WordPress.WP.AlternativeFunctions.file_system_operations_chmod
file system operations chmod
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #301 | Kiyoh customer review | 35 | 173 | 68 | 500 | Output is not escaped | ||
| #302 | Simple History – Track, Log, and Audit WordPress Changes | 35 | 32 | 122 | 300k+ | Non-prefixed global variable | ||
| #303 | Image Quality Control | Still BE | 35 | 54 | 44 | 400 | Missing Translators Comment | ||
| #304 | Termageddon: Cookie Consent & Privacy Compliance | 35 | 28 | 13 | 7k+ | Exception output is not escaped | ||
| #305 | User Photo | 35 | 112 | 68 | 3k+ | Output is not escaped | ||
| #306 | Database Backup for WordPress | 35 | 128 | 88 | 70k+ | Output is not escaped | ||
| #307 | WP GPX Maps | 35 | 27 | 100 | 4k+ | Non-prefixed global variable | ||
| #308 | WP-LESS | 35 | 16 | 8 | 10k+ | Missing direct file access protection | ||
| #309 | Bard Extra | 36 | 159 | 75 | 700 | Text Domain Mismatch | ||
| #310 | Blaze Demo Importer | 36 | 101 | 94 | 8k+ | Output is not escaped | ||
| #311 | Cashflows for WooCommerce | 36 | 118 | 36 | 600 | Text Domain Mismatch | ||
| #312 | Custom PHP Settings | 36 | 153 | 76 | 10k+ | Output is not escaped | ||
| #313 | Drag and Drop Multiple File Upload for Contact Form 7 | 36 | 82 | 36 | 60k+ | wp function not compatible with requires wp | ||
| #314 | Just TinyMCE Custom Styles | 36 | 112 | 28 | 1k+ | Missing Arg Domain | ||
| #315 | QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly | 36 | 172 | 108 | 8k+ | Non Singular String Literal Domain | ||
| #316 | Shadowbox JS | 36 | 246 | 14 | 1k+ | Unsafe printing function | ||
| #317 | SMTP for SendGrid – YaySMTP | 36 | 27 | 96 | 1k+ | Non-prefixed global variable | ||
| #318 | Rabo Smart Pay for WooCommerce | 36 | 147 | 54 | 600 | Text Domain Mismatch | ||
| #319 | Export Themes | 36 | 122 | 90 | 2k+ | Non-prefixed constant | ||
| #320 | WP LaTeX | 36 | 103 | 12 | 700 | Output is not escaped | ||
| #321 | WPAvatar | 36 | 425 | 45 | 700 | Unsafe printing function | ||
| #322 | Wppao Sitemap | 36 | 128 | 21 | 9k+ | Output is not escaped | ||
| #323 | Add From Server | 37 | 52 | 20 | 60k+ | Output is not escaped | ||
| #324 | Debug Log Viewer | 37 | 26 | 83 | 1k+ | Missing nonce verification | ||
| #325 | Images Optimize and Upload CF7 | 37 | 130 | 36 | 600 | Non Singular String Literal Domain | ||
| #326 | Recent Posts Widget With Thumbnails | 37 | 222 | 46 | 100k+ | Output is not escaped | ||
| #327 | Simple Image XML Sitemap | 37 | 119 | 16 | 1k+ | Output is not escaped | ||
| #328 | Theme Builder For Elementor | 37 | 477 | 28 | 2k+ | Text Domain Mismatch | ||
| #329 | Anant Sites — Elementor & Gutenberg Readymade Template Library Free & Pro Templates | 38 | 20 | 156 | 1k+ | Non-prefixed global variable | ||
| #330 | Automatic Post Tagger | 38 | 592 | 307 | 2k+ | Output is not escaped | ||
| #331 | HashThemes Demo Importer | 38 | 71 | 44 | 6k+ | Output is not escaped | ||
| #332 | MultiLine Files for Contact Form 7 | 38 | 98 | 40 | 9k+ | Text Domain Mismatch | ||
| #333 | Author Image | 38 | 51 | 33 | 1k+ | Output is not escaped | ||
| #334 | GS Only PDF Preview | 39 | 46 | 36 | 1k+ | Output is not escaped | ||
| #335 | Wallet for WooCommerce | 39 | 36 | 524 | 20k+ | Non-prefixed hook name | ||
| #336 | Complete Image Sitemap | 40 | 55 | 18 | 1k+ | Output is not escaped | ||
| #337 | Far Future Expiry Header | 40 | 25 | 36 | 7k+ | Request data is not unslashed | ||
| #338 | Search with Typesense | 40 | 81 | 122 | 700 | Non-prefixed global variable | ||
| #339 | Heroic Favicon Generator | 41 | 104 | 7 | 6k+ | Output is not escaped | ||
| #340 | Asesor de Cookies RGPD para normativa europea | 42 | 27 | 32 | 20k+ | Missing nonce verification | ||
| #341 | Contact Form 7 Signature Addon | 45 | 147 | 44 | 6k+ | Text Domain Mismatch | ||
| #342 | 404 Image Redirection (Replace Broken Images) | 47 | 118 | 85 | 500 | Text Domain Mismatch | ||
| #343 | WP Prefix Changer | 47 | 27 | 16 | 900 | Missing Arg Domain | ||
| #344 | Ansar Import – One Click Starter Sites – for Elementor & Themes | 48 | 27 | 116 | 10k+ | Non-prefixed global variable | ||
| #345 | Drag and Drop Multiple File Upload for WooCommerce | 49 | 114 | 29 | 5k+ | Text Domain Mismatch | ||
| #346 | Veeqo for WooCommerce | 50 | 30 | 17 | 700 | Missing direct file access protection | ||
| #347 | AVIF Uploader | 51 | 49 | 44 | 4k+ | Missing Arg Domain | ||
| #348 | Easy GDPR Consent Forms – MailChimp | 57 | 72 | 22 | 500 | Text Domain Mismatch | ||
| #349 | Image Sitemap | 63 | 11 | 14 | 400 | Output is not escaped | ||
| #350 | CV Demo Importer | 64 | 21 | 95 | 400 | Non-prefixed global variable |