WordPress.WP.AlternativeFunctions.file_system_operations_fopen
file system operations fopen
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #851 | Thumbnail Slider With Lightbox | 34 | 244 | 141 | 700 | Output is not escaped | ||
| #852 | Thumbnail carousel slider | 34 | 277 | 143 | 2k+ | Output is not escaped | ||
| #853 | Vertical Image Slider | 34 | 264 | 138 | 1k+ | Output is not escaped | ||
| #854 | Xml Sitemap Generator | 34 | 72 | 47 | 400 | SQL query is not prepared | ||
| #855 | Embed Plus for YouTube Gallery, Livestream and Lazy Loading with Facades | 34 | 571 | 195 | 100k+ | Output is not escaped | ||
| #856 | Abandoned Checkout Recovery & Order Notifications for WooCommerce | 35 | 108 | 77 | 800 | Text Domain Mismatch | ||
| #857 | Air WP Sync – Airtable to WordPress | 35 | 37 | 45 | 1k+ | Non-prefixed hook name | ||
| #858 | Avif Express | 35 | 26 | 167 | 400 | Input is not validated | ||
| #859 | Awin – Advertiser Tracking for WooCommerce | 35 | 46 | 39 | 1k+ | Non Singular String Literal Domain | ||
| #860 | CatFolders – WordPress Media Library Folders & Categories | 35 | 35 | 76 | 6k+ | Direct Query | ||
| #861 | CompressX — AVIF & WebP Converter, Media Replacement | 35 | 26 | 423 | 40k+ | Missing nonce verification | ||
| #862 | Cookies and Content Security Policy | 35 | 261 | 412 | 10k+ | Output is not escaped | ||
| #863 | Create Block Theme | 35 | 43 | 5 | 20k+ | unlink unlink | ||
| #864 | Currency Converter | 35 | 104 | 4 | 400 | Output is not escaped | ||
| #865 | Custom CSS and JavaScript | 35 | 38 | 91 | 10k+ | Input is not sanitized | ||
| #866 | Easy Noindex And Nofollow | 35 | 55 | 18 | 400 | Output is not escaped | ||
| #867 | Editorial Calendar | 35 | 127 | 160 | 20k+ | Output is not escaped | ||
| #868 | Elementor Website Builder – more than just a page builder | 35 | 46 | 428 | 10m+ | Non-prefixed global variable | ||
| #869 | EWWW Image Optimizer | 35 | 225 | 729 | 1m+ | Direct Query | ||
| #870 | Windows Compatibility Fix | 35 | 13 | 6 | 1k+ | Plugin Directory Write | ||
| #871 | Full Width Banner Slider Wp | 35 | 239 | 140 | 2k+ | Output is not escaped | ||
| #872 | g-FFL Cockpit | 35 | 18 | 224 | 500 | Direct Query | ||
| #873 | Image Watermark | 35 | 85 | 181 | 40k+ | Missing nonce verification | ||
| #874 | Import Users & Customers with Meta | WP Ultimate CSV Importer Add-on | 35 | 27 | 140 | 5k+ | Interpolated SQL is not prepared | ||
| #875 | Imsanity | 35 | 32 | 29 | 200k+ | Direct Query | ||
| #876 | Instant CSS | 35 | 25 | 25 | 3k+ | Output is not escaped | ||
| #877 | IP Based Login | 35 | 179 | 146 | 600 | Output is not escaped | ||
| #878 | Static Site Exporter | 35 | 54 | 25 | 500 | file system operations mkdir | ||
| #879 | Kargo Takip | 35 | 84 | 142 | 3k+ | Missing nonce verification | ||
| #880 | Movylo Marketing Automation | 35 | 38 | 88 | 700 | error log print r | ||
| #881 | NS Cloner – Site Cloner and Multisite Duplicator | 35 | 29 | 16 | 7k+ | Missing direct file access protection | ||
| #882 | Page Optimize | 35 | 70 | 41 | 200k+ | Non Singular String Literal Domain | ||
| #883 | Planyo online reservation system | 35 | 64 | 90 | 400 | Output is not escaped | ||
| #884 | Plausible Analytics | 35 | 244 | 61 | 10k+ | Exception output is not escaped | ||
| #885 | Post List Featured Image | 35 | 112 | 100 | 900 | Output is not escaped | ||
| #886 | QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly | 35 | 225 | 110 | 8k+ | Non Singular String Literal Domain | ||
| #887 | Internal Links Manager | 35 | 188 | 121 | 10k+ | Output is not escaped | ||
| #888 | Security Optimizer – The All-In-One Protection Plugin | 35 | 40 | 86 | 1m+ | Input is not sanitized | ||
| #889 | Solid Performance – Your No-Code Caching, Performance, & Page Speed Solution | 35 | 75 | 61 | 4k+ | Exception output is not escaped | ||
| #890 | String locator | 35 | 52 | 319 | 100k+ | Non-prefixed global variable | ||
| #891 | Taxonomy CSV Import Export | 35 | 5 | 30 | 700 | Missing nonce verification | ||
| #892 | The Courier Guy Shipping for WooCommerce | 35 | 57 | 107 | 3k+ | Missing nonce verification | ||
| #893 | Video Grid | 35 | 253 | 106 | 1k+ | Output is not escaped | ||
| #894 | Video Gallery | 35 | 336 | 178 | 600 | Output is not escaped | ||
| #895 | ShipStation Live Rates for WooCommerce | 35 | 402 | 73 | 900 | Non Singular String Literal Domain | ||
| #896 | Converter for Media – Optimize images | Convert WebP & AVIF | 35 | 133 | 53 | 500k+ | curl curl setopt | ||
| #897 | Easy Accept Payments via PayPal | 35 | 322 | 128 | 7k+ | Text Domain Mismatch | ||
| #898 | WP Compiler | 35 | 33 | 20 | 1k+ | Output is not escaped | ||
| #899 | Database Backup for WordPress | 35 | 128 | 88 | 70k+ | Output is not escaped | ||
| #900 | WP-Paginate | 35 | 37 | 55 | 20k+ | Input is not validated |