WordPress.WP.AlternativeFunctions.file_system_operations_chmod
file system operations chmod
The plugin performs filesystem work, here a direct `chmod()` call, with raw PHP functions where WordPress expects the WordPress Filesystem API to be used.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
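
The three fixes above combined in one helper, as an added example (not code from Plugin Check or from any plugin listed on this page). The `myplugin` prefix, the `myplugin-cache` directory and the function name are hypothetical; the WordPress calls are core functions.

```php
<?php
// Added example. Hypothetical names: myplugin_write_cache_file(), 'myplugin-cache'.
function myplugin_write_cache_file( $filename, $contents ) {
	global $wp_filesystem;

	// Initialise the Filesystem API; it picks the transport the host supports
	// and defines FS_CHMOD_FILE / FS_CHMOD_DIR for that site.
	require_once ABSPATH . 'wp-admin/includes/file.php';
	if ( ! WP_Filesystem() ) {
		return new WP_Error( 'myplugin_fs', 'Filesystem API unavailable.' );
	}

	// Keep writes inside a plugin-owned directory under uploads.
	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', $uploads['error'] );
	}
	$base = trailingslashit( $uploads['basedir'] ) . 'myplugin-cache';
	if ( ! wp_mkdir_p( $base ) ) {
		return new WP_Error( 'myplugin_mkdir', 'Cannot create cache directory.' );
	}

	// Strip any directory part from the requested name and allow only
	// data extensions, so a request can never produce a .php file.
	$name    = sanitize_file_name( wp_basename( $filename ) );
	$allowed = array( 'json' => 'application/json', 'csv' => 'text/csv' );
	$type    = wp_check_filetype( $name, $allowed );
	if ( '' === $name || ! $type['ext'] ) {
		return new WP_Error( 'myplugin_name', 'File name or type not allowed.' );
	}

	// Resolve symlinks and confirm the directory is still under uploads.
	$real_base = realpath( $base );
	$real_root = realpath( $uploads['basedir'] );
	if ( false === $real_base || false === $real_root ) {
		return new WP_Error( 'myplugin_path', 'Cannot resolve target path.' );
	}
	$real_base = trailingslashit( wp_normalize_path( $real_base ) );
	$real_root = trailingslashit( wp_normalize_path( $real_root ) );
	if ( 0 !== strpos( $real_base, $real_root ) ) {
		return new WP_Error( 'myplugin_path', 'Target is outside uploads.' );
	}

	// Replaces fopen()/fwrite()/chmod(): the third argument sets the mode
	// through the API, using the site's configured file permissions.
	$target = $real_base . $name;
	if ( ! $wp_filesystem->put_contents( $target, $contents, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write', 'Write failed.' );
	}
	return $target;
}
```

When only the mode of an existing file has to change, `$wp_filesystem->chmod( $target, FS_CHMOD_FILE )` is the counterpart of the raw `chmod()` call this rule flags.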
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #251 | Di Themes Demo Site Importer | 29 | 343 | 183 | 1k+ | Text Domain Mismatch | ||
| #252 | Easy HTTPS Redirection (SSL) | 29 | 266 | 152 | 100k+ | Unsafe printing function | ||
| #253 | Kits, Templates and Patterns | 29 | 380 | 91 | 5k+ | Text Domain Mismatch | ||
| #254 | SQLite Database Integration | 29 | 161 | 89 | 3k+ | Exception output is not escaped | ||
| #255 | Themify – WooCommerce Product Filter | 29 | 643 | 145 | 20k+ | Output is not escaped | ||
| #256 | WP Popular Posts | 29 | 77 | 300 | 100k+ | Non-prefixed global variable | ||
| #257 | Blockons – Gutenberg blocks for WordPress and WooCommerce websites | 30 | 69 | 205 | 700 | Non-prefixed global variable | ||
| #258 | EDI – Обмен данными между WooCommerce и 1С | 30 | 284 | 101 | 600 | Text Domain Mismatch | ||
| #259 | Export Plugins and Templates | 30 | 143 | 33 | 1k+ | file system operations fread | ||
| #260 | PiWeb Export Customers Users & Guest customer to CSV for WooCommerce | 30 | 173 | 75 | 1k+ | Text Domain Mismatch | ||
| #261 | Import WooCommerce Suite for Products, Orders, Coupons, Reviews, and Customers \| WP Ultimate CSV Importer | 30 | 80 | 434 | 4k+ | Interpolated SQL is not prepared | ||
| #262 | Operation Demo Importer – Demo Importer For WPoperation Themes | 30 | 245 | 104 | 1k+ | Text Domain Mismatch | ||
| #263 | SMTP for Amazon SES – YaySMTP | 30 | 197 | 122 | 3k+ | Exception output is not escaped | ||
| #264 | Travelers' Map | 30 | 311 | 155 | 1k+ | Output is not escaped | ||
| #265 | WCPOS – Point of Sale (POS) plugin for WooCommerce | 30 | 77 | 228 | 5k+ | Nonce verification recommended | ||
| #266 | AEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image Optimization | 31 | 91 | 133 | 2k+ | Output is not escaped | ||
| #267 | Titan Anti-spam & Security – Brute Force Protection, 2FA & Spam Filter | 31 | 57 | 196 | 50k+ | Nonce verification recommended | ||
| #268 | Asgaros Forum | 31 | 167 | 412 | 10k+ | Output is not escaped | ||
| #269 | Easy Upload Files During Checkout | 31 | 220 | 208 | 500 | Unsafe printing function | ||
| #270 | FastDup – Fastest WordPress Migration & Duplicator | 31 | 83 | 66 | 5k+ | wp function not compatible with requires wp | ||
| #271 | Kindeditor For WordPress | 31 | 63 | 130 | 500 | Non-prefixed global variable | ||
| #272 | Login rebuilder | 31 | 406 | 226 | 20k+ | Non Singular String Literal Domain | ||
| #273 | Qode Essential Addons | 31 | 55 | 295 | 10k+ | Non-prefixed global variable | ||
| #274 | WPDoctor Malware Scanner & Vulnerability Checker & IP blocker with Hack monitor Lite | 31 | 133 | 438 | 600 | Non-prefixed global variable | ||
| #275 | Child Theme Configurator | 32 | 442 | 267 | 300k+ | Unsafe printing function | ||
| #276 | CSV Import and Exporter | 32 | 83 | 138 | 1k+ | Non-prefixed global variable | ||
| #277 | Enter Addons – Ultimate Template Builder for Elementor | 32 | 82 | 72 | 1k+ | Output is not escaped | ||
| #278 | Tumult Hype Animations | 32 | 56 | 117 | 1k+ | Output is not escaped | ||
| #279 | Sola Payment Gateway for WooCommerce | 32 | 112 | 115 | 700 | Missing Translators Comment | ||
| #280 | EchBay Phonering Alo | 33 | 74 | 47 | 1k+ | Output is not escaped | ||
| #281 | Human Presence – Stop Form Spam Without ReCaptcha | 33 | 54 | 65 | 1k+ | Request data is not unslashed | ||
| #282 | WP GIF Uploader | 33 | 117 | 44 | 1k+ | Text Domain Mismatch | ||
| #283 | WP Twitter Auto Publish | 33 | 442 | 171 | 4k+ | Output is not escaped | ||
| #284 | XML Sitemaps | 33 | 65 | 62 | 2k+ | Output is not escaped | ||
| #285 | All-in-One WP Migration and Backup | 34 | 47 | 69 | 5m+ | Missing nonce verification | ||
| #286 | EasyIndex | 34 | 74 | 135 | 1k+ | Missing nonce verification | ||
| #287 | Garden Gnome Package | 34 | 116 | 51 | 4k+ | Text Domain Mismatch | ||
| #288 | Gitium | 34 | 149 | 57 | 400 | Output is not escaped | ||
| #289 | Greenshift – animation and page builder blocks | 34 | 33 | 272 | 70k+ | Non-prefixed global variable | ||
| #290 | HTML Import 2 | 34 | 273 | 26 | 5k+ | Unsafe printing function | ||
| #291 | Security Safe | 34 | 193 | 164 | 700 | Missing Translators Comment | ||
| #292 | Email Template Designer – WP HTML Mail | 34 | 62 | 80 | 20k+ | badly named files | ||
| #293 | CF7 Views – Complete Entry Management for Contact Form 7 | 35 | 172 | 181 | 1k+ | Output is not escaped | ||
| #294 | Cryptex \| E-Mail Address Protection | 35 | 62 | 10 | 900 | Output is not escaped | ||
| #295 | Disable XML-RPC-API | 35 | 444 | 52 | 100k+ | Text Domain Mismatch | ||
| #296 | Elementor Website Builder – more than just a page builder | 35 | 46 | 428 | 10m+ | Non-prefixed global variable | ||
| #297 | Enlighter – Customizable Syntax Highlighter | 35 | 50 | 10 | 10k+ | Output is not escaped | ||
| #298 | EWWW Image Optimizer | 35 | 225 | 729 | 1m+ | Direct Query | ||
| #299 | GeoTargeting Lite – WordPress Geolocation | 35 | 66 | 79 | 1k+ | Output is not escaped | ||
| #300 | ImageMagick Engine | 35 | 63 | 29 | 60k+ | Unsafe printing function | ||