WordPress.DB.RestrictedFunctions.mysql_mysqli_fetch_assoc

mysql mysqli fetch assoc

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

medium weight

Why It Shows Up

The scan found `mysql_*`, `mysqli_*`, PDO MySQL, or related database functions in plugin code.

Why It Matters

Bypassing `$wpdb` can ignore WordPress database configuration, escaping conventions, character sets, and compatibility layers.

How to Fix

  • Replace raw MySQL calls with `$wpdb` methods or higher-level WordPress APIs.
  • Use `$wpdb->prepare()` for dynamic values.
  • If a third-party library requires a database connection, isolate it and document why WordPress APIs cannot be used.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More212,5721,2771m+Output is not escaped
#2wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin211,8111,43270k+Output is not escaped
#3Prime Mover – Migrate WordPress Website & Backups221,3261,60010k+Non-prefixed global variable
#4WP STAGING – WordPress Backup, Restore, Migration & Clone231,4941,550100k+Non-prefixed global variable
#5A2 Optimized WP – Turbocharge and secure your WordPress site2427123160k+Missing Arg Domain
#6Backuply – Backup, Restore, Migrate and Clone24704551700k+Non-prefixed global variable
#7Softaculous241154910k+file system operations fread
#8WEB-Translation – eTranslation Multilingual252171,057400Non-prefixed function
#9TranslatePress – Translate Multilingual sites with AI Translation254551,545400k+Non-prefixed function
#10EZ SQL Reports Shortcode Widget and DB Backup27165158500Output is not escaped
#11User Spam Remover31115141k+Output is not escaped
#12WPPerformanceTester3594441k+Output is not escaped
#13SQL Executioner7018172k+Non-prefixed global variable
#14Run SQL Query78138600Non-prefixed global variable