PluginCheck.CodeAnalysis.WriteFile.ABSPATHDetected
ABSPATHDetected
The plugin writes files in or near plugin-controlled directories.
Why It Shows Up
Plugin Check found file creation or modification behavior that may affect the plugin directory or executable files.
Why It Matters
Runtime writes to plugin code directories can break updates, create permission issues, or introduce supply-chain risk.
How to Fix
- Store generated data in uploads, cache, or another WordPress-approved writable location.
- Validate paths and file names against strict allowlists.
- Avoid modifying plugin source files at runtime.
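The three fixes above combined in one helper, as an added example that is not taken from Plugin Check or from any listed plugin. The `myplugin` prefix, the `reports` and `myplugin` directory names, and the extension allowlist are hypothetical; the WordPress functions called are core APIs.

```php
<?php
// Added example. The "myplugin" prefix, directory names and allowlist are hypothetical.

// Before: generated data is written next to the plugin's own code.
function myplugin_save_report_unsafe( $name, $data ) {
	return file_put_contents( plugin_dir_path( __FILE__ ) . 'reports/' . $name, $data );
}

// After: data goes to a plugin subfolder of uploads, under a validated file name.
function myplugin_save_report( $name, $data ) {
	$allowed_ext = array( 'json', 'csv', 'txt' ); // strict allowlist, nothing executable

	// Drop any directory part, then normalise the remaining file name.
	$name = sanitize_file_name( wp_basename( $name ) );
	$ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
	if ( '' === $name || ! in_array( $ext, $allowed_ext, true ) ) {
		return new WP_Error( 'myplugin_bad_name', 'File name or type is not allowed.' );
	}

	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', $uploads['error'] );
	}

	$dir = trailingslashit( $uploads['basedir'] ) . 'myplugin';
	if ( ! wp_mkdir_p( $dir ) ) {
		return new WP_Error( 'myplugin_mkdir', 'Could not create the data directory.' );
	}

	// Resolve symlinks and refuse any target that ends up under the plugins tree.
	$real_dir  = realpath( $dir );
	$code_root = trailingslashit( wp_normalize_path( (string) realpath( WP_PLUGIN_DIR ) ) );
	$target    = wp_normalize_path( $real_dir . '/' . $name );
	if ( false === $real_dir || 0 === strpos( $target, $code_root ) ) {
		return new WP_Error( 'myplugin_bad_path', 'Refusing to write inside the plugins directory.' );
	}

	// Write through the WordPress filesystem abstraction.
	require_once ABSPATH . 'wp-admin/includes/file.php';
	global $wp_filesystem;
	if ( ! WP_Filesystem() || ! $wp_filesystem->put_contents( $target, $data, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write', 'Could not write the file.' );
	}

	return $target;
}
```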
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #51 | SEO Plugin by Squirrly SEO | 25 | 1,130 | 222 | 40k+ | Missing Translators Comment |
| #52 | Spectra Gutenberg Blocks – Website Builder for the Block Editor | 25 | 253 | 3,227 | 1m+ | Non-prefixed global variable |
| #53 | WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan | 25 | 727 | 1,554 | 50k+ | Non-prefixed global variable |
| #54 | Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | 26 | 113 | 597 | 90k+ | Non-prefixed global variable |
| #55 | WP Events Manager | 27 | 294 | 415 | 30k+ | Output is not escaped |
| #56 | Praison AI SEO | 28 | 643 | 306 | 1k+ | Text Domain Mismatch |
| #57 | Shiptastic for WooCommerce | 29 | 136 | 630 | 10k+ | Non-prefixed global variable |
| #58 | Taboola | 30 | 89 | 147 | 1k+ | Output is not escaped |
| #59 | Widgetize Pages Light | 30 | 145 | 104 | 3k+ | Output is not escaped |
| #60 | AEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image Optimization | 31 | 91 | 133 | 2k+ | Output is not escaped |
| #61 | Titan Anti-spam & Security – Brute Force Protection, 2FA & Spam Filter | 31 | 57 | 196 | 50k+ | Nonce verification recommended |
| #62 | Better Robots.txt – AI-Ready Crawl Control & Bot Governance | 31 | 90 | 85 | 6k+ | Text Domain Mismatch |
| #63 | Easy HTTPS Redirection (SSL) | 31 | 224 | 100 | 100k+ | Unsafe printing function |
| #64 | Image Hotspot – Map Image Annotation | 31 | 95 | 283 | 3k+ | Non-prefixed global variable |
| #65 | LWS Tools | 31 | 104 | 134 | 10k+ | Request data is not unslashed |
| #66 | Patreon WordPress | 31 | 276 | 339 | 3k+ | Output is not escaped |
| #67 | SpeedyCache – Cache, Optimization, Performance | 31 | 65 | 115 | 600k+ | Input is not validated |
| #68 | ThumbPress – Compress Images, Manage Thumbnails, Detect Image Issues, WebP/AVIF, Lazy Loading, Hotlinking & More | 33 | 101 | 289 | 30k+ | Non-prefixed global variable |
| #69 | LWSCache | 33 | 47 | 104 | 6k+ | Non-prefixed global variable |
| #70 | WP EXtra – One Click Optimize | 33 | 414 | 101 | 7k+ | Missing Arg Domain |
| #71 | Cache Enabler | 35 | 44 | 75 | 90k+ | Input is not sanitized |
| #72 | DesignSetGo | 35 | 20 | 313 | 4k+ | Non-prefixed global variable |
| #73 | Push Notifications by LaraPush | 35 | 32 | 76 | 4k+ | Non-prefixed global variable |
| #74 | Debug Log Manager Tool | 37 | 33 | 108 | 3k+ | Nonce verification recommended |
| #75 | Exploit Scanner | 37 | 25 | 130 | 8k+ | Non-prefixed global variable |
| #76 | Images to WebP | 37 | 39 | 50 | 9k+ | curl curl setopt |
| #77 | MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites | 38 | 3 | 136 | 700k+ | Non-prefixed hook name |
| #78 | Monetag Official Plugin | 38 | 133 | 32 | 5k+ | Text Domain Mismatch |
| #79 | Tag Manager – Header, Body And Footer | 38 | 97 | 319 | 20k+ | Non-prefixed global variable |
| #80 | Alt Magic: AI Image Alt Text Generator for WP & Image Rename | 40 | 55 | 118 | 1k+ | Direct Query |
| #81 | Far Future Expiry Header | 40 | 25 | 36 | 7k+ | Request data is not unslashed |
| #82 | AMP for WP – Accelerated Mobile Pages | 41 | 656 | 2,401 | 80k+ | Non-prefixed global variable |
| #83 | Heroic Favicon Generator | 41 | 104 | 7 | 6k+ | Output is not escaped |
| #84 | Simple Cache | 41 | 33 | 59 | 1k+ | Input is not sanitized |
| #85 | Surge | 60 | 46 | 47 | 4k+ | Non-prefixed global variable |
| #86 | Easy PHP Settings | 66 | 34 | 48 | 2k+ | Missing Translators Comment |
| #87 | Falcon – WordPress Optimizations & Tweaks | 69 | 29 | 21 | 2k+ | Short PHP open tag found |
| #88 | Web Accessibility by accessiBe | 72 | 1 | 25 | 10k+ | Input is not sanitized |
| #89 | Dash Notifier | 73 | 12 | 6 | 20k+ | Heredoc Output Not Escaped |
| #90 | Soro – SEO Autopilot & AI Content Writer | 83 | 4 | 10 | 9k+ | Input is not sanitized |
| #91 | WP BASIC Auth | 83 | 4 | 13 | 4k+ | Input is not sanitized |
| #92 | Comments Import & Export | 85 | 112 | 9 | 2k+ | wp function not compatible with requires wp |
| #93 | Trusted Shops Easy Integration for WooCommerce | 86 | 5 | 67 | 6k+ | Non-prefixed hook name |
| #94 | LLMs.txt and LLMs-Full.txt Generator | 94 | 14 | 9 | 4k+ | Non-prefixed global variable |
| #95 | Sucuri Security – Auditing, Malware Scanner and Security Hardening | 94 | 52 | 5 | 600k+ | Missing direct file access protection |
| #96 | HTTP Auth | 97 | 9 | 3 | 6k+ | wp function not compatible with requires wp |
| #97 | FluentCommunity – Ultra-Fast High-Performance Social Network, Community, LMS & Online Courses | 98 | 7 | 2 | 8k+ | wp function not compatible with requires wp |
| #98 | Manage XML-RPC | 98 | 3 | 1 | 6k+ | file system operations is writable |
| #99 | Quads Ads Manager for Google AdSense | 99 | 8 | 20k+ | Non-prefixed constant | ||
| #100 | SQLite Object Cache | 99 | 6 | 2 | 9k+ | wp function not compatible with requires wp |