WordPress.WP.AlternativeFunctions.file_system_operations_fopen
file system operations fopen
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
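The three points above combined in one write helper, as an added example that is not taken from any listed plugin or from Plugin Check itself. It assumes it runs inside WordPress; the plugin slug `myplugin`, the function name, the error codes and the extension allowlist are hypothetical.

```php
<?php
// Added example: runs inside WordPress; "myplugin" and all myplugin_* names are hypothetical.
function myplugin_write_export( $name, $contents ) {
	// Untrusted name: keep a sanitized basename with an allowlisted, non-executable extension.
	$name = sanitize_file_name( wp_basename( $name ) );
	$ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
	if ( '' === $name || 0 !== validate_file( $name )
		|| ! in_array( $ext, array( 'txt', 'csv', 'json' ), true ) ) {
		return new WP_Error( 'myplugin_bad_name', 'File name or type not allowed.' );
	}

	// Keep writes inside a plugin-owned directory under uploads.
	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', $uploads['error'] );
	}
	$base = trailingslashit( $uploads['basedir'] ) . 'myplugin';
	if ( ! wp_mkdir_p( $base ) ) {
		return new WP_Error( 'myplugin_mkdir', 'Could not create export directory.' );
	}

	// Defence in depth: after resolving symlinks the directory must still sit under uploads.
	$real_base    = realpath( $base );
	$real_uploads = realpath( $uploads['basedir'] );
	if ( ! $real_base || ! $real_uploads
		|| 0 !== strpos( wp_normalize_path( $real_base ) . '/', wp_normalize_path( $real_uploads ) . '/' ) ) {
		return new WP_Error( 'myplugin_path', 'Export directory is outside uploads.' );
	}

	// Use the WordPress filesystem API instead of fopen()/fwrite()/chmod().
	require_once ABSPATH . 'wp-admin/includes/file.php';
	global $wp_filesystem;
	if ( ! WP_Filesystem() || ! $wp_filesystem ) {
		// Fails closed when the host's transport needs credentials we do not have.
		return new WP_Error( 'myplugin_fs', 'Filesystem API unavailable.' );
	}

	$target = trailingslashit( $real_base ) . $name;
	if ( ! $wp_filesystem->put_contents( $target, $contents, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write', 'Write failed.' );
	}
	return $target; // Full path of the written file.
}
```

Callers should check the result with `is_wp_error()` before using the returned path.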
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #601 | OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) | 26 | 272 | 576 | 6k+ | Request data is not unslashed | ||
| #602 | Open User Map – Interactive Leaflet Maps | 26 | 893 | 986 | 10k+ | Non-prefixed global variable | ||
| #603 | Paytium: Mollie payment forms & donations | 26 | 506 | 551 | 3k+ | Unsafe printing function | ||
| #604 | Pressidium Cookie Consent | 26 | 203 | 95 | 10k+ | Exception output is not escaped | ||
| #605 | Send Users Email – Email Subscribers, Email Marketing Newsletter | 26 | 188 | 415 | 5k+ | Non-prefixed global variable | ||
| #606 | SP Move Login | 26 | 881 | 215 | 6k+ | Text Domain Mismatch | ||
| #607 | Sliced Invoices – WordPress Invoice Plugin | 26 | 684 | 455 | 5k+ | Output is not escaped | ||
| #608 | URL Image Importer | 26 | 142 | 239 | 700 | Missing nonce verification | ||
| #609 | User Avatar | 26 | 104 | 173 | 4k+ | Non-prefixed constant | ||
| #610 | VikWidgetsLoader – Collection of Widgets | 26 | 1,211 | 530 | 1k+ | Output is not escaped | ||
| #611 | Visitors Online by BestWebSoft | 26 | 512 | 269 | 1k+ | Text Domain Mismatch | ||
| #612 | Polls CP | 27 | 399 | 500 | 400 | Output is not escaped | ||
| #613 | Custom Scrollbar | 27 | 184 | 191 | 2k+ | Output is not escaped | ||
| #614 | Cyrlitera – Transliteration of Links and File Names | 27 | 453 | 204 | 40k+ | Output is not escaped | ||
| #615 | EZ SQL Reports Shortcode Widget and DB Backup | 27 | 165 | 158 | 500 | Output is not escaped | ||
| #616 | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin | 27 | 122 | 135 | 3k+ | Non-prefixed global variable | ||
| #617 | Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin | 27 | 213 | 495 | 2k+ | Non-prefixed global variable | ||
| #618 | Login for Google Apps | 27 | 139 | 85 | 10k+ | Exception output is not escaped | ||
| #619 | GSpeech TTS – WordPress Text To Speech Plugin | 27 | 842 | 333 | 3k+ | Output is not escaped | ||
| #620 | Hester Core | 27 | 253 | 103 | 10k+ | Output is not escaped | ||
| #621 | ImageRecycle pdf & image compression | 27 | 329 | 204 | 1k+ | Text Domain Mismatch | ||
| #622 | iQ Block Country | 27 | 164 | 245 | 20k+ | Request data is not unslashed | ||
| #623 | Login Security Solution | 27 | 216 | 154 | 4k+ | Output is not escaped | ||
| #624 | MLSImport – Download and synchronize real estate data from various MLS (Multiple Listing Services) | 27 | 154 | 551 | 5k+ | Non-prefixed global variable | ||
| #625 | MW WP Form | 27 | 334 | 219 | 200k+ | Output is not escaped | ||
| #626 | Nextend Social Login and Register | 27 | 1,668 | 243 | 200k+ | Output is not escaped | ||
| #627 | Tussendoor – Open RDW | 27 | 301 | 140 | 600 | Text Domain Mismatch | ||
| #628 | Packlink PRO for WooCommerce | 27 | 130 | 154 | 20k+ | Non-prefixed global variable | ||
| #629 | Rate My Post – Star Rating Plugin by FeedbackWP | 27 | 222 | 360 | 20k+ | Output is not escaped | ||
| #630 | Robokassa payment gateway for Woocommerce | 27 | 95 | 211 | 3k+ | Non-prefixed global variable | ||
| #631 | Simple Download Monitor | 27 | 218 | 273 | 20k+ | Output is not escaped | ||
| #632 | Social Web Suite – Social Media Auto Post, Social Media Auto Publish | 27 | 74 | 164 | 500 | Non-prefixed global variable | ||
| #633 | Speed Booster Pack ⚡ PageSpeed Optimization Suite | 27 | 108 | 187 | 9k+ | Missing Translators Comment | ||
| #634 | Stream Video Player | 27 | 220 | 135 | 600 | Output is not escaped | ||
| #635 | Theme One Click Demo Importer | 27 | 210 | 157 | 500 | Text Domain Mismatch | ||
| #636 | Verge3D Publishing and E-Commerce | 27 | 245 | 298 | 400 | Nonce verification recommended | ||
| #637 | Watu Quiz | 27 | 1,089 | 1,014 | 3k+ | Output is not escaped | ||
| #638 | Mihdan: Ajax Edit Comments | 27 | 1,300 | 523 | 500 | Text Domain Mismatch | ||
| #639 | Content Pilot – Autoblogging & Affiliate Marketing Suite | 27 | 299 | 269 | 900 | Output is not escaped | ||
| #640 | WP-DBManager | 27 | 386 | 304 | 60k+ | Non-prefixed global variable | ||
| #641 | WP Events Manager | 27 | 294 | 415 | 30k+ | Output is not escaped | ||
| #642 | WP Hide & Security Enhancer | 27 | 124 | 375 | 50k+ | Input is not sanitized | ||
| #643 | wp-mpdf | 27 | 123 | 382 | 1k+ | Non-prefixed global variable | ||
| #644 | WP Activity Log | 27 | 96 | 230 | 300k+ | Nonce verification recommended | ||
| #645 | Worthy – VG WORT Integration für WordPress | 27 | 1,343 | 773 | 1k+ | Output is not escaped | ||
| #646 | Redirection for Contact Form 7 | 27 | 34 | 374 | 200k+ | Non-prefixed global variable | ||
| #647 | Code Engine – PHP Snippets, AI Functions & Automation for WordPress | 28 | 124 | 101 | 700 | Non Singular String Literal Domain | ||
| #648 | Database Cleaner | 28 | 137 | 297 | 10k+ | Direct Query | ||
| #649 | Dynamic User Directory | 28 | 403 | 256 | 1k+ | Output is not escaped | ||
| #650 | Educare – Students & Result Management System | 28 | 1,114 | 1,043 | 800 | Missing nonce verification |