WordPress.WP.AlternativeFunctions.file_system_operations_fwrite
file system operations fwrite
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #501 | Laposta Signup Basic | 28 | 276 | 67 | 2k+ | Output is not escaped | ||
| #502 | MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | 28 | 62 | 246 | 600k+ | Non-prefixed global variable | ||
| #503 | Perfect Brands for WooCommerce | 28 | 112 | 143 | 40k+ | Non-prefixed constant | ||
| #504 | PHP Browser Detection | 28 | 68 | 49 | 600 | Non-prefixed function | ||
| #505 | Product Sync for WooCommerce | 28 | 158 | 375 | 400 | Direct Query | ||
| #506 | PushAlert – Web Push Notifications for WordPress and WooCommerce | 28 | 196 | 63 | 1k+ | curl curl setopt | ||
| #507 | Redis Object Cache | 28 | 151 | 103 | 400k+ | Exception output is not escaped | ||
| #508 | Secure Downloads | 28 | 616 | 406 | 600 | Output is not escaped | ||
| #509 | Temporary Login Without Password | 28 | 128 | 131 | 100k+ | wp function not compatible with requires wp | ||
| #510 | Ultimate FAQ Accordion Plugin | 28 | 386 | 227 | 30k+ | Unsafe printing function | ||
| #511 | WeeConnectPay – Clover Payment Gateway for WooCommerce | 28 | 179 | 171 | 500 | Exception output is not escaped | ||
| #512 | WPS Bidouille | 28 | 472 | 215 | 10k+ | Output is not escaped | ||
| #513 | WxSync-标准云微信公众号文章免费采集-任意公众号自动采集付费购买 | 28 | 57 | 138 | 500 | Request data is not unslashed | ||
| #514 | AppPresser – Mobile App Framework | 29 | 262 | 214 | 1k+ | Text Domain Mismatch | ||
| #515 | aThemeArt Theme Helper | 29 | 206 | 151 | 2k+ | Non-prefixed global variable | ||
| #516 | Bitcoin Payments – Blockonomics | 29 | 208 | 227 | 2k+ | Output is not escaped | ||
| #517 | CloudSecure WP Security | 29 | 74 | 350 | 100k+ | Request data is not unslashed | ||
| #518 | DB Cache Reloaded Fix | 29 | 133 | 42 | 2k+ | Output is not escaped | ||
| #519 | Di Themes Demo Site Importer | 29 | 343 | 183 | 1k+ | Text Domain Mismatch | ||
| #520 | Document Gallery | 29 | 183 | 98 | 8k+ | Output is not escaped | ||
| #521 | Interactive Image Map Plugin – Draw Attention | 29 | 620 | 227 | 20k+ | Output is not escaped | ||
| #522 | Easy HTTPS Redirection (SSL) | 29 | 266 | 152 | 100k+ | Unsafe printing function | ||
| #523 | Kits, Templates and Patterns | 29 | 380 | 91 | 5k+ | Text Domain Mismatch | ||
| #524 | Laposta WooCommerce | 29 | 96 | 115 | 500 | Non-prefixed global variable | ||
| #525 | Meow Gallery | 29 | 113 | 182 | 10k+ | Direct Query | ||
| #526 | Offload Media – Cloud Storage | 29 | 126 | 80 | 1k+ | unlink unlink | ||
| #527 | Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization | 29 | 80 | 162 | 200k+ | Nonce verification recommended | ||
| #528 | pCloud WP Backup | 29 | 120 | 73 | 1k+ | Exception output is not escaped | ||
| #529 | PhastPress | 29 | 95 | 52 | 10k+ | Exception output is not escaped | ||
| #530 | Pósturinn\'s Shipping with WooCommerce | 29 | 713 | 551 | 500 | Text Domain Mismatch | ||
| #531 | Social Engine | 29 | 133 | 90 | 600 | Exception output is not escaped | ||
| #532 | SQLite Database Integration | 29 | 161 | 89 | 3k+ | Exception output is not escaped | ||
| #533 | Tilda-publishing | 29 | 219 | 78 | 700 | Output is not escaped | ||
| #534 | Visualizer – Tables & Charts Manager with Built-in AI Generator | 29 | 348 | 331 | 20k+ | Output is not escaped | ||
| #535 | Widget for Yelp Reviews | 29 | 147 | 158 | 2k+ | Output is not escaped | ||
| #536 | Sofortueberweisung Gateway for Woocommerce | 29 | 104 | 71 | 700 | Output is not escaped | ||
| #537 | WP-PostRatings | 29 | 425 | 384 | 30k+ | Output is not escaped | ||
| #538 | XML for Google Merchant Center | 29 | 52 | 312 | 3k+ | Non-prefixed global variable | ||
| #539 | Advanced Database Cleaner – Optimize & Clean Database to Speed Up Site Performance | 30 | 164 | 439 | 100k+ | Interpolated SQL is not prepared | ||
| #540 | Contact Form 7 Connector | 30 | 324 | 196 | 5k+ | Text Domain Mismatch | ||
| #541 | EDI – Обмен данными между WooCommerce и 1С | 30 | 284 | 101 | 600 | Text Domain Mismatch | ||
| #542 | Element Invader – Template Kits for Elementor | 30 | 274 | 130 | 3k+ | Output is not escaped | ||
| #543 | Eway Payment Gateway | 30 | 509 | 92 | 800 | Missing Translators Comment | ||
| #544 | Export Plugins and Templates | 30 | 143 | 33 | 1k+ | file system operations fread | ||
| #545 | PiWeb Export Customers Users & Guest customer to CSV for WooCommerce | 30 | 173 | 75 | 1k+ | Text Domain Mismatch | ||
| #546 | Formzu WP | 30 | 167 | 163 | 3k+ | Text Domain Mismatch | ||
| #547 | Import WooCommerce Suite for Products, Orders, Coupons, Reviews, and Customers | WP Ultimate CSV Importer | 30 | 80 | 434 | 4k+ | Interpolated SQL is not prepared | ||
| #548 | Invisible reCaptcha for WordPress | 30 | 90 | 185 | 80k+ | Input is not sanitized | ||
| #549 | Jetpack Protect | 30 | 657 | 217 | 100k+ | Text Domain Mismatch | ||
| #550 | Laposta Signup Embed | 30 | 88 | 19 | 1k+ | Exception output is not escaped |