WordPress.WP.AlternativeFunctions.file_system_operations_fopen
file system operations fopen
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
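The three fixes above combined in one helper, as an added example that is not taken from Plugin Check or any listed plugin. The `myplugin_` prefix, the `my-plugin` directory and the csv/txt allow-list are assumptions.

```php
<?php
// Added example: hypothetical helper for a plugin with the assumed slug "my-plugin".
// Returns true on success or a WP_Error describing why the write was refused.
function myplugin_write_report( $filename, $contents ) {
	global $wp_filesystem;

	// Reduce the untrusted name to a safe basename and allow only data extensions,
	// so a request can never create an executable .php file.
	$filename = sanitize_file_name( wp_basename( $filename ) );
	$type     = wp_check_filetype( $filename, array( 'csv' => 'text/csv', 'txt' => 'text/plain' ) );
	if ( '' === $filename || empty( $type['ext'] ) ) {
		return new WP_Error( 'myplugin_bad_name', 'File name or extension not allowed.' );
	}

	// Keep writes inside a plugin-owned directory under WordPress uploads.
	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', $uploads['error'] );
	}
	$base = trailingslashit( $uploads['basedir'] ) . 'my-plugin';
	if ( ! wp_mkdir_p( $base ) ) {
		return new WP_Error( 'myplugin_mkdir', 'Could not create the plugin directory.' );
	}

	// Resolve symlinks and confirm the directory still sits under uploads.
	$real_base    = wp_normalize_path( (string) realpath( $base ) );
	$real_uploads = wp_normalize_path( (string) realpath( $uploads['basedir'] ) );
	if ( '' === $real_base || 0 !== strpos( trailingslashit( $real_base ), trailingslashit( $real_uploads ) ) ) {
		return new WP_Error( 'myplugin_path', 'Target directory is outside uploads.' );
	}

	// Initialise the WordPress filesystem API instead of calling fopen()/fwrite().
	require_once ABSPATH . 'wp-admin/includes/file.php';
	if ( ! WP_Filesystem() ) {
		return new WP_Error( 'myplugin_fs', 'Filesystem API is not available.' );
	}

	$target = trailingslashit( $real_base ) . $filename;
	if ( ! $wp_filesystem->put_contents( $target, $contents, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write', 'Write failed.' );
	}
	return true;
}
```

`WP_Filesystem()` returns false when the site's transport needs credentials that have not been supplied, so callers should handle the `WP_Error` rather than fall back to raw `fopen`.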
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #701 | Pósturinn's Shipping with WooCommerce | 29 | 713 | 551 | 500 | Text Domain Mismatch | ||
| #702 | Social Engine | 29 | 133 | 90 | 600 | Exception output is not escaped | ||
| #703 | SQLite Database Integration | 29 | 161 | 89 | 3k+ | Exception output is not escaped | ||
| #704 | Tilda-publishing | 29 | 219 | 78 | 700 | Output is not escaped | ||
| #705 | Visualizer – Tables & Charts Manager with Built-in AI Generator | 29 | 348 | 331 | 20k+ | Output is not escaped | ||
| #706 | Widget for Yelp Reviews | 29 | 147 | 158 | 2k+ | Output is not escaped | ||
| #707 | Sofortueberweisung Gateway for Woocommerce | 29 | 104 | 71 | 700 | Output is not escaped | ||
| #708 | Woostify Sites Library | 29 | 229 | 198 | 20k+ | Text Domain Mismatch | ||
| #709 | WP-PostRatings | 29 | 425 | 384 | 30k+ | Output is not escaped | ||
| #710 | XML for Google Merchant Center | 29 | 52 | 312 | 3k+ | Non-prefixed global variable | ||
| #711 | Advanced Database Cleaner – Optimize & Clean Database to Speed Up Site Performance | 30 | 164 | 439 | 100k+ | Interpolated SQL is not prepared | ||
| #712 | ApplyOnline – Application Form Builder and Manager | 30 | 345 | 244 | 2k+ | Output is not escaped | ||
| #713 | Contact Form 7 Connector | 30 | 324 | 196 | 5k+ | Text Domain Mismatch | ||
| #714 | BrightEdge Autopilot | 30 | 108 | 31 | 500 | curl curl setopt | ||
| #715 | EDI – Обмен данными между WooCommerce и 1С | 30 | 284 | 101 | 600 | Text Domain Mismatch | ||
| #716 | Element Invader – Template Kits for Elementor | 30 | 274 | 130 | 3k+ | Output is not escaped | ||
| #717 | Eway Payment Gateway | 30 | 509 | 92 | 800 | Missing Translators Comment | ||
| #718 | Export Plugins and Templates | 30 | 143 | 33 | 1k+ | file system operations fread | ||
| #719 | PiWeb Export Customers Users & Guest customer to CSV for WooCommerce | 30 | 173 | 75 | 1k+ | Text Domain Mismatch | ||
| #720 | Import WooCommerce Suite for Products, Orders, Coupons, Reviews, and Customers \| WP Ultimate CSV Importer | 30 | 80 | 434 | 4k+ | Interpolated SQL is not prepared | ||
| #721 | Invisible reCaptcha for WordPress | 30 | 90 | 185 | 80k+ | Input is not sanitized | ||
| #722 | Jetpack Protect | 30 | 657 | 217 | 100k+ | Text Domain Mismatch | ||
| #723 | Laposta Signup Embed | 30 | 88 | 19 | 1k+ | Exception output is not escaped | ||
| #724 | MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | 30 | 63 | 227 | 600k+ | Non-prefixed global variable | ||
| #725 | Novelist | 30 | 475 | 158 | 1k+ | Output is not escaped | ||
| #726 | Operation Demo Importer – Demo Importer For WPoperation Themes | 30 | 245 | 104 | 1k+ | Text Domain Mismatch | ||
| #727 | Popularis Extra | 30 | 237 | 141 | 7k+ | Output is not escaped | ||
| #728 | Pubjet \| پابجت | 30 | 91 | 172 | 1k+ | Output is not escaped | ||
| #729 | Rublon Multi-Factor Authentication (MFA) | 30 | 216 | 160 | 500 | Output is not escaped | ||
| #730 | StoreBuild – Online Store Builder for WooCommerce | 30 | 120 | 211 | 600 | Non-prefixed global variable | ||
| #731 | SmartCrawl SEO checker, analyzer & optimizer | 30 | 347 | 1,307 | 20k+ | Non-prefixed global variable | ||
| #732 | SMTP for Amazon SES – YaySMTP | 30 | 197 | 122 | 3k+ | Exception output is not escaped | ||
| #733 | Travelers' Map | 30 | 311 | 155 | 1k+ | Output is not escaped | ||
| #734 | Urvanov Syntax Highlighter | 30 | 221 | 87 | 3k+ | Output is not escaped | ||
| #735 | User Access Manager | 30 | 393 | 171 | 10k+ | Output is not escaped | ||
| #736 | Widget Manager Light | 30 | 233 | 83 | 600 | Text Domain Mismatch | ||
| #737 | Widgetize Pages Light | 30 | 145 | 104 | 3k+ | Output is not escaped | ||
| #738 | WooCommerce Tax (formerly WooCommerce Shipping & Tax) | 30 | 103 | 198 | 600k+ | Non-prefixed class | ||
| #739 | Photo Gallery Slideshow & Masonry Tiled Gallery | 30 | 806 | 352 | 1k+ | Output is not escaped | ||
| #740 | Yaad Sarig Payment Gateway For WC | 30 | 158 | 271 | 2k+ | Nonce verification recommended | ||
| #741 | AEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image Optimization | 31 | 91 | 133 | 2k+ | Output is not escaped | ||
| #742 | Titan Anti-spam & Security – Brute Force Protection, 2FA & Spam Filter | 31 | 57 | 196 | 50k+ | Nonce verification recommended | ||
| #743 | Asgaros Forum | 31 | 167 | 412 | 10k+ | Output is not escaped | ||
| #744 | Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam | 31 | 598 | 70 | 700 | Text Domain Mismatch | ||
| #745 | Newsletter Sign-Up for CleverReach | 31 | 174 | 72 | 2k+ | Output is not escaped | ||
| #746 | CleverReach® WP | 31 | 103 | 93 | 4k+ | Non-prefixed global variable | ||
| #747 | Codeless Page Builder | 31 | 415 | 258 | 900 | Text Domain Mismatch | ||
| #748 | Download Plugin | 31 | 78 | 102 | 60k+ | Output is not escaped | ||
| #749 | Up2pay e-Transactions WooCommerce Payment Gateway | 31 | 459 | 175 | 4k+ | Text Domain Mismatch | ||
| #750 | Easy Upload Files During Checkout | 31 | 220 | 208 | 500 | Unsafe printing function |