver | 3817356400 | Input is not sanitized
#1025 | Plugin Name: Traffic Stats Widget Plugin | 3869107600 | Output is not escaped
#1026 | Trash Duplicate and 301 Redirect | 38131031k+ | Nonce verification recommended
#1027 | Vertical News Scroller | 38118605k+ | Output is not escaped
#1028 | WishSuite – Wishlist for WooCommerce | 38761331k+ | Output is not escaped
#1029 | Wholesale for WooCommerce | 38541221k+ | Output is not escaped
#1030 | Connect WooCommerce Shop to ERP/CRM, Verifactu and EU/VAT Compliance | 38231041k+ | Direct Query
#1031 | WP-DraftsForFriends | 38141711k+ | Output is not escaped
#1032 | Native PHP Sessions | 38309210k+ | Direct Query
#1033 | Real-Time Post Statistics for WordPress | 3863682k+ | SQL query is not prepared
#1034 | Zoho Campaigns | 3831293k+ | Non-prefixed global variable
#1035 | Add-on Gravity Forms – MailPoet 3 | 393133600 | Output is not escaped
#1036 | Better User Search | 392444700 | SQL query is not prepared
#1037 | Billplz for WooCommerce | 39289656k+ | Text Domain Mismatch
#1038 | Constant Contact + WooCommerce | 3927911k+ | Nonce verification recommended
#1039 | Image CAPTCHA for Contact Form 7 and WPForms by HookAndHook (DSGVO/GDPR) | 39284580k+ | Missing nonce verification
#1040 | DefendWP Firewall | 39162033k+ | Non-prefixed global variable
#1041 | Duplicate Killer – Prevent Duplicate Form Submissions | 39571031k+ | Non-prefixed global variable
#1042 | Email Marketing by EmailOctopus | 3943623k+ | Non-prefixed global variable
#1043 | Maintenance Mode | 39861097k+ | Output is not escaped
#1044 | Insert Html Snippet | 3915920520k+ | Output is not escaped
#1045 | payever – WooCommerce Gateway | 39263131700 | Text Domain Mismatch
#1046 | Query Multiple Taxonomies | 395541500 | Output is not escaped
#1047 | Quform Mailchimp | 3965147800 | Nonce verification recommended
#1048 | Quform Zapier | 39601231k+ | Nonce verification recommended
#1049 | Smaily for WP | 395236700 | Output is not escaped
#1050 | Smart Archives Reloaded | 3978361k+ | Non Singular String Literal Domain