WordPress.WP.AlternativeFunctions.file_system_operations_fopen
file system operations fopen
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
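
The three fixes above combined in one write path, as an added example (not code from Plugin Check or from any listed plugin). The `myplugin_` names and the `myplugin` subdirectory are hypothetical, and the example assumes the active filesystem transport accepts local paths (the direct method):

```php
<?php
// Added example: hypothetical helper; every "myplugin" name is a placeholder.
function myplugin_write_export( $requested_name, $contents ) {
	require_once ABSPATH . 'wp-admin/includes/file.php';

	// Initialise the WordPress filesystem API instead of calling fopen()/fwrite().
	global $wp_filesystem;
	if ( ! WP_Filesystem() || ! $wp_filesystem ) {
		return new WP_Error( 'myplugin_fs', 'Filesystem API unavailable (credentials may be required).' );
	}

	// Reduce the requested name to a bare file name so separators and "../" do not survive.
	$name = sanitize_file_name( wp_basename( $requested_name ) );

	// Allowlist data extensions only, so no executable file (.php, .phtml) is ever written.
	$allowed = array(
		'json' => 'application/json',
		'csv'  => 'text/csv',
		'txt'  => 'text/plain',
	);
	$type = wp_check_filetype( $name, $allowed );
	if ( '' === $name || ! $type['ext'] ) {
		return new WP_Error( 'myplugin_ext', 'File type not allowed.' );
	}

	// Keep writes in a plugin-owned directory under WordPress uploads.
	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', 'Uploads directory unavailable.' );
	}
	$dir = trailingslashit( $uploads['basedir'] ) . 'myplugin';
	if ( ! wp_mkdir_p( $dir ) ) {
		return new WP_Error( 'myplugin_dir', 'Could not create the plugin directory.' );
	}

	// Resolve symlinks and confirm the directory still sits inside uploads.
	$base_real = realpath( $uploads['basedir'] );
	$dir_real  = realpath( $dir );
	if ( false === $base_real || false === $dir_real
		|| 0 !== strpos( trailingslashit( wp_normalize_path( $dir_real ) ), trailingslashit( wp_normalize_path( $base_real ) ) ) ) {
		return new WP_Error( 'myplugin_path', 'Target directory is outside uploads.' );
	}

	$target = trailingslashit( $dir_real ) . $name;
	if ( ! $wp_filesystem->put_contents( $target, $contents, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write', 'Write failed.' );
	}
	return $target;
}
```

The function returns the written path on success and a `WP_Error` otherwise, so callers should check the result with `is_wp_error()` before using it.
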
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #151 | NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall | 22 | 1,266 | 2,059 | 100k+ | Non-prefixed global variable | ||
| #152 | NinjaScanner – Virus & Malware scan | 22 | 596 | 551 | 30k+ | Non-prefixed global variable | ||
| #153 | oik | 22 | 489 | 180 | 2k+ | Non Singular String Literal Domain | ||
| #154 | Packeta | 22 | 801 | 333 | 8k+ | Exception output is not escaped | ||
| #155 | PDF Builder for WPForms | 22 | 321 | 266 | 900 | SQL query is not prepared | ||
| #156 | Smart Popup by Supsystic | 22 | 3,172 | 503 | 10k+ | Non Singular String Literal Domain | ||
| #157 | Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | 22 | 1,581 | 2,326 | 300k+ | Non-prefixed global variable | ||
| #158 | Prime Mover – Migrate WordPress Website & Backups | 22 | 1,326 | 1,600 | 10k+ | Non-prefixed global variable | ||
| #159 | Product Catalog Feed by PixelYourSite | 22 | 581 | 357 | 8k+ | Output is not escaped | ||
| #160 | PageSpeed Ninja – Cache, Minify, Defer CSS JavaScript, Critical CSS, Optimize Images, Convert WebP | 22 | 984 | 407 | 5k+ | Unsafe printing function | ||
| #161 | RealPress – Real Estate Plugin | 22 | 604 | 1,167 | 500 | Non-prefixed global variable | ||
| #162 | Social Sharing Plugin – Sassy Social Share | 22 | 1,689 | 233 | 100k+ | wp function not compatible with requires wp | ||
| #163 | Seraphinite Accelerator | 22 | 594 | 255 | 50k+ | Output is not escaped | ||
| #164 | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF | 22 | 1,044 | 799 | 300k+ | Non-prefixed global variable | ||
| #165 | Simple Job Board | 22 | 634 | 1,355 | 10k+ | Non-prefixed global variable | ||
| #166 | Slim Jetpack | 22 | 2,586 | 1,947 | 2k+ | Text Domain Mismatch | ||
| #167 | SNS Count Cache | 22 | 918 | 120 | 8k+ | Non Singular String Literal Domain | ||
| #168 | SportsPress – Sports Club & League Manager | 22 | 460 | 2,242 | 10k+ | Non-prefixed global variable | ||
| #169 | SSL Zen — SSL Certificate Installer & HTTPS Redirects | 22 | 785 | 1,588 | 10k+ | Non-prefixed global variable | ||
| #170 | Stylish Price List – Price Table Builder & QR Code Restaurant Menu | 22 | 674 | 678 | 3k+ | Output is not escaped | ||
| #171 | Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent | 22 | 225 | 519 | 8k+ | error log error log | ||
| #172 | The Moneytizer | 22 | 751 | 271 | 1k+ | Text Domain Mismatch | ||
| #173 | Theme Editor | 22 | 798 | 685 | 50k+ | Output is not escaped | ||
| #174 | Customize Feeds for Twitter | 22 | 92 | 171 | 4k+ | Non-prefixed global variable | ||
| #175 | RapidLoad AI – Optimize Web Vitals Automatically | 22 | 81 | 840 | 700 | Nonce verification recommended | ||
| #176 | Search & Replace Everything – Quick and Easy Way to Find and Replace Text, Links | 22 | 1,044 | 1,797 | 20k+ | Non-prefixed global variable | ||
| #177 | UpStream: a Project Management Plugin for WordPress | 22 | 683 | 703 | 600 | Non-prefixed global variable | ||
| #178 | URL Shortify – Simple and Easy URL Shortener | 22 | 1,520 | 2,689 | 10k+ | Non-prefixed global variable | ||
| #179 | Welcart e-Commerce | 22 | 10,378 | 10,931 | 10k+ | Text Domain Mismatch | ||
| #180 | UserFeedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds | 22 | 444 | 243 | 200k+ | Text Domain Mismatch | ||
| #181 | WCFM – Frontend Manager for WooCommerce | 22 | 4,754 | 5,054 | 20k+ | Non-prefixed global variable | ||
| #182 | WCFM Marketplace – Multivendor Marketplace for WooCommerce | 22 | 1,934 | 1,966 | 10k+ | Non-prefixed global variable | ||
| #183 | WCFM Membership – WooCommerce Memberships for Multivendor Marketplace | 22 | 559 | 675 | 10k+ | Non-prefixed global variable | ||
| #184 | Wenprise WeChatPay Payment Gateway For WooCommerce | 22 | 443 | 178 | 400 | Exception output is not escaped | ||
| #185 | WooCommerce | 22 | 1,359 | 6,172 | 7m+ | Non-prefixed global variable | ||
| #186 | Simple Shopping Cart | 22 | 796 | 536 | 10k+ | Unsafe printing function | ||
| #187 | ManageWP Worker | 22 | 507 | 565 | 1m+ | Non-prefixed class | ||
| #188 | WP Easy Pay – Payment and Donation form Builder for Square | 22 | 910 | 1,835 | 1k+ | Non-prefixed global variable | ||
| #189 | WP Express Checkout (Fast Payments via PayPal & Stripe) | 22 | 591 | 627 | 1k+ | Output is not escaped | ||
| #190 | File Manager | 22 | 740 | 520 | 1m+ | Unsafe printing function | ||
| #191 | WP Fusion Lite – Marketing Automation and CRM Integration for WordPress | 22 | 275 | 683 | 5k+ | Nonce verification recommended | ||
| #192 | WP Umbrella: Update Backup Restore & Monitoring | 22 | 918 | 916 | 70k+ | Exception output is not escaped | ||
| #193 | Wp-Insert | 22 | 267 | 301 | 10k+ | Output is not escaped | ||
| #194 | AidWP – Donation & Payment Forms (Stripe Powered) | 22 | 1,317 | 1,675 | 800 | Non-prefixed global variable | ||
| #195 | WP Super Minify • Minify, Compress and Cache HTML, CSS & JavaScript | 22 | 164 | 257 | 9k+ | Non-prefixed constant | ||
| #196 | NotifSMS – SMS Notifications OTP & 2FA for WordPress & WooCommerce | 22 | 1,353 | 1,412 | 2k+ | Non-prefixed global variable | ||
| #197 | WP-WebAuthn | 22 | 957 | 396 | 2k+ | Exception output is not escaped | ||
| #198 | WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell | 22 | 5,996 | 2,790 | 5k+ | Text Domain Mismatch | ||
| #199 | WPSSO Core – Complete Schema Markup and Meta Tags | 22 | 1,407 | 412 | 5k+ | Missing Translators Comment | ||
| #200 | YaySMTP – WP Mail SMTP with Email Logs, Tracking & Reports | 22 | 654 | 435 | 10k+ | Exception output is not escaped | ||