WordPress.WP.AlternativeFunctions.file_system_operations_fopen

file system operations fopen

The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.

medium weight

Why It Shows Up

Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.

Why It Matters

WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.

How to Fix

  • Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
  • Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
  • Never write PHP code from user input or remote responses.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#901WP-Paginate35375520k+Input is not validated
#902WP PGP Encrypted Emails356339400Output is not escaped
#903video carousel slider with lightbox353501361k+Output is not escaped
#904WSB HUB335361091k+Missing nonce verification
#905XServer Migrator35395310k+Interpolated SQL is not prepared
#906Yabe Webfont – Use Custom Fonts, Google Fonts or Adobe Fonts35481145k+Non-prefixed hook name
#907Year Make Model Search for WooCommerce351881621k+Output is not escaped
#908Bard Extra3615975700Text Domain Mismatch
#909Blaze Demo Importer36101948k+Output is not escaped
#910bpost shipping369743700Output is not escaped
#911Cashflows for WooCommerce3611836600Text Domain Mismatch
#912Simple SEO3616411310k+Non Singular String Literal Domain
#913Contact Form 7 Polylang Module3632455k+Output is not escaped
#914ColorMeShop WordPress Plugin3639237600Exception output is not escaped
#915Custom PHP Settings361537610k+Output is not escaped
#916Dashboard Widgets Suite362061244k+Output is not escaped
#917Drag and Drop Multiple File Upload for Contact Form 736823660k+wp function not compatible with requires wp
#918Export Variable Products367949400Text Domain Mismatch
#919HTML5 Maps361941605k+Output is not escaped
#920If-So Geolocation3650571k+Non-prefixed global variable
#921Just TinyMCE Custom Styles36112281k+Missing Arg Domain
#922Leartes TRY Exchange Rates3625027500Text Domain Mismatch
#923We’re Open!362731875k+Unsafe printing function
#924PDF Forms Filler for CF736185793k+Text Domain Mismatch
#925PDF Forms Filler for WPForms3616154600Text Domain Mismatch
#926Plugins Garbage Collector (Database Cleanup)36325110k+Missing nonce verification
#927Qubely – Advanced Gutenberg Blocks3639788k+Request data is not unslashed
#928Quick 301 Redirects36891205k+Non-prefixed global variable
#929Search & Replace365053100k+Missing nonce verification
#930Search Everything361657710k+Text Domain Mismatch
#931Speed Optimizer – The All-In-One Performance-Boosting Plugin3645961m+Non-prefixed hook name
#932Shadowbox JS36246141k+Unsafe printing function
#933SMTP for SendGrid – YaySMTP3627961k+Non-prefixed global variable
#934Sync QCloud COS3663109600Non-prefixed function
#935SuperFaktura WooCommerce36601162k+Nonce verification recommended
#936Export Themes36122902k+Non-prefixed constant
#937WP LaTeX3610312700Output is not escaped
#938Payment Button for PayPal36155864k+Unsafe printing function
#939WP Hardening (discontinued)362308510k+Text Domain Mismatch
#940WP Stripe Checkout361981181k+Unsafe printing function
#941WP Super Edit36351852k+Nonce verification recommended
#942Adaptive Images for WordPress3751753k+Output is not escaped
#943Analytics Spam Blocker377622800Unsafe printing function
#944Asesor de Cookies RGPD para normativa europea37928720k+wp function not compatible with requires wp
#945Async JavaScript373577970k+Unsafe printing function
#946authLdap3746304k+Exception output is not escaped
#947Call Now Button – The #1 Click to Call Button for WordPress371,2735200k+Exception output is not escaped
#948Checkout for PayPal3713467600Unsafe printing function
#949CookieAdmin – Cookie Consent Banner374386400k+Nonce verification recommended
#950Debug Log Viewer3726831k+Missing nonce verification