WordPress.WP.AlternativeFunctions.file_system_operations_fclose
file system operations fclose
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
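The three fixes above, shown together as an added example (not code from Plugin Check or from any plugin listed on this page). The `myplugin_` function names, the `myplugin` uploads subdirectory and the forced `.txt` extension are assumptions made for illustration.

```php
<?php
// Added example: hypothetical plugin "myplugin"; all myplugin_* names are assumptions.

// Flagged pattern: raw handle I/O, caller-controlled path, no confinement.
function myplugin_save_report_raw( $name, $data ) {
	$fh = fopen( WP_CONTENT_DIR . '/' . $name, 'w' ); // flagged: fopen
	fwrite( $fh, $data );                             // flagged: fwrite
	fclose( $fh );                                    // flagged: fclose
}

// Replacement: WP_Filesystem transport, write confined to uploads/myplugin.
function myplugin_save_report( $name, $data ) {
	global $wp_filesystem;

	require_once ABSPATH . 'wp-admin/includes/file.php';
	if ( ! WP_Filesystem() ) {
		return new WP_Error( 'myplugin_fs', 'Filesystem transport unavailable.' );
	}

	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', $uploads['error'] );
	}
	$base = trailingslashit( $uploads['basedir'] ) . 'myplugin';
	if ( ! wp_mkdir_p( $base ) ) {
		return new WP_Error( 'myplugin_dir', 'Cannot create plugin directory.' );
	}

	// Keep only the file stem, so "../" segments and ".php" suffixes are dropped,
	// then force a non-executable extension.
	$stem = sanitize_file_name( pathinfo( $name, PATHINFO_FILENAME ) );
	if ( '' === $stem ) {
		return new WP_Error( 'myplugin_name', 'Invalid file name.' );
	}
	$target = trailingslashit( realpath( $base ) ) . $stem . '.txt';

	// Refuse to follow a symlink planted at the target path.
	if ( is_link( $target ) ) {
		return new WP_Error( 'myplugin_link', 'Target is a symlink.' );
	}

	// put_contents() opens, writes and closes through the active transport.
	if ( ! $wp_filesystem->put_contents( $target, $data, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write', 'Write failed.' );
	}
	return $target;
}
```

`FS_CHMOD_FILE` is defined by `WP_Filesystem()`, so the written file gets the site's configured file mode rather than a hard-coded one.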
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1101 | Gelato Integration for WooCommerce | 42 | 36 | 32 | 5k+ | | | Output is not escaped |
| #1102 | Mailster Cool Captcha | 42 | 65 | 28 | 400 | | | Text Domain Mismatch |
| #1103 | WP Post Redirect | 42 | 29 | 17 | 3k+ | | | Unsafe printing function |
| #1104 | WP QuickLaTeX | 42 | 41 | 60 | 4k+ | | | Non-prefixed global variable |
| #1105 | WP SmartCrop | 43 | 43 | 12 | 4k+ | | | Output is not escaped |
| #1106 | SmartVideo – Video Player and CDN | 44 | 295 | 44 | 1k+ | | | Text Domain Mismatch |
| #1107 | WP Club Manager – WordPress Sports Club Plugin | 44 | 171 | 682 | 600 | | | Non-prefixed global variable |
| #1108 | Contact Form 7 Signature Addon | 45 | 147 | 44 | 6k+ | | | Text Domain Mismatch |
| #1109 | Evergreen Countdown Timer | 45 | 193 | 35 | 2k+ | | | wp function not compatible with requires wp |
| #1110 | JetHost Total Care – Security & Enhancements | 45 | 10 | 85 | 800 | | | Direct Query |
| #1111 | reCAPTCHA for Asgaros Forum | 45 | 21 | 36 | 4k+ | | | Input is not validated |
| #1112 | Better image sizes | 46 | 45 | 23 | 2k+ | | | Text Domain Mismatch |
| #1113 | Official CleverReach® Plugin for WooCommerce | 46 | 37 | 98 | 400 | | | Non-prefixed global variable |
| #1114 | Gravity Forms Constant Contact | 46 | 36 | 27 | 3k+ | | | Non-prefixed class |
| #1115 | 404 Image Redirection (Replace Broken Images) | 47 | 118 | 85 | 500 | | | Text Domain Mismatch |
| #1116 | Import Users from CSV | 47 | 33 | 12 | 10k+ | | | Unsafe printing function |
| #1117 | Tabby Checkout | 47 | 33 | 46 | 4k+ | | | Non-prefixed class |
| #1118 | The Tribal Plugin | 47 | 43 | 62 | 800 | | | Non-prefixed function |
| #1119 | iControlWP | 47 | 45 | 59 | 1k+ | | | Missing direct file access protection |
| #1120 | WP Prefix Changer | 47 | 27 | 16 | 900 | | | Missing Arg Domain |
| #1121 | Compress, Resize & Lazy Load Images – WPvivid Image Optimization | 47 | 107 | 58 | 10k+ | | | Missing direct file access protection |
| #1122 | Ansar Import – One Click Starter Sites – for Elementor & Themes | 48 | 27 | 116 | 10k+ | | | Non-prefixed global variable |
| #1123 | Tag Pilot FREE – Google Tag Manager Integration for WooCommerce | 48 | 35 | 19 | 1k+ | | | Output is not escaped |
| #1124 | wp-Monalisa | 48 | 56 | 94 | 700 | | | Direct Query |
| #1125 | Drag and Drop Multiple File Upload for WooCommerce | 49 | 114 | 29 | 5k+ | | | Text Domain Mismatch |
| #1126 | SpinupWP | 49 | 43 | 38 | 30k+ | | | Non-prefixed function |
| #1127 | PDF Invoices & Packing Slips for WooCommerce – Challan | 49 | 56 | 151 | 4k+ | | | Non-prefixed global variable |
| #1128 | Event Organiser CSV | 50 | 28 | 27 | 600 | | | Output is not escaped |
| #1129 | Veeqo for WooCommerce | 50 | 30 | 17 | 700 | | | Missing direct file access protection |
| #1130 | Easy Search Replace – Find & Replace Text/HTML/URLs, Remove Footer Credit | 51 | 6 | 61 | 500 | | | Input is not sanitized |
| #1131 | Fullscreen Galleria | 52 | 37 | 10 | 800 | | | Output is not escaped |
| #1132 | Price Based on Country for WooCommerce | 52 | 43 | 126 | 20k+ | | | Non-prefixed hook name |
| #1133 | Connect Contact Form 7 and Mailchimp | 53 | 236 | 52 | 40k+ | | | Text Domain Mismatch |
| #1134 | 워드프레스 결제 심플페이 – 우커머스 결제 플러그인 | 53 | 79 | 92 | 1k+ | | | Missing direct file access protection |
| #1135 | Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely | 53 | 34 | 90 | 20k+ | | | Database parameter is not escaped |
| #1136 | CSV Importer | 54 | 24 | 11 | 3k+ | | | Missing direct file access protection |
| #1137 | AI Agent by SiteGround | 54 | 28 | 6 | 1m+ | | | Exception output is not escaped |
| #1138 | Yext Plugin | 55 | 16 | 23 | 700 | | | Non-prefixed function |
| #1139 | Review Stream | 56 | 41 | 42 | 400 | | | Non-prefixed global variable |
| #1140 | Known Agents – Track AI Bots and Crawlers, Block Scrapers, Analyze LLM Referral Traffic | 57 | 37 | 12 | 1k+ | | | Setting is missing a sanitization callback |
| #1141 | Gravity PDF | 57 | 116 | 152 | 20k+ | | | Non-prefixed global variable |
| #1142 | WP Table Builder – Drag & Drop Table Builder | 57 | 63 | 39 | 50k+ | | | Not Allowed |
| #1143 | PDF invoice for WP ERP | 58 | 96 | 134 | 2k+ | | | Non-prefixed global variable |
| #1144 | Videopack | 58 | 28 | 108 | 10k+ | | | Input is not sanitized |
| #1145 | Co-Authors Plus | 59 | 2 | 76 | 20k+ | | | Input is not sanitized |
| #1146 | flowpaper | 59 | 13 | 31 | 10k+ | | | Non-prefixed function |
| #1147 | Resize Image After Upload | 59 | 15 | 11 | 80k+ | | | Output is not escaped |
| #1148 | WC Korkmaz Contract – Contracts for WooCommerce | 59 | 7 | 38 | 600 | | | Non-prefixed global variable |
| #1149 | Mailster AmazonSES Integration | 60 | 52 | 25 | 2k+ | | | Missing Arg Domain |
| #1150 | Surge | 60 | 46 | 47 | 4k+ | | | Non-prefixed global variable |