WordPress.DB.DirectDatabaseQuery.SchemaChange
Schema Change
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
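The three fixes above together, as an added example that is not code from Plugin Check or from any plugin listed below; every `myplugin_*` name (table, option, cache group, functions) is a hypothetical stand-in. The schema change runs once from an activation routine guarded by a stored version option and `dbDelta()`, the repeated read goes through `$wpdb->prepare()` with an object-cache layer in front of it, and the write path invalidates that cache.

```php
<?php
// Added example (not Plugin Check's or any listed plugin's code); all myplugin_* names are hypothetical.
define( 'MYPLUGIN_DB_VERSION', '1.0' );

// Schema change: only from the activation hook, never on ordinary requests. Idempotent because
// dbDelta() creates or alters only what differs, and the stored version option short-circuits it.
function myplugin_install_schema() {
	global $wpdb;
	if ( MYPLUGIN_DB_VERSION === get_option( 'myplugin_db_version' ) ) {
		return;
	}
	require_once ABSPATH . 'wp-admin/includes/upgrade.php';
	$sql = "CREATE TABLE {$wpdb->prefix}myplugin_hits (
		id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
		post_id bigint(20) unsigned NOT NULL,
		hits bigint(20) unsigned NOT NULL DEFAULT 0,
		PRIMARY KEY  (id),
		UNIQUE KEY post_id (post_id)
	) {$wpdb->get_charset_collate()};"; // dbDelta() needs two spaces after PRIMARY KEY
	dbDelta( $sql );
	update_option( 'myplugin_db_version', MYPLUGIN_DB_VERSION );
}
register_activation_hook( __FILE__, 'myplugin_install_schema' );

// Repeated read: the dynamic value is bound via $wpdb->prepare() and the
// result is cached, so the query is not re-issued on every page load.
function myplugin_get_hits( $post_id ) {
	global $wpdb;
	$post_id = absint( $post_id );
	$hits    = wp_cache_get( 'hits_' . $post_id, 'myplugin' );
	if ( false === $hits ) {
		$hits = (int) $wpdb->get_var( $wpdb->prepare(
			"SELECT hits FROM {$wpdb->prefix}myplugin_hits WHERE post_id = %d",
			$post_id
		) );
		wp_cache_set( 'hits_' . $post_id, $hits, 'myplugin', HOUR_IN_SECONDS );
	}
	return $hits;
}

// Write path: prepared upsert, then drop the cached read so stale counts are never served.
function myplugin_record_hit( $post_id ) {
	global $wpdb;
	$post_id = absint( $post_id );
	$wpdb->query( $wpdb->prepare(
		"INSERT INTO {$wpdb->prefix}myplugin_hits (post_id, hits) VALUES (%d, 1)
		 ON DUPLICATE KEY UPDATE hits = hits + 1",
		$post_id
	) );
	wp_cache_delete( 'hits_' . $post_id, 'myplugin' );
}
```

Without a persistent object-cache drop-in, `wp_cache_*` only deduplicates within one request, which still satisfies the "clear caching strategy" point but will not reduce load across requests.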
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1001 | TopNewsWp – Display Tikcer News, RSS Feed Widget and Many More | 37 | 878 | 59 | 800 | | | Output is not escaped |
| #1002 | XT Visitor Counter | 37 | 177 | 52 | 7k+ | | | Output is not escaped |
| #1003 | Advanced 301 and 302 Redirect | 38 | 81 | 339 | 1k+ | | | Non-prefixed global variable |
| #1004 | Activity Log – Monitor & Record User Changes | 38 | 81 | 149 | 200k+ | | | Nonce verification recommended |
| #1005 | Automatic Post Tagger | 38 | 592 | 307 | 2k+ | | | Output is not escaped |
| #1006 | Bot Block – Stop Spam Referrals in Google Analytics | 38 | 28 | 42 | 600 | | | Output is not escaped |
| #1007 | Database for Contact Form 7 | 38 | 34 | 128 | 7k+ | | | Missing nonce verification |
| #1008 | Datafeedr WooCommerce Importer | 38 | 112 | 56 | 5k+ | | | Text Domain Mismatch |
| #1009 | Product Badge, Label, Countdown Timer for WooCommerce – Sale Booster | 38 | 37 | 98 | 5k+ | | | Interpolated SQL is not prepared |
| #1010 | Front-end Editor | 38 | 78 | 62 | 500 | | | Output is not escaped |
| #1011 | Goal Tracker – Custom Event Tracking for GA4 | 38 | 541 | 25 | 2k+ | | | Output is not escaped |
| #1012 | Insert PHP Code Snippet | 38 | 164 | 227 | 90k+ | | | Output is not escaped |
| #1013 | Maintenance Redirect | 38 | 244 | 132 | 10k+ | | | Missing Arg Domain |
| #1014 | Jock On Air Now (JOAN) | 38 | 121 | 224 | 400 | | | Output is not escaped |
| #1015 | Lana Downloads Manager | 38 | 146 | 78 | 3k+ | | | Unsafe printing function |
| #1016 | LWS Cleaner | 38 | 81 | 129 | 20k+ | | | Direct Query |
| #1017 | YAPE A1 Tiendas | 38 | 24 | 43 | 900 | | | Missing nonce verification |
| #1018 | Invoice123 | 38 | 139 | 88 | 400 | | | Text Domain Mismatch |
| #1019 | Simple Visitor Counter | 38 | 41 | 27 | 700 | | | Output is not escaped |
| #1020 | Social Snap — Social Share Buttons & Click to Tweet | 38 | 6 | 169 | 10k+ | | | Direct Query |
| #1021 | SRS Simple Hits Counter | 38 | 43 | 98 | 8k+ | | | Output is not escaped |
| #1022 | Tag Manager – Header, Body And Footer | 38 | 97 | 319 | 20k+ | | | Non-prefixed global variable |
| #1023 | Accessibility Tools & Alt Text Finder | 38 | 36 | 56 | 3k+ | | | Text Domain Mismatch |
| #1024 | Trackserver | 38 | 17 | 356 | 400 | | | Input is not sanitized |
| #1025 | Plugin Name: Traffic Stats Widget Plugin | 38 | 69 | 107 | 600 | | | Output is not escaped |
| #1026 | Trash Duplicate and 301 Redirect | 38 | 13 | 103 | 1k+ | | | Nonce verification recommended |
| #1027 | Vertical News Scroller | 38 | 118 | 60 | 5k+ | | | Output is not escaped |
| #1028 | WishSuite – Wishlist for WooCommerce | 38 | 76 | 133 | 1k+ | | | Output is not escaped |
| #1029 | Wholesale for WooCommerce | 38 | 541 | 22 | 1k+ | | | Output is not escaped |
| #1030 | Connect WooCommerce Shop to ERP/CRM, Verifactu and EU/VAT Compliance | 38 | 23 | 104 | 1k+ | | | Direct Query |
| #1031 | WP-DraftsForFriends | 38 | 141 | 71 | 1k+ | | | Output is not escaped |
| #1032 | Native PHP Sessions | 38 | 30 | 92 | 10k+ | | | Direct Query |
| #1033 | Real-Time Post Statistics for WordPress | 38 | 63 | 68 | 2k+ | | | SQL query is not prepared |
| #1034 | Zoho Campaigns | 38 | 3 | 129 | 3k+ | | | Non-prefixed global variable |
| #1035 | Add-on Gravity Forms – MailPoet 3 | 39 | 31 | 33 | 600 | | | Output is not escaped |
| #1036 | Better User Search | 39 | 24 | 44 | 700 | | | SQL query is not prepared |
| #1037 | Billplz for WooCommerce | 39 | 289 | 65 | 6k+ | | | Text Domain Mismatch |
| #1038 | Constant Contact + WooCommerce | 39 | 27 | 91 | 1k+ | | | Nonce verification recommended |
| #1039 | Image CAPTCHA for Contact Form 7 and WPForms by HookAndHook (DSGVO/GDPR) | 39 | 28 | 45 | 80k+ | | | Missing nonce verification |
| #1040 | DefendWP Firewall | 39 | 16 | 203 | 3k+ | | | Non-prefixed global variable |
| #1041 | Duplicate Killer – Prevent Duplicate Form Submissions | 39 | 57 | 103 | 1k+ | | | Non-prefixed global variable |
| #1042 | Email Marketing by EmailOctopus | 39 | 43 | 62 | 3k+ | | | Non-prefixed global variable |
| #1043 | Maintenance Mode | 39 | 86 | 109 | 7k+ | | | Output is not escaped |
| #1044 | Insert Html Snippet | 39 | 159 | 205 | 20k+ | | | Output is not escaped |
| #1045 | payever – WooCommerce Gateway | 39 | 263 | 131 | 700 | | | Text Domain Mismatch |
| #1046 | Query Multiple Taxonomies | 39 | 55 | 41 | 500 | | | Output is not escaped |
| #1047 | Quform Mailchimp | 39 | 65 | 147 | 800 | | | Nonce verification recommended |
| #1048 | Quform Zapier | 39 | 60 | 123 | 1k+ | | | Nonce verification recommended |
| #1049 | Smaily for WP | 39 | 52 | 36 | 700 | | | Output is not escaped |
| #1050 | Smart Archives Reloaded | 39 | 78 | 36 | 1k+ | | | Non Singular String Literal Domain |