WordPress.WP.AlternativeFunctions.file_system_operations_chmod
file system operations chmod
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
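The three fixes above combined in one helper, as an added example that is not code from Plugin Check or from any plugin listed on this page. The `myplugin_` prefix, the `myplugin` directory and the extension allowlist are hypothetical, and the sketch assumes local paths are valid for the active filesystem transport.

```php
<?php
// Added example, not from Plugin Check or any listed plugin.
// Hypothetical names: the myplugin_ prefix, the "myplugin" directory, the extension allowlist.

/**
 * Write a data file inside the plugin's uploads subdirectory.
 *
 * @return true|WP_Error
 */
function myplugin_write_data_file( string $filename, string $contents ) {
	global $wp_filesystem;

	// The Filesystem API is only loaded automatically in wp-admin.
	require_once ABSPATH . 'wp-admin/includes/file.php';
	if ( ! WP_Filesystem() ) {
		return new WP_Error( 'myplugin_fs', 'Filesystem API could not be initialised.' );
	}

	// Drop directory components and unsafe characters, then allowlist the
	// extension so the plugin never writes an executable .php file.
	$filename = sanitize_file_name( wp_basename( $filename ) );
	$ext      = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
	if ( '' === $filename || ! in_array( $ext, array( 'json', 'txt', 'css' ), true ) ) {
		return new WP_Error( 'myplugin_name', 'File name or type is not allowed.' );
	}

	// Keep every write under wp-content/uploads/myplugin/.
	$uploads = wp_upload_dir();
	$root    = realpath( $uploads['basedir'] );
	$dir     = trailingslashit( $uploads['basedir'] ) . 'myplugin';
	if ( false === $root || ! wp_mkdir_p( $dir ) ) {
		return new WP_Error( 'myplugin_dir', 'Uploads directory is not available.' );
	}

	// Resolve symlinks and confirm the directory is still inside uploads.
	$real = realpath( $dir );
	if ( false === $real
		|| 0 !== strpos( wp_normalize_path( $real ) . '/', trailingslashit( wp_normalize_path( $root ) ) ) ) {
		return new WP_Error( 'myplugin_path', 'Target directory is outside uploads.' );
	}

	// put_contents() replaces fopen()/fwrite()/chmod(): it writes through the
	// active transport and applies the site's FS_CHMOD_FILE mode.
	$target = trailingslashit( $real ) . $filename;
	if ( ! $wp_filesystem->put_contents( $target, $contents, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write', 'Could not write file.' );
	}
	return true;
}
```

To change the mode of a file that already exists, `$wp_filesystem->chmod( $target, FS_CHMOD_FILE )` is the counterpart of a raw `chmod()` call.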
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #201 | DB Cache Reloaded Fix | 29 | 133 | 42 | 2k+ | | | Output is not escaped |
| #202 | Kits, Templates and Patterns | 29 | 380 | 91 | 5k+ | | | Text Domain Mismatch |
| #203 | SQLite Database Integration | 29 | 161 | 89 | 3k+ | | | Exception output is not escaped |
| #204 | Themify – WooCommerce Product Filter | 29 | 643 | 145 | 20k+ | | | Output is not escaped |
| #205 | WP Popular Posts | 29 | 77 | 300 | 100k+ | | | Non-prefixed global variable |
| #206 | Import WooCommerce Suite | 30 | 80 | 434 | 4k+ | | | Interpolated SQL is not prepared |
| #207 | SMTP for Amazon SES – YaySMTP | 30 | 197 | 122 | 3k+ | | | Exception output is not escaped |
| #208 | Travelers' Map | 30 | 311 | 155 | 1k+ | | | Output is not escaped |
| #209 | WCPOS – Point of Sale (POS) plugin for WooCommerce | 30 | 77 | 228 | 5k+ | | | Nonce verification recommended |
| #210 | AEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image Optimization | 31 | 91 | 133 | 2k+ | | | Output is not escaped |
| #211 | Titan Anti-spam & Security – Brute Force Protection, 2FA & Spam Filter | 31 | 57 | 196 | 50k+ | | | Nonce verification recommended |
| #212 | Asgaros Forum | 31 | 167 | 412 | 10k+ | | | Output is not escaped |
| #213 | FastDup – Fastest WordPress Migration & Duplicator | 31 | 83 | 66 | 5k+ | | | wp function not compatible with requires wp |
| #214 | Easy HTTPS Redirection (SSL) | 31 | 224 | 100 | 100k+ | | | Unsafe printing function |
| #215 | Login rebuilder | 31 | 406 | 226 | 20k+ | | | Non Singular String Literal Domain |
| #216 | Qode Essential Addons | 31 | 55 | 295 | 10k+ | | | Non-prefixed global variable |
| #217 | Child Theme Configurator | 32 | 442 | 267 | 300k+ | | | Unsafe printing function |
| #218 | EchBay Phonering Alo | 33 | 74 | 47 | 1k+ | | | Output is not escaped |
| #219 | Human Presence – Stop Form Spam Without ReCaptcha | 33 | 54 | 65 | 1k+ | | | Request data is not unslashed |
| #220 | WP GIF Uploader | 33 | 117 | 44 | 1k+ | | | Text Domain Mismatch |
| #221 | WP Twitter Auto Publish | 33 | 442 | 171 | 4k+ | | | Output is not escaped |
| #222 | XML Sitemaps | 33 | 65 | 62 | 2k+ | | | Output is not escaped |
| #223 | Garden Gnome Package | 34 | 116 | 51 | 4k+ | | | Text Domain Mismatch |
| #224 | Greenshift – animation and page builder blocks | 34 | 33 | 272 | 70k+ | | | Non-prefixed global variable |
| #225 | HTML Import 2 | 34 | 273 | 26 | 5k+ | | | Unsafe printing function |
| #226 | Email Template Designer – WP HTML Mail | 34 | 62 | 80 | 20k+ | | | badly named files |
| #227 | CF7 Views – Complete Entry Management for Contact Form 7 | 35 | 172 | 181 | 1k+ | | | Output is not escaped |
| #228 | Disable XML-RPC-API | 35 | 444 | 52 | 100k+ | | | Text Domain Mismatch |
| #229 | Elementor Website Builder – more than just a page builder | 35 | 46 | 428 | 10m+ | | | Non-prefixed global variable |
| #230 | Enlighter – Customizable Syntax Highlighter | 35 | 50 | 10 | 10k+ | | | Output is not escaped |
| #231 | EWWW Image Optimizer | 35 | 225 | 729 | 1m+ | | | Direct Query |
| #232 | GeoTargeting Lite – WordPress Geolocation | 35 | 66 | 79 | 1k+ | | | Output is not escaped |
| #233 | ImageMagick Engine | 35 | 63 | 29 | 60k+ | | | Unsafe printing function |
| #234 | Simple History – Track, Log, and Audit WordPress Changes | 35 | 32 | 122 | 300k+ | | | Non-prefixed global variable |
| #235 | Termageddon: Cookie Consent & Privacy Compliance | 35 | 28 | 13 | 7k+ | | | Exception output is not escaped |
| #236 | User Photo | 35 | 112 | 68 | 3k+ | | | Output is not escaped |
| #237 | Database Backup for WordPress | 35 | 128 | 88 | 70k+ | | | Output is not escaped |
| #238 | WP GPX Maps | 35 | 27 | 100 | 4k+ | | | Non-prefixed global variable |
| #239 | WP-LESS | 35 | 16 | 8 | 10k+ | | | Missing direct file access protection |
| #240 | Blaze Demo Importer | 36 | 101 | 94 | 8k+ | | | Output is not escaped |
| #241 | Custom PHP Settings | 36 | 153 | 76 | 10k+ | | | Output is not escaped |
| #242 | Drag and Drop Multiple File Upload for Contact Form 7 | 36 | 82 | 36 | 60k+ | | | wp function not compatible with requires wp |
| #243 | Just TinyMCE Custom Styles | 36 | 112 | 28 | 1k+ | | | Missing Arg Domain |
| #244 | QuickWebP – Compress / Optimize Images & Convert WebP \| SEO Friendly | 36 | 172 | 108 | 8k+ | | | Non Singular String Literal Domain |
| #245 | Shadowbox JS | 36 | 246 | 14 | 2k+ | | | Unsafe printing function |
| #246 | SMTP for SendGrid – YaySMTP | 36 | 27 | 96 | 1k+ | | | Non-prefixed global variable |
| #247 | Export Themes | 36 | 122 | 90 | 2k+ | | | Non-prefixed constant |
| #248 | Wppao Sitemap | 36 | 128 | 21 | 9k+ | | | Output is not escaped |
| #249 | Add From Server | 37 | 52 | 20 | 60k+ | | | Output is not escaped |
| #250 | Recent Posts Widget With Thumbnails | 37 | 222 | 46 | 100k+ | | | Output is not escaped |