WordPress.WP.AlternativeFunctions.file_system_operations_fclose
file system operations fclose
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1 | BulletProof Security | 0 | 5,048 | 4,949 | 20k+ | Output is not escaped | |
| #2 | Intercom | 0 | 60 | 71 | 6k+ | Non-prefixed function | |
| #3 | Plugin Check (PCP) | 0 | 128 | 132 | 10k+ | Exception output is not escaped | |
| #4 | Themify Builder | 9 | 5,195 | 2,096 | 5k+ | Text Domain Mismatch | |
| #5 | JetBackup – Backup, Restore & Migrate | 10 | 1,559 | 145 | 100k+ | Exception output is not escaped | |
| #6 | AnyComment | 17 | 445 | 449 | 5k+ | Output is not escaped | |
| #7 | wpForo Forum | 17 | 4,033 | 2,922 | 20k+ | Unsafe printing function | |
| #8 | WPtouch – Make your WordPress Website Mobile-Friendly | 17 | 1,466 | 325 | 50k+ | Text Domain Mismatch | |
| #9 | Podlove Podcast Publisher | 18 | 2,326 | 1,429 | 3k+ | Output is not escaped | |
| #10 | Property Hive | 18 | 1,957 | 6,027 | 3k+ | Missing nonce verification | |
| #11 | Shopping Cart & eCommerce Store | 18 | 5,459 | 17,298 | 4k+ | Non-prefixed global variable | |
| #12 | WP Import Export Lite | 18 | 738 | 979 | 40k+ | Non-prefixed global variable | |
| #13 | Download Monitor | 19 | 425 | 1,364 | 80k+ | Non-prefixed hook name | |
| #14 | Event Organiser | 19 | 1,106 | 544 | 20k+ | Text Domain Mismatch | |
| #15 | Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution | 19 | 1,218 | 901 | 100k+ | Exception output is not escaped | |
| #16 | Matomo Analytics – Powerful, Privacy-First Insights for WordPress | 19 | 1,909 | 878 | 100k+ | Exception output is not escaped | |
| #17 | Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization | 19 | 1,295 | 2,679 | 9k+ | Output is not escaped | |
| #18 | Razorpay Payment Button Plugin | 19 | 486 | 98 | 2k+ | Exception output is not escaped | |
| #19 | Realtyna Organic IDX plugin + WPL Real Estate | 19 | 947 | 3,653 | 2k+ | Non-prefixed global variable | |
| #20 | Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | 19 | 541 | 385 | 3m+ | Missing Translators Comment | |
| #21 | Membership Plugin – Kadence Memberships | 19 | 5,082 | 2,982 | 9k+ | Text Domain Mismatch | |
| #22 | SendPress Newsletters | 19 | 2,293 | 1,422 | 2k+ | Output is not escaped | |
| #23 | WP Email Template | 19 | 342 | 350 | 2k+ | Exception output is not escaped | |
| #24 | BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot | 20 | 508 | 1,406 | 30k+ | Non-prefixed global variable | |
| #25 | Brizy – Page Builder | 20 | 589 | 720 | 70k+ | Output is not escaped | |
| #26 | GiveWP – Donation Plugin and Fundraising Platform | 20 | 3,435 | 3,580 | 100k+ | Output is not escaped | |
| #27 | Link Library | 20 | 1,941 | 1,397 | 10k+ | Unsafe printing function | |
| #28 | MBE eShip | 20 | 527 | 740 | 1k+ | Non-prefixed global variable | |
| #29 | MAS Videos | 20 | 519 | 1,693 | 1k+ | Non-prefixed global variable | |
| #30 | Microthemer Lite – Visual Editor to Customize CSS | 20 | 1,004 | 1,699 | 10k+ | Non-prefixed global variable | |
| #31 | Pix por Piggly (para Woocommerce) | 20 | 547 | 195 | 4k+ | Exception output is not escaped | |
| #32 | Powered Cache – Caching and Optimization for WordPress – Easily Improve PageSpeed & Web Vitals Score | 20 | 147 | 231 | 3k+ | Exception output is not escaped | |
| #33 | Robin Image Optimizer – Unlimited Image Optimization, WebP & AVIF | 20 | 557 | 541 | 100k+ | Output is not escaped | |
| #34 | SpeakOut! Email Petitions | 20 | 850 | 994 | 3k+ | Missing nonce verification | |
| #35 | Trace My IP – Visitor IP Tracker, Stats Analytics & Page Views Counter with Email Alerts | 20 | 866 | 338 | 1k+ | wp function not compatible with requires wp | |
| #36 | Razorpay for WooCommerce | 20 | 974 | 855 | 100k+ | Non-prefixed function | |
| #37 | WPJAM Basic | 20 | 328 | 356 | 4k+ | Output is not escaped | |
| #38 | Backup Migration | 21 | 981 | 1,093 | 80k+ | Non-prefixed global variable | |
| #39 | rtMedia for WordPress, BuddyPress and bbPress | 21 | 363 | 633 | 8k+ | Non-prefixed constant | |
| #40 | CallTrackingMetrics | 21 | 923 | 286 | 3k+ | Unsafe printing function | |
| #41 | Captcha Them All | 21 | 300 | 323 | 6k+ | Output is not escaped | |
| #42 | CartFlows – Funnel Builder & Checkout Plugin for WooCommerce | 21 | 461 | 614 | 200k+ | Text Domain Mismatch | |
| #43 | Smart Grid-Layout Design for Contact Form 7 | 21 | 1,126 | 734 | 10k+ | Output is not escaped | |
| #44 | Comet Cache | 21 | 857 | 245 | 20k+ | Output is not escaped | |
| #45 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | Output is not escaped | |
| #46 | Envo Extra | 21 | 878 | 600 | 20k+ | Text Domain Mismatch | |
| #47 | EventPrime – Events Calendar, Bookings and Tickets | 21 | 872 | 4,297 | 7k+ | Non-prefixed global variable | |
| #48 | Feeds for YouTube (YouTube video, channel, and gallery plugin) | 21 | 558 | 978 | 100k+ | Output is not escaped | |
| #49 | FileOrganizer – WordPress File Manager | 21 | 536 | 241 | 200k+ | unlink unlink | |
| #50 | Formidable Forms – WordPress Form Builder for Contact Forms, Calculators, Quizzes & More | 21 | 52 | 1,959 | 300k+ | Non-prefixed global variable |
