WordPress.WP.AlternativeFunctions.file_system_operations_fopen
file system operations fopen
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1001 | Heroic Favicon Generator | 41 | 104 | 7 | 6k+ | Output is not escaped | ||
| #1002 | iCount Payment Gateway | 41 | 153 | 22 | 500 | Text Domain Mismatch | ||
| #1003 | Multiple Domain | 41 | 42 | 17 | 10k+ | Output is not escaped | ||
| #1004 | Simple 301 Redirects By BetterLinks – Easy WordPress Redirect Manager for Redirects, 404 Error Log & More | 41 | 43 | 61 | 100k+ | Request data is not unslashed | ||
| #1005 | Threat Scan Plugin | 41 | 29 | 17 | 400 | Output is not escaped | ||
| #1006 | Spam Protect for Contact Form 7 | 41 | 16 | 61 | 10k+ | Request data is not unslashed | ||
| #1007 | WP Media folders | 41 | 19 | 74 | 3k+ | Direct Query | ||
| #1008 | Gelato Integration for WooCommerce | 42 | 36 | 32 | 5k+ | Output is not escaped | ||
| #1009 | Mailster Cool Captcha | 42 | 65 | 28 | 400 | Text Domain Mismatch | ||
| #1010 | WP QuickLaTeX | 42 | 41 | 60 | 4k+ | Non-prefixed global variable | ||
| #1011 | WP SmartCrop | 43 | 43 | 12 | 4k+ | Output is not escaped | ||
| #1012 | SmartVideo – Video Player and CDN | 44 | 295 | 44 | 1k+ | Text Domain Mismatch | ||
| #1013 | WP Club Manager – WordPress Sports Club Plugin | 44 | 171 | 682 | 600 | Non-prefixed global variable | ||
| #1014 | Contact Form 7 Signature Addon | 45 | 147 | 44 | 6k+ | Text Domain Mismatch | ||
| #1015 | Evergreen Countdown Timer | 45 | 193 | 35 | 2k+ | wp function not compatible with requires wp | ||
| #1016 | JetHost Total Care – Security & Enhancements | 45 | 10 | 85 | 800 | Direct Query | ||
| #1017 | Better image sizes | 46 | 45 | 23 | 2k+ | Text Domain Mismatch | ||
| #1018 | Official CleverReach® Plugin for WooCommerce | 46 | 37 | 98 | 400 | Non-prefixed global variable | ||
| #1019 | Export Import Menus | 46 | 23 | 28 | 10k+ | Missing nonce verification | ||
| #1020 | Gravity Forms Constant Contact | 46 | 36 | 27 | 3k+ | Non-prefixed class | ||
| #1021 | 404 Image Redirection (Replace Broken Images) | 47 | 118 | 85 | 500 | Text Domain Mismatch | ||
| #1022 | Import Users from CSV | 47 | 33 | 12 | 10k+ | Unsafe printing function | ||
| #1023 | Tabby Checkout | 47 | 33 | 46 | 4k+ | Non-prefixed class | ||
| #1024 | The Tribal Plugin | 47 | 43 | 62 | 800 | Non-prefixed function | ||
| #1025 | iControlWP | 47 | 45 | 59 | 1k+ | Missing direct file access protection | ||
| #1026 | WP Prefix Changer | 47 | 27 | 16 | 900 | Missing Arg Domain | ||
| #1027 | Compress, Resize & Lazy Load Images – WPvivid Image Optimization | 47 | 107 | 58 | 10k+ | Missing direct file access protection | ||
| #1028 | Ansar Import – One Click Starter Sites – for Elementor & Themes | 48 | 27 | 116 | 10k+ | Non-prefixed global variable | ||
| #1029 | Tag Pilot FREE – Google Tag Manager Integration for WooCommerce | 48 | 35 | 19 | 1k+ | Output is not escaped | ||
| #1030 | Instamojo for WooCommerce | 48 | 72 | 44 | 5k+ | Text Domain Mismatch | ||
| #1031 | wp-Monalisa | 48 | 56 | 94 | 700 | Direct Query | ||
| #1032 | Drag and Drop Multiple File Upload for WooCommerce | 49 | 114 | 29 | 5k+ | Text Domain Mismatch | ||
| #1033 | PDF Invoices & Packing Slips for WooCommerce – Challan | 49 | 56 | 151 | 4k+ | Non-prefixed global variable | ||
| #1034 | Event Organiser CSV | 50 | 28 | 27 | 600 | Output is not escaped | ||
| #1035 | Veeqo for WooCommerce | 50 | 30 | 17 | 700 | Missing direct file access protection | ||
| #1036 | Fullscreen Galleria | 52 | 37 | 10 | 800 | Output is not escaped | ||
| #1037 | Price Based on Country for WooCommerce | 52 | 43 | 126 | 20k+ | Non-prefixed hook name | ||
| #1038 | Connect Contact Form 7 and Mailchimp | 53 | 290 | 52 | 40k+ | Text Domain Mismatch | ||
| #1039 | CSV Importer | 54 | 24 | 11 | 3k+ | Missing direct file access protection | ||
| #1040 | Review Stream | 56 | 41 | 42 | 400 | Non-prefixed global variable | ||
| #1041 | ThemeinWP Import Companion | 56 | 17 | 14 | 4k+ | Unsafe printing function | ||
| #1042 | Known Agents – Track AI Bots and Crawlers, Block Scrapers, Analyze LLM Referral Traffic | 57 | 37 | 12 | 1k+ | Setting is missing a sanitization callback | ||
| #1043 | Gravity PDF | 57 | 116 | 152 | 20k+ | Non-prefixed global variable | ||
| #1044 | PDF invoice for WP ERP | 58 | 96 | 134 | 2k+ | Non-prefixed global variable | ||
| #1045 | Videopack | 58 | 28 | 108 | 10k+ | Input is not sanitized | ||
| #1046 | flowpaper | 59 | 13 | 31 | 10k+ | Non-prefixed function | ||
| #1047 | Resize Image After Upload | 59 | 15 | 11 | 80k+ | Output is not escaped | ||
| #1048 | WC Korkmaz Contract – Contracts for WooCommerce | 59 | 7 | 38 | 600 | Non-prefixed global variable | ||
| #1049 | Surge | 60 | 46 | 47 | 4k+ | Non-prefixed global variable | ||
| #1050 | WoowGallery | 60 | 15 | 178 | 1k+ | Non-prefixed global variable |