WordPress.WP.AlternativeFunctions.file_system_operations_fopen
file system operations fopen
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
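The three fixes above combined in one write helper, as an added example that is not code from Plugin Check or from any listed plugin. The function name `myplugin_write_export`, the `myplugin-exports` directory, the error codes and the extension allow-list are hypothetical.

```php
<?php
/**
 * Added example: write a plugin-managed file through WP_Filesystem.
 * `myplugin_write_export` and `myplugin-exports` are hypothetical names.
 */
function myplugin_write_export( $requested_name, $contents ) {
	global $wp_filesystem;

	// Initialise the filesystem abstraction instead of calling fopen()/fwrite().
	require_once ABSPATH . 'wp-admin/includes/file.php';
	if ( ! WP_Filesystem() || ! $wp_filesystem ) {
		return new WP_Error( 'myplugin_fs_unavailable', 'Filesystem access is not available.' );
	}

	// Reduce the caller-supplied name to a bare, sanitized file name (no directories).
	$name = sanitize_file_name( wp_basename( $requested_name ) );

	// Allow data extensions only, so the plugin never writes executable PHP.
	$type = wp_check_filetype( $name, array( 'csv' => 'text/csv', 'json' => 'application/json' ) );
	if ( '' === $name || ! $type['ext'] ) {
		return new WP_Error( 'myplugin_bad_name', 'File name or extension is not allowed.' );
	}

	// Keep writes inside a plugin-owned directory under WordPress uploads.
	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', $uploads['error'] );
	}
	$base = trailingslashit( wp_normalize_path( $uploads['basedir'] ) ) . 'myplugin-exports/';
	if ( ! wp_mkdir_p( $base ) ) {
		return new WP_Error( 'myplugin_mkdir', 'Could not create the export directory.' );
	}

	// Defence in depth: confirm the final path still sits under the base directory.
	$target = wp_normalize_path( $base . $name );
	if ( 0 !== strpos( $target, $base ) || 0 !== validate_file( $name ) ) {
		return new WP_Error( 'myplugin_path', 'Resolved path escapes the export directory.' );
	}

	if ( ! $wp_filesystem->put_contents( $target, $contents, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write', 'Write failed.' );
	}
	return $target;
}
```

When the filesystem transport cannot be initialised, the helper returns a `WP_Error` rather than falling back to raw `fopen()`.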
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #501 | Perfect Brands for WooCommerce | 28 | 112 | 143 | 40k+ | Non-prefixed constant | ||
| #502 | Responsive Lightbox & Gallery | 28 | 139 | 513 | 100k+ | Non-prefixed hook name | ||
| #503 | Praison AI SEO | 28 | 643 | 306 | 1k+ | Text Domain Mismatch | ||
| #504 | Transliterator – Multilingual and Multi-script Text Conversion | 28 | 305 | 320 | 3k+ | Output is not escaped | ||
| #505 | Sparkle Demo Importer | 28 | 307 | 166 | 6k+ | Text Domain Mismatch | ||
| #506 | Temporary Login Without Password | 28 | 128 | 131 | 100k+ | wp function not compatible with requires wp | ||
| #507 | Ultimate FAQ Accordion Plugin | 28 | 386 | 227 | 30k+ | Unsafe printing function | ||
| #508 | Jetpack VaultPress | 28 | 71 | 362 | 10k+ | Missing nonce verification | ||
| #509 | 10WebSocial | 28 | 584 | 185 | 10k+ | Unsafe printing function | ||
| #510 | WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce | 28 | 173 | 226 | 5k+ | Output is not escaped | ||
| #511 | WPS Bidouille | 28 | 472 | 215 | 10k+ | Output is not escaped | ||
| #512 | Alt Text AI – Automatically generate image alt text for SEO and accessibility | 29 | 72 | 280 | 20k+ | Non-prefixed global variable | ||
| #513 | aThemeArt Theme Helper | 29 | 206 | 151 | 2k+ | Non-prefixed global variable | ||
| #514 | Attribute Stock for WooCommerce – Shared Stock & Variable Quantities (Lite Version) | 29 | 481 | 313 | 2k+ | Text Domain Mismatch | ||
| #515 | Bitcoin Payments – Blockonomics | 29 | 208 | 227 | 3k+ | Output is not escaped | ||
| #516 | CloudSecure WP Security | 29 | 74 | 350 | 100k+ | Request data is not unslashed | ||
| #517 | Database Cleaner | 29 | 135 | 297 | 10k+ | Direct Query | ||
| #518 | DB Cache Reloaded Fix | 29 | 133 | 42 | 2k+ | Output is not escaped | ||
| #519 | Document Gallery | 29 | 183 | 98 | 8k+ | Output is not escaped | ||
| #520 | Interactive Image Map Plugin – Draw Attention | 29 | 620 | 227 | 20k+ | Output is not escaped | ||
| #521 | FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider | 29 | 74 | 78 | 600k+ | Missing Translators Comment | ||
| #522 | Kits, Templates and Patterns | 29 | 380 | 91 | 5k+ | Text Domain Mismatch | ||
| #523 | Optimole – Optimize Images \| Convert WebP & AVIF \| CDN & Lazy Load \| Image Optimization | 29 | 80 | 162 | 200k+ | Nonce verification recommended | ||
| #524 | PhastPress | 29 | 95 | 52 | 10k+ | Exception output is not escaped | ||
| #525 | SQLite Database Integration | 29 | 161 | 89 | 3k+ | Exception output is not escaped | ||
| #526 | Visualizer – Tables & Charts Manager with Built-in AI Generator | 29 | 348 | 331 | 20k+ | Output is not escaped | ||
| #527 | Widget for Yelp Reviews | 29 | 147 | 158 | 2k+ | Output is not escaped | ||
| #528 | Woostify Sites Library | 29 | 229 | 198 | 20k+ | Text Domain Mismatch | ||
| #529 | WP-PostRatings | 29 | 425 | 384 | 30k+ | Output is not escaped | ||
| #530 | XML for Google Merchant Center | 29 | 52 | 312 | 4k+ | Non-prefixed global variable | ||
| #531 | Advanced Database Cleaner – Optimize & Clean Database to Speed Up Site Performance | 30 | 164 | 439 | 100k+ | Interpolated SQL is not prepared | ||
| #532 | ApplyOnline – Application Form Builder and Manager | 30 | 354 | 260 | 2k+ | Output is not escaped | ||
| #533 | Contact Form 7 Connector | 30 | 324 | 196 | 5k+ | Text Domain Mismatch | ||
| #534 | Element Invader – Template Kits for Elementor | 30 | 274 | 130 | 3k+ | Output is not escaped | ||
| #535 | Import WooCommerce Suite | 30 | 80 | 434 | 4k+ | Interpolated SQL is not prepared | ||
| #536 | Invisible reCaptcha for WordPress | 30 | 90 | 185 | 80k+ | Input is not sanitized | ||
| #537 | Jetpack Protect | 30 | 657 | 217 | 100k+ | Text Domain Mismatch | ||
| #538 | Laposta Signup Embed | 30 | 88 | 19 | 1k+ | Exception output is not escaped | ||
| #539 | MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | 30 | 63 | 227 | 600k+ | Non-prefixed global variable | ||
| #540 | Popularis Extra | 30 | 237 | 141 | 7k+ | Output is not escaped | ||
| #541 | SmartCrawl SEO checker, analyzer & optimizer | 30 | 347 | 1,307 | 20k+ | Non-prefixed global variable | ||
| #542 | SMTP for Amazon SES – YaySMTP | 30 | 197 | 122 | 3k+ | Exception output is not escaped | ||
| #543 | Travelers' Map | 30 | 311 | 155 | 1k+ | Output is not escaped | ||
| #544 | Urvanov Syntax Highlighter | 30 | 221 | 87 | 3k+ | Output is not escaped | ||
| #545 | User Access Manager | 30 | 393 | 171 | 10k+ | Output is not escaped | ||
| #546 | Widgetize Pages Light | 30 | 145 | 104 | 3k+ | Output is not escaped | ||
| #547 | WooCommerce Tax (formerly WooCommerce Shipping & Tax) | 30 | 103 | 198 | 600k+ | Non-prefixed class | ||
| #548 | Yaad Sarig Payment Gateway For WC | 30 | 158 | 271 | 2k+ | Nonce verification recommended | ||
| #549 | AEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image Optimization | 31 | 91 | 133 | 2k+ | Output is not escaped | ||
| #550 | Titan Anti-spam & Security – Brute Force Protection, 2FA & Spam Filter | 31 | 57 | 196 | 50k+ | Nonce verification recommended |