PluginScore

WordPress.DB.RestrictedFunctions.mysql_mysqli_num_rows

mysql mysqli num rows

The plugin uses a raw MySQL extension or class instead of WordPress database APIs.

medium weight

Why It Shows Up

The scan found `mysql_*`, `mysqli_*`, PDO MySQL, or related database functions in plugin code.

Why It Matters

Bypassing `$wpdb` can ignore WordPress database configuration, escaping conventions, character sets, and compatibility layers.

How to Fix

  • Replace raw MySQL calls with `$wpdb` methods or higher-level WordPress APIs.
  • Use `$wpdb->prepare()` for dynamic values.
  • If a third-party library requires a database connection, isolate it and document why WordPress APIs cannot be used.

References

WordPress database access

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More212,5721,2771m+Output is not escaped
#2wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin211,8111,43270k+Output is not escaped
#3Prime Mover – Migrate WordPress Website & Backups221,3261,60010k+Non-prefixed global variable
#4File Manager227405201m+Unsafe printing function
#5Softaculous231164910k+file system operations fread
#6WP STAGING – WordPress Backup, Migration, Clone & Duplicate231,4891,549100k+Non-prefixed global variable
#7Backuply – Backup, Restore, Migrate and Clone24704551700k+Non-prefixed global variable
#8WEB-Translation – eTranslation Multilingual252171,057400Non-prefixed function
#9TranslatePress – Translate Multilingual sites with AI Translation254521,541400k+Non-prefixed hook name
#10WPvivid Backup for MainWP258181,79410k+Missing nonce verification
#11EZ SQL Reports Shortcode Widget and DB Backup27165158500Output is not escaped
#12User Spam Remover31115141k+Output is not escaped
#13PW WooCommerce Bulk Edit3421914920k+Unsafe printing function