WordPress.DB.DirectDatabaseQuery.SchemaChange
Schema Change
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
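The three points above, as one added example (not code from the page or from Plugin Check): a hypothetical plugin keeps its table creation in an activation/upgrade routine that is safe to re-run, binds dynamic values with `$wpdb->prepare()`, and caches repeated reads with the object cache using the core `last_changed` invalidation pattern. The plugin prefix `exampleplugin_`, the table name, the option name and the cache group are all assumptions.

```php
<?php
// Added example, not from the page. All exampleplugin_* names, the table
// and option names, and the cache group are hypothetical.

defined( 'ABSPATH' ) || exit;

const EXAMPLEPLUGIN_DB_VERSION = '1.1';

/**
 * Create or upgrade the plugin table. dbDelta() diffs the desired CREATE
 * TABLE against what exists and applies only the changes, and the stored
 * schema version short-circuits repeat calls, so this is idempotent.
 */
function exampleplugin_install_schema() {
    global $wpdb;

    if ( EXAMPLEPLUGIN_DB_VERSION === get_option( 'exampleplugin_db_version' ) ) {
        return; // Already at this schema version.
    }

    $table           = $wpdb->prefix . 'exampleplugin_events';
    $charset_collate = $wpdb->get_charset_collate();

    // dbDelta() is strict about layout: one column per line and two spaces
    // after PRIMARY KEY.
    $sql = "CREATE TABLE {$table} (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        user_id bigint(20) unsigned NOT NULL,
        event_name varchar(64) NOT NULL,
        created_at datetime NOT NULL,
        PRIMARY KEY  (id),
        KEY user_id (user_id)
    ) {$charset_collate};";

    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    dbDelta( $sql );

    update_option( 'exampleplugin_db_version', EXAMPLEPLUGIN_DB_VERSION );
}
register_activation_hook( __FILE__, 'exampleplugin_install_schema' );
// Also run after load so an update that skipped activation still migrates.
add_action( 'plugins_loaded', 'exampleplugin_install_schema' );

/**
 * Read recent events for one user. The values are bound with
 * $wpdb->prepare(), and the result is cached; the cache key embeds the
 * group's last_changed timestamp, so a write invalidates every read key.
 */
function exampleplugin_get_recent_events( $user_id, $limit = 10 ) {
    global $wpdb;

    $user_id      = absint( $user_id );
    $limit        = max( 1, absint( $limit ) );
    $group        = 'exampleplugin';
    $last_changed = wp_cache_get_last_changed( $group );
    $cache_key    = "recent_events:{$user_id}:{$limit}:{$last_changed}";

    $rows = wp_cache_get( $cache_key, $group );
    if ( false !== $rows ) {
        return $rows;
    }

    $table = $wpdb->prefix . 'exampleplugin_events';
    // Plugin-owned table with no core API equivalent; result cached below.
    // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, event_name, created_at FROM {$table} WHERE user_id = %d ORDER BY created_at DESC LIMIT %d",
            $user_id,
            $limit
        )
    );

    wp_cache_set( $cache_key, $rows, $group, 5 * MINUTE_IN_SECONDS );

    return $rows;
}

/**
 * Insert an event through $wpdb->insert() (which escapes for us) and bump
 * last_changed so cached reads are invalidated.
 */
function exampleplugin_add_event( $user_id, $event_name ) {
    global $wpdb;

    $ok = $wpdb->insert(
        $wpdb->prefix . 'exampleplugin_events',
        array(
            'user_id'    => absint( $user_id ),
            'event_name' => sanitize_key( $event_name ),
            'created_at' => current_time( 'mysql', true ),
        ),
        array( '%d', '%s', '%s' )
    );

    if ( false !== $ok ) {
        wp_cache_set( 'last_changed', microtime(), 'exampleplugin' );
    }

    return false !== $ok;
}
```

The `phpcs:ignore` line is deliberately narrow: it suppresses only the `DirectQuery` code on the one statement that genuinely needs raw SQL, after the read has been made both prepared and cached, rather than silencing the whole sniff for the file.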
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1051 | Stock Ticker | 39 | 92 | 49 | 2k+ | | | Output is not escaped |
| #1052 | Easy Category Icons | 39 | 50 | 43 | 600 | | | Text Domain Mismatch |
| #1053 | Traffic Monitor | 39 | 6 | 143 | 1k+ | | | Direct Query |
| #1054 | Eurobank WooCommerce Payment Gateway | 39 | 62 | 63 | 2k+ | | | Non Singular String Literal Domain |
| #1055 | Wallet for WooCommerce | 39 | 36 | 524 | 20k+ | | | Non-prefixed hook name |
| #1056 | WP Limit Login Attempts | 39 | 26 | 67 | 10k+ | | | Direct Query |
| #1057 | WP Most Popular | 39 | 50 | 35 | 2k+ | | | Output is not escaped |
| #1058 | Zotpress | 39 | 80 | 403 | 2k+ | | | Non-prefixed global variable |
| #1059 | 404 Notifier | 40 | 39 | 41 | 700 | | | Output is not escaped |
| #1060 | Atomic Edge Security – Firewall, Malware Scan and Login Security | 40 | 12 | 184 | 700 | | | Non-prefixed global variable |
| #1061 | AxiaChat AI – Free AI Chatbot (Answers Customers Automatically) | 40 | 2 | 135 | 2k+ | | | Interpolated SQL is not prepared |
| #1062 | Broken Link Notifier | 40 | 11 | 193 | 1k+ | | | Non-prefixed global variable |
| #1063 | Copyscape Premium | 40 | 148 | 133 | 800 | | | SQL query is not prepared |
| #1064 | Country State City Dropdown CF7 | 40 | 35 | 54 | 5k+ | | | Direct Query |
| #1065 | Cron Logger | 40 | 49 | 36 | 1k+ | | | Output is not escaped |
| #1066 | Cryptocurrency Widgets Pack | 40 | 222 | 52 | 700 | | | Unsafe printing function |
| #1067 | Eventer | 40 | 61 | 55 | 1k+ | | | Output is not escaped |
| #1068 | LLM Bot Tracker – AI Crawler Detection & Analytics | 40 | 18 | 90 | 700 | | | Database parameter is not escaped |
| #1069 | Random Banner | 40 | 59 | 125 | 1k+ | | | Output is not escaped |
| #1070 | Role Based Redirect | 40 | 20 | 96 | 2k+ | | | Non-prefixed global variable |
| #1071 | Simple Statistics for Feeds | 40 | 64 | 131 | 800 | | | Nonce verification recommended |
| #1072 | Payment Gateway – nexi Alpha Bank for WooCommerce | 40 | 28 | 45 | 1k+ | | | Missing nonce verification |
| #1073 | Database for CF7 | 41 | 37 | 32 | 2k+ | | | Text Domain Mismatch |
| #1074 | SNORDIAN's H5PxAPIkatchu | 41 | 119 | 88 | 500 | | | SQL query is not prepared |
| #1075 | Native Emoji | 41 | 54 | 37 | 5k+ | | | Unsafe printing function |
| #1076 | Page & Post Notes | 41 | 12 | 77 | 1k+ | | | Non-prefixed global variable |
| #1077 | Simple Product Options for WooCommerce | 41 | 62 | 41 | 3k+ | | | Output is not escaped |
| #1078 | Smoove connector for Elementor forms | 41 | 22 | 60 | 600 | | | Nonce verification recommended |
| #1079 | StifLi Flex MCP – MCP Server with undo for ChatGPT, Claude & Gemini | 41 | 2 | 111 | 1k+ | | | Interpolated SQL is not prepared |
| #1080 | Abandoned Cart Recovery for WooCommerce | 41 | 20 | 202 | 4k+ | | | Request data is not unslashed |
| #1081 | WP Media folders | 41 | 19 | 74 | 3k+ | | | Direct Query |
| #1082 | Agoda Affiliate Partners Text Link Generator | 42 | 4 | 40 | 500 | | | Interpolated SQL is not prepared |
| #1083 | Comment Reply Email | 42 | 21 | 23 | 500 | | | Unsafe printing function |
| #1084 | Custom Taxonomy Order | 42 | 20 | 56 | 50k+ | | | Output is not escaped |
| #1085 | FormCraft – Form Builder | 42 | 186 | 156 | 2k+ | | | Text Domain Mismatch |
| #1086 | Geo Blocker – Control Site Access by Region and IP | 42 | 10 | 64 | 800 | | | Direct Query |
| #1087 | WP Email Log – PostBox | 42 | 2 | 81 | 700 | | | Nonce verification recommended |
| #1088 | Sendcloud Shipping | 42 | 78 | 56 | 5k+ | | | Output is not escaped |
| #1089 | Simple Googlebot Visit | 42 | 32 | 67 | 1k+ | | | Non Singular String Literal Domain |
| #1090 | Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) | 42 | 2,583 | 1,823 | 10k+ | | | Text Domain Mismatch |
| #1091 | I Order Terms | 44 | 40 | 24 | 1k+ | | | Output is not escaped |
| #1092 | Super Blank | 45 | 131 | 56 | 10k+ | | | Missing direct file access protection |
| #1093 | Easy Subscribe | 46 | 132 | 700 | | | | Direct Query |
| #1094 | GetAutoSEO AI Tool | 46 | 10 | 250 | 1k+ | | | Direct Query |
| #1095 | Gravity Forms Constant Contact | 46 | 36 | 27 | 3k+ | | | Non-prefixed class |
| #1096 | Updater by BestWebSoft | 46 | 494 | 219 | 2k+ | | | Text Domain Mismatch |
| #1097 | Delete Duplicate Posts | 47 | 9 | 50 | 10k+ | | | Direct Query |
| #1098 | Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator | 47 | 44 | 83 | 10k+ | | | Missing direct file access protection |
| #1099 | Real Media Library: Media Library Folder & File Manager | 47 | 1 | 365 | 100k+ | | | Direct Query |
| #1100 | AffiliateWP – Store Credit | 48 | 47 | 21 | 400 | | | Output is not escaped |