WordPress.WP.AlternativeFunctions.file_system_operations_fopen
file system operations fopen
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
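An added example (not code from Plugin Check or from any plugin listed here) that applies the three points above when a plugin saves a generated export file. The `myplugin_` prefix, the `myplugin/` subdirectory, and the allowed file types are assumptions made for illustration.

```php
<?php
// Added example. Hypothetical helper: myplugin_write_export() and the
// "myplugin" directory name are illustrative, not from the page.
function myplugin_write_export( $filename, $contents ) {
	// Drop any directory components, then strip unsafe characters.
	$filename = sanitize_file_name( wp_basename( $filename ) );

	// Allow only data file types, so a .php file can never be written.
	$allowed = array(
		'csv'  => 'text/csv',
		'json' => 'application/json',
	);
	$type = wp_check_filetype( $filename, $allowed );
	if ( '' === $filename || ! $type['ext'] ) {
		return new WP_Error( 'myplugin_bad_name', 'File name or type not allowed.' );
	}

	// Keep writes inside a plugin-owned directory under WordPress uploads.
	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', $uploads['error'] );
	}
	$base = trailingslashit( wp_normalize_path( $uploads['basedir'] ) ) . 'myplugin/';
	if ( ! wp_mkdir_p( $base ) ) {
		return new WP_Error( 'myplugin_mkdir', 'Could not create export directory.' );
	}

	// Defence in depth: the final path must still start with the base path.
	$target = wp_normalize_path( $base . $filename );
	if ( 0 !== strpos( $target, $base ) ) {
		return new WP_Error( 'myplugin_path', 'Target path escapes export directory.' );
	}

	// Initialise the WordPress filesystem API instead of calling fopen()/fwrite().
	require_once ABSPATH . 'wp-admin/includes/file.php';
	if ( ! WP_Filesystem() ) {
		// The selected transport could not start (for example, it needs credentials).
		return new WP_Error( 'myplugin_fs', 'Filesystem API unavailable.' );
	}
	global $wp_filesystem;

	// FS_CHMOD_FILE applies the site's configured file permissions.
	if ( ! $wp_filesystem->put_contents( $target, $contents, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write', 'Could not write export file.' );
	}
	return $target;
}
```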
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #801 | Advanced Custom Fields: Typography Field | 33 | 445 | 57 | 4k+ | | | Text Domain Mismatch |
| #802 | Affiliate Program & Referral Tracking for WooCommerce & WordPress – Affilia | 33 | 80 | 172 | 500 | | | Nonce verification recommended |
| #803 | Activity Plus Reloaded for BuddyPress | 33 | 88 | 93 | 1k+ | | | Output is not escaped |
| #804 | Cargus | 33 | 48 | 64 | 700 | | | Input is not sanitized |
| #805 | Century ToolKit | 33 | 118 | 78 | 800 | | | Output is not escaped |
| #806 | Contact List – Online Staff Directory & Address Book | 33 | 118 | 342 | 1k+ | | | Nonce verification recommended |
| #807 | EchBay Phonering Alo | 33 | 74 | 47 | 1k+ | | | Output is not escaped |
| #808 | Human Presence – Stop Form Spam Without ReCaptcha | 33 | 54 | 65 | 1k+ | | | Request data is not unslashed |
| #809 | WP GIF Uploader | 33 | 117 | 44 | 1k+ | | | Text Domain Mismatch |
| #810 | IP2Location Redirection | 33 | 194 | 115 | 7k+ | | | Output is not escaped |
| #811 | Janolaw AGB Hosting | 33 | 198 | 11 | 1k+ | | | Short PHP open tag found |
| #812 | LWSCache | 33 | 47 | 104 | 6k+ | | | Non-prefixed global variable |
| #813 | Membership For WooCommerce | 33 | 40 | 659 | 800 | | | Non-prefixed global variable |
| #814 | Merge + Minify + Refresh | 33 | 78 | 26 | 4k+ | | | date date |
| #815 | More Types | 33 | 227 | 198 | 800 | | | Non-prefixed global variable |
| #816 | PeproDev WooCommerce Receipt Uploader | 33 | 325 | 49 | 1k+ | | | Non Singular String Literal Domain |
| #817 | Picture Gallery – Frontend Image Uploads, AJAX Photo List | 33 | 112 | 150 | 400 | | | Request data is not unslashed |
| #818 | QNAP NAS Backup | 33 | 374 | 70 | 2k+ | | | Non Singular String Literal Domain |
| #819 | Save as PDF Plugin by PDFCrowd | 33 | 299 | 254 | 1k+ | | | Non-prefixed global variable |
| #820 | Social Rocket – Social Sharing Plugin | 33 | 1,016 | 255 | 1k+ | | | Unsafe printing function |
| #821 | Multi-Carrier EasyPost Shipping Methods & Address Validation for WooCommerce | 33 | 424 | 69 | 400 | | | Non Singular String Literal Domain |
| #822 | Multi-Carrier Shippo Shipping Rates & Address Validation for WooCommerce | 33 | 411 | 73 | 3k+ | | | Non Singular String Literal Domain |
| #823 | PostNL for WooCommerce | 33 | 598 | 108 | 3k+ | | | Text Domain Mismatch |
| #824 | WP EXtra – One Click Optimize | 33 | 414 | 101 | 7k+ | | | Missing Arg Domain |
| #825 | EasyMedia – Increase Media Upload File Size \| Role-Based Upload Limit \| Increase Execution Time | 33 | 82 | 138 | 70k+ | | | Non-prefixed global variable |
| #826 | XML Sitemaps | 33 | 65 | 62 | 2k+ | | | Output is not escaped |
| #827 | affiliate-toolkit – Multi-Network Affiliate & Amazon Product Display | 34 | 326 | 75 | 2k+ | | | Output is not escaped |
| #828 | AGCA – Custom Dashboard & Login Page | 34 | 350 | 44 | 20k+ | | | Unsafe printing function |
| #829 | All-in-One WP Migration and Backup | 34 | 47 | 69 | 5m+ | | | Missing nonce verification |
| #830 | AyeCode Connect | 34 | 178 | 253 | 10k+ | | | Nonce verification recommended |
| #831 | Cache Master | 34 | 371 | 27 | 400 | | | Output is not escaped |
| #832 | Debug Log Manager Tool | 34 | 44 | 143 | 3k+ | | | Nonce verification recommended |
| #833 | Download After Email – Subscribe & Download Form Plugin | 34 | 22 | 356 | 7k+ | | | Input is not validated |
| #834 | Dr. Flex | 34 | 83 | 51 | 1k+ | | | Output is not escaped |
| #835 | Einsatzverwaltung | 34 | 152 | 128 | 1k+ | | | Output is not escaped |
| #836 | Empik for Woocommerce | 34 | 70 | 259 | 400 | | | Missing nonce verification |
| #837 | Export Customers Data | 34 | 109 | 49 | 500 | | | Text Domain Mismatch |
| #838 | FV Gravatar Cache | 34 | 50 | 42 | 700 | | | Output is not escaped |
| #839 | Garden Gnome Package | 34 | 116 | 51 | 4k+ | | | Text Domain Mismatch |
| #840 | Geolocation IP Detection | 34 | 227 | 167 | 20k+ | | | Output is not escaped |
| #841 | Gitium | 34 | 149 | 57 | 400 | | | Output is not escaped |
| #842 | Image Cleanup | 34 | 52 | 94 | 1k+ | | | Nonce verification recommended |
| #843 | HTML Import 2 | 34 | 273 | 26 | 5k+ | | | Unsafe printing function |
| #844 | IP2Location Country Blocker | 34 | 295 | 88 | 30k+ | | | Output is not escaped |
| #845 | MantraBrain Starter Sites \| MantraBrain Theme Demo Importer | 34 | 117 | 61 | 1k+ | | | Output is not escaped |
| #846 | Meow Lightbox | 34 | 77 | 52 | 10k+ | | | Non Singular String Literal Domain |
| #847 | Montonio for WooCommerce | 34 | 44 | 257 | 10k+ | | | Non-prefixed global variable |
| #848 | NextGEN Gallery Optimizer | 34 | 128 | 92 | 2k+ | | | Output is not escaped |
| #849 | Payoneer Checkout | 34 | 168 | 41 | 5k+ | | | Exception output is not escaped |
| #850 | PDF Invoices and Packing Slips For WooCommerce | 34 | 108 | 284 | 1k+ | | | Non-prefixed global variable |