WordPress.DB.DirectDatabaseQuery.SchemaChange
Schema Change
The plugin runs a direct database query instead of using a higher-level WordPress API or cache-aware pattern.
Why It Shows Up
Plugin Check found `$wpdb` access that queries the database directly, changes schema, or bypasses normal caching expectations.
Why It Matters
Direct queries can be correct, but they are easier to make unsafe, slower at scale, and harder for WordPress to cache or filter.
How to Fix
- Use WordPress APIs such as post, term, metadata, option, or user functions when they fit the task.
- If direct SQL is necessary, prepare dynamic values and add a clear caching strategy for repeated reads.
- Keep schema changes in activation or upgrade routines and make them idempotent.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #101 | Events Manager – Calendar, Bookings, Tickets, and more! | 22 | 4,722 | 5,621 | 70k+ | | | Output is not escaped |
| #102 | FireBox Popups – Increase Sales and Grow Your Email List | 22 | 153 | 812 | 7k+ | | | Non-prefixed global variable |
| #103 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | 22 | 409 | 236 | 700k+ | | | Text Domain Mismatch |
| #104 | Notification Bar, Announcement and Cookie Notice WordPress Plugin – FooBar | 22 | 1,321 | 1,371 | 3k+ | | | Non-prefixed global variable |
| #105 | GeoDirectory – WP Business Directory Plugin and Classified Listings Directory | 22 | 4,466 | 3,972 | 10k+ | | | Output is not escaped |
| #106 | HeadSpace2 SEO | 22 | 940 | 360 | 3k+ | | | Text Domain Mismatch |
| #107 | Hesabfa Accounting | 22 | 467 | 718 | 400 | | | Text Domain Mismatch |
| #108 | History Log by click5 | 22 | 675 | 1,290 | 400 | | | Direct Query |
| #109 | IMPress for IDX Broker | 22 | 1,085 | 636 | 7k+ | | | Text Domain Mismatch |
| #110 | Insert or Embed Articulate Content into WordPress | 22 | 659 | 1,437 | 2k+ | | | Non-prefixed global variable |
| #111 | The Innovative Form Builder – IvyForms | 22 | 713 | 250 | 400 | | | Exception output is not escaped |
| #112 | InfiniteWP Client | 22 | 2,286 | 1,812 | 200k+ | | | Exception output is not escaped |
| #113 | Import WP – Export and Import CSV and XML files to WordPress | 22 | 580 | 330 | 4k+ | | | Exception output is not escaped |
| #114 | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | 22 | 2,346 | 3,341 | 70k+ | | | Non-prefixed global variable |
| #115 | Leyka | 22 | 253 | 3,445 | 2k+ | | | Request data is not unslashed |
| #116 | Custom Login Page Customizer – Login Designer | 22 | 588 | 1,455 | 30k+ | | | Non-prefixed global variable |
| #117 | Mail Baby SMTP | 22 | 385 | 699 | 600 | | | SQL query is not prepared |
| #118 | MailOptin – Popup, Optin Forms & Email Newsletters for Mailchimp, HubSpot, AWeber Etc. | 22 | 2,619 | 2,453 | 10k+ | | | Output is not escaped |
| #119 | Modula Image Gallery – Photo Grid & Video Gallery | 22 | 474 | 436 | 100k+ | | | Text Domain Mismatch |
| #120 | Moloni | 22 | 902 | 356 | 2k+ | | | Missing Arg Domain |
| #121 | Newsletters | 22 | 2,968 | 2,248 | 2k+ | | | Text Domain Mismatch |
| #122 | WP OAuth Server (OAuth Authentication) | 22 | 189 | 347 | 3k+ | | | Non-prefixed function |
| #123 | PagBank / PagSeguro Connect para WooCommerce | 22 | 504 | 743 | 4k+ | | | Non-prefixed global variable |
| #124 | PAYCOMET for WooCommerce | 22 | 1,206 | 423 | 2k+ | | | Text Domain Mismatch |
| #125 | Smart Popup by Supsystic | 22 | 3,172 | 503 | 10k+ | | | Non Singular String Literal Domain |
| #126 | Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | 22 | 1,581 | 2,326 | 300k+ | | | Non-prefixed global variable |
| #127 | Prime Mover – Migrate WordPress Website & Backups | 22 | 1,326 | 1,600 | 10k+ | | | Non-prefixed global variable |
| #128 | Pronamic Pay | 22 | 258 | 1,077 | 2k+ | | | Non-prefixed global variable |
| #129 | PageSpeed Ninja – Cache, Minify, Defer CSS JavaScript, Critical CSS, Optimize Images, Convert WebP | 22 | 984 | 407 | 5k+ | | | Unsafe printing function |
| #130 | Restrict User Access – Ultimate Membership & Content Protection | 22 | 977 | 1,840 | 10k+ | | | Non-prefixed global variable |
| #131 | Salon Booking System – Free Version | 22 | 655 | 620 | 2k+ | | | Missing direct file access protection |
| #132 | Seraphinite Accelerator | 22 | 594 | 255 | 50k+ | | | Output is not escaped |
| #133 | SSL Zen — SSL Certificate Installer & HTTPS Redirects | 22 | 779 | 1,575 | 10k+ | | | Non-prefixed global variable |
| #134 | SVG Flags – Beautiful Scalable Flags For All Countries! | 22 | 755 | 1,251 | 2k+ | | | Non-prefixed global variable |
| #135 | Swift Performance Lite | 22 | 2,346 | 1,325 | 7k+ | | | Text Domain Mismatch |
| #136 | Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent | 22 | 225 | 519 | 8k+ | | | error log error log |
| #137 | Ultimate Carousel For Divi | 22 | 590 | 1,566 | 800 | | | Non-prefixed global variable |
| #138 | Ultimeter | 22 | 751 | 1,344 | 1k+ | | | Non-prefixed global variable |
| #139 | Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin | 22 | 530 | 2,334 | 40k+ | | | Direct Query |
| #140 | Unlimited Elements Blocks Library | 22 | 708 | 1,822 | 400 | | | Non-prefixed global variable |
| #141 | RapidLoad AI – Optimize Web Vitals Automatically | 22 | 81 | 840 | 800 | | | Nonce verification recommended |
| #142 | Search & Replace Everything – Quick and Easy Way to Find and Replace Text, Links | 22 | 1,044 | 1,797 | 20k+ | | | Non-prefixed global variable |
| #143 | URL Shortify – Simple and Easy URL Shortener | 22 | 1,520 | 2,689 | 10k+ | | | Non-prefixed global variable |
| #144 | Welcart e-Commerce | 22 | 10,377 | 10,896 | 10k+ | | | Text Domain Mismatch |
| #145 | UserFeedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds | 22 | 444 | 243 | 200k+ | | | Text Domain Mismatch |
| #146 | Walker Core | 22 | 1,351 | 1,436 | 800 | | | Non-prefixed global variable |
| #147 | Fraud Prevention For WooCommerce and EDD | 22 | 572 | 1,394 | 5k+ | | | Non-prefixed global variable |
| #148 | WooCommerce | 22 | 1,359 | 6,171 | 7m+ | | | Non-prefixed global variable |
| #149 | Advanced AJAX Product Filters | 22 | 2,683 | 1,205 | 50k+ | | | Text Domain Mismatch |
| #150 | WP Affiliate Disclosure | 22 | 1,358 | 1,504 | 1k+ | | | Non-prefixed global variable |