WordPress.WP.AlternativeFunctions.file_system_operations_fopen
file system operations fopen
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
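The three fixes above combined in one write helper, as an added example that is not code from Plugin Check or from any plugin listed on this page. The `myplugin_` prefix, the `myplugin-exports` directory and the `.json`-only rule are assumptions made for illustration.

```php
<?php
// Added example: the "myplugin_" names and the "myplugin-exports"
// directory are hypothetical.

// Flagged pattern: raw PHP calls, caller-controlled path, no containment.
// $fh = fopen( $path, 'w' ); fwrite( $fh, $data ); fclose( $fh );

/**
 * Write plugin data to a file under uploads/myplugin-exports/.
 *
 * @return string|WP_Error Full path on success.
 */
function myplugin_write_export( $requested_name, $data ) {
	global $wp_filesystem;

	// Keep only a safe base name and allow a single data extension,
	// so a request can never produce a .php file or a nested path.
	$name = sanitize_file_name( wp_basename( $requested_name ) );
	if ( '' === $name || 'json' !== strtolower( pathinfo( $name, PATHINFO_EXTENSION ) ) ) {
		return new WP_Error( 'myplugin_bad_name', 'Only .json file names are accepted.' );
	}

	// Load the filesystem API (not loaded on front-end requests by default).
	require_once ABSPATH . 'wp-admin/includes/file.php';
	if ( ! WP_Filesystem() || ! $wp_filesystem ) {
		return new WP_Error( 'myplugin_fs_unavailable', 'Filesystem access is not available.' );
	}

	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', $uploads['error'] );
	}
	$dir = trailingslashit( $uploads['basedir'] ) . 'myplugin-exports';
	if ( ! wp_mkdir_p( $dir ) ) {
		return new WP_Error( 'myplugin_mkdir', 'Could not create the export directory.' );
	}

	// Containment check: the resolved target must sit directly inside $dir.
	$target = trailingslashit( $dir ) . $name;
	if ( wp_normalize_path( dirname( $target ) ) !== wp_normalize_path( $dir ) ) {
		return new WP_Error( 'myplugin_path', 'Target path is outside the export directory.' );
	}

	if ( ! $wp_filesystem->put_contents( $target, $data, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write', 'Write failed.' );
	}
	return $target;
}
```

When the host's transport is not `direct` and no credentials are stored, `WP_Filesystem()` does not return true, and the helper returns an error instead of falling back to raw calls.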
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #51 | Razorpay for WooCommerce | 20 | 974 | 855 | 100k+ | | | Non-prefixed function |
| #52 | WP Minify Fix | 20 | 306 | 380 | 800 | | | Output is not escaped |
| #53 | WPJAM Basic | 20 | 328 | 356 | 4k+ | | | Output is not escaped |
| #54 | Backup Migration | 21 | 981 | 1,093 | 80k+ | | | Non-prefixed global variable |
| #55 | rtMedia for WordPress, BuddyPress and bbPress | 21 | 363 | 633 | 8k+ | | | Non-prefixed constant |
| #56 | CallTrackingMetrics | 21 | 923 | 286 | 3k+ | | | Unsafe printing function |
| #57 | Captcha Them All | 21 | 300 | 323 | 6k+ | | | Output is not escaped |
| #58 | CartFlows – Funnel Builder & Checkout Plugin for WooCommerce | 21 | 462 | 654 | 200k+ | | | Text Domain Mismatch |
| #59 | Smart Grid-Layout Design for Contact Form 7 | 21 | 1,126 | 734 | 10k+ | | | Output is not escaped |
| #60 | SMS Extension for Contact Form 7 | 21 | 720 | 1,387 | 400 | | | Non-prefixed global variable |
| #61 | Comet Cache | 21 | 857 | 245 | 20k+ | | | Output is not escaped |
| #62 | Daily Prayer Time | 21 | 947 | 1,780 | 1k+ | | | Non-prefixed global variable |
| #63 | DELUCKS SEO | 21 | 362 | 1,171 | 400 | | | Missing nonce verification |
| #64 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | | | Output is not escaped |
| #65 | Ebook Store | 21 | 666 | 1,087 | 700 | | | Non-prefixed global variable |
| #66 | Envo Extra | 21 | 878 | 600 | 20k+ | | | Text Domain Mismatch |
| #67 | EventPrime – Events Calendar, Bookings and Tickets | 21 | 872 | 4,297 | 7k+ | | | Non-prefixed global variable |
| #68 | FACTO – Facturación Electrónica | 21 | 220 | 245 | 400 | | | Request data is not unslashed |
| #69 | Feeds for YouTube (YouTube video, channel, and gallery plugin) | 21 | 558 | 978 | 100k+ | | | Output is not escaped |
| #70 | FileOrganizer – WordPress File Manager | 21 | 536 | 241 | 200k+ | | | unlink unlink |
| #71 | Formidable Forms – WordPress Form Builder for Contact Forms, Calculators, Quizzes & More | 21 | 52 | 1,959 | 300k+ | | | Non-prefixed global variable |
| #72 | Campaign Monitor for WordPress | 21 | 386 | 461 | 2k+ | | | Non-prefixed global variable |
| #73 | Front End Users | 21 | 719 | 2,759 | 400 | | | Non-prefixed global variable |
| #74 | Frontend Dashboard | 21 | 384 | 945 | 500 | | | Non-prefixed function |
| #75 | JCH Optimize | 21 | 953 | 133 | 4k+ | | | Output is not escaped |
| #76 | Modular DS: Monitor, update, and backup multiple websites | 21 | 161 | 81 | 40k+ | | | Exception output is not escaped |
| #77 | Mooberry Book Manager | 21 | 1,040 | 399 | 1k+ | | | Text Domain Mismatch |
| #78 | MotoPress Hotel Booking | 21 | 3,061 | 1,037 | 10k+ | | | Text Domain Mismatch |
| #79 | Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred | 21 | 1,469 | 3,333 | 10k+ | | | Non-prefixed global variable |
| #80 | Packeta | 21 | 802 | 333 | 8k+ | | | Exception output is not escaped |
| #81 | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | 21 | 1,918 | 5,065 | 10k+ | | | Non-prefixed hook name |
| #82 | User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor | 21 | 696 | 1,483 | 50k+ | | | Nonce verification recommended |
| #83 | Razorpay for Gravity Forms | 21 | 411 | 47 | 600 | | | Exception output is not escaped |
| #84 | Razorpay Quick Payments | 21 | 399 | 63 | 3k+ | | | Exception output is not escaped |
| #85 | Five Star Restaurant Reservations – WordPress Booking Plugin | 21 | 1,099 | 1,147 | 10k+ | | | Output is not escaped |
| #86 | Royal Addons for Elementor – Addons and Templates Kit for Elementor | 21 | 13,011 | 2,530 | 600k+ | | | Text Domain Mismatch |
| #87 | Seamless Donations is Sunset | 21 | 600 | 514 | 2k+ | | | Text Domain Mismatch |
| #88 | SeatReg | 21 | 312 | 1,637 | 400 | | | Missing nonce verification |
| #89 | Smart Forms – when you need more than just a contact form | 21 | 776 | 574 | 5k+ | | | Output is not escaped |
| #90 | Accept Stripe Payments | 21 | 373 | 882 | 20k+ | | | Missing nonce verification |
| #91 | TotalPoll for Polls and Contests | 21 | 1,366 | 155 | 1k+ | | | Text Domain Mismatch |
| #92 | Revive Social – Social Media Auto Post and Scheduling Automation Plugin | 21 | 255 | 425 | 20k+ | | | Non-prefixed hook name |
| #93 | UPC/EAN/GTIN Barcode Generator/Importer | 21 | 776 | 311 | 500 | | | Exception output is not escaped |
| #94 | Buckaroo Woocommerce Payments Plugin | 21 | 584 | 326 | 2k+ | | | Exception output is not escaped |
| #95 | WCFM – Frontend Manager for WooCommerce | 21 | 4,721 | 5,067 | 20k+ | | | Non-prefixed global variable |
| #96 | WebP Express | 21 | 160 | 427 | 300k+ | | | Non-prefixed global variable |
| #97 | Wise Chat | 21 | 470 | 506 | 5k+ | | | Output is not escaped |
| #98 | Paysera Payment Gateway for WooCommerce | 21 | 1,866 | 195 | 7k+ | | | Exception output is not escaped |
| #99 | Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools | 21 | 786 | 3,395 | 30k+ | | | Non-prefixed global variable |
| #100 | PPOM – Product Addons & Custom Fields for WooCommerce | 21 | 336 | 1,322 | 20k+ | | | Non-prefixed global variable |