WordPress.WP.AlternativeFunctions.file_system_operations_fwrite
file system operations fwrite
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
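The three fixes above combined in one helper, as an added example that is not taken from Plugin Check or from any listed plugin. The `myplugin_` prefix, the `myplugin-cache` directory and the extension allow-list are assumptions chosen for illustration.

```php
<?php
// Flagged pattern, for comparison: raw handle, caller-controlled path.
//   $fh = fopen( $path, 'w' ); fwrite( $fh, $data ); fclose( $fh );

/**
 * Write a data file into a plugin-owned folder under uploads via WP_Filesystem.
 * Hypothetical helper; returns the written path or a WP_Error.
 */
function myplugin_write_cache_file( $filename, $contents ) {
	global $wp_filesystem;

	// The filesystem API is not loaded on front-end requests.
	require_once ABSPATH . 'wp-admin/includes/file.php';
	// Without stored credentials this succeeds only for the "direct" transport.
	if ( ! WP_Filesystem() ) {
		return new WP_Error( 'myplugin_fs_unavailable', 'Filesystem could not be initialised.' );
	}

	// Reduce the supplied name to a sanitized basename: no "../", no separators.
	$filename = sanitize_file_name( wp_basename( $filename ) );

	// Allow-list data extensions only, so PHP is never written to disk.
	$allowed = array(
		'json' => 'application/json',
		'css'  => 'text/css',
	);
	$type = wp_check_filetype( $filename, $allowed );
	if ( '' === $filename || ! $type['ext'] ) {
		return new WP_Error( 'myplugin_bad_name', 'File name or extension not allowed.' );
	}

	// Keep every write inside a directory the plugin owns under uploads.
	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_no_uploads', $uploads['error'] );
	}
	$dir = trailingslashit( $uploads['basedir'] ) . 'myplugin-cache';
	if ( ! wp_mkdir_p( $dir ) ) {
		return new WP_Error( 'myplugin_mkdir_failed', 'Could not create cache directory.' );
	}

	$target = trailingslashit( $dir ) . $filename;
	if ( ! $wp_filesystem->put_contents( $target, $contents, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write_failed', 'Could not write file.' );
	}
	return $target;
}
```

Callers should check the result with `is_wp_error()` and handle the non-direct transport case, where `WP_Filesystem()` returns false until credentials are supplied.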
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #551 | WPReplace内容字符替换插件 | 33 | 209 | 195 | 800 | | | Non Singular String Literal Domain |
| #552 | XML Sitemaps | 33 | 65 | 62 | 2k+ | | | Output is not escaped |
| #553 | Advanced Custom Fields: reCAPTCHA Field | 34 | 104 | 53 | 800 | | | Text Domain Mismatch |
| #554 | affiliate-toolkit – Multi-Network Affiliate & Amazon Product Display | 34 | 326 | 75 | 2k+ | | | Output is not escaped |
| #555 | All-in-One WP Migration and Backup | 34 | 47 | 69 | 5m+ | | | Missing nonce verification |
| #556 | AyeCode Connect | 34 | 178 | 253 | 10k+ | | | Nonce verification recommended |
| #557 | Garden Gnome Package | 34 | 116 | 51 | 4k+ | | | Text Domain Mismatch |
| #558 | Geolocation IP Detection | 34 | 227 | 167 | 20k+ | | | Output is not escaped |
| #559 | Image Cleanup | 34 | 52 | 94 | 1k+ | | | Nonce verification recommended |
| #560 | IP2Location Country Blocker | 34 | 295 | 88 | 30k+ | | | Output is not escaped |
| #561 | Lenix Leads Collector | 34 | 414 | 242 | 10k+ | | | Text Domain Mismatch |
| #562 | MantraBrain Starter Sites \| MantraBrain Theme Demo Importer | 34 | 117 | 61 | 1k+ | | | Output is not escaped |
| #563 | Meow Lightbox | 34 | 75 | 52 | 10k+ | | | Non Singular String Literal Domain |
| #564 | NextGEN Gallery Optimizer | 34 | 128 | 92 | 2k+ | | | Output is not escaped |
| #565 | Meta pixel for WordPress | 34 | 91 | 38 | 400k+ | | | Exception output is not escaped |
| #566 | Child Theme Creator by Orbisius | 34 | 86 | 39 | 10k+ | | | Output is not escaped |
| #567 | PDF Invoices and Packing Slips For WooCommerce | 34 | 108 | 284 | 1k+ | | | Non-prefixed global variable |
| #568 | Redirection | 34 | 32 | 293 | 2m+ | | | Non-prefixed class |
| #569 | Software License Manager | 34 | 69 | 289 | 900 | | | Nonce verification recommended |
| #570 | Weaver Xtreme Theme Support | 34 | 1,625 | 43 | 9k+ | | | Text Domain Mismatch |
| #571 | Kybernaut IČO DIČ | 34 | 82 | 98 | 3k+ | | | Missing nonce verification |
| #572 | Thumbnail Slider With Lightbox | 34 | 244 | 141 | 700 | | | Output is not escaped |
| #573 | Thumbnail carousel slider | 34 | 277 | 143 | 2k+ | | | Output is not escaped |
| #574 | WP-SCSS | 34 | 269 | 13 | 40k+ | | | Exception output is not escaped |
| #575 | Vertical Image Slider | 34 | 264 | 138 | 1k+ | | | Output is not escaped |
| #576 | Embed Plus for YouTube Gallery, Livestream and Lazy Loading with Facades | 34 | 571 | 195 | 100k+ | | | Output is not escaped |
| #577 | Abandoned Checkout Recovery & Order Notifications for WooCommerce | 35 | 108 | 77 | 800 | | | Text Domain Mismatch |
| #578 | Air WP Sync – Airtable to WordPress | 35 | 38 | 42 | 1k+ | | | Non-prefixed hook name |
| #579 | Cloudflare | 35 | 27 | 85 | 200k+ | | | Non-prefixed namespace |
| #580 | CompressX — AVIF & WebP Converter, Media Replacement | 35 | 26 | 423 | 40k+ | | | Missing nonce verification |
| #581 | Cookies and Content Security Policy | 35 | 261 | 412 | 10k+ | | | Output is not escaped |
| #582 | Custom CSS and JavaScript | 35 | 38 | 91 | 10k+ | | | Input is not sanitized |
| #583 | Nexi Checkout | 35 | 45 | 308 | 3k+ | | | Dynamic hook name |
| #584 | Extendify | 35 | 117 | 168 | 500k+ | | | Non-prefixed global variable |
| #585 | External Links Overview | 35 | 57 | 200 | 800 | | | Non-prefixed global variable |
| #586 | Windows Compatibility Fix | 35 | 13 | 6 | 1k+ | | | Plugin Directory Write |
| #587 | Full Width Banner Slider Wp | 35 | 239 | 140 | 2k+ | | | Output is not escaped |
| #588 | Import Users & Customers with Meta \| WP Ultimate CSV Importer Add-on | 35 | 27 | 140 | 5k+ | | | Interpolated SQL is not prepared |
| #589 | Instant CSS | 35 | 25 | 25 | 3k+ | | | Output is not escaped |
| #590 | Kustom Checkout for WooCommerce | 35 | 101 | 505 | 10k+ | | | Dynamic hook name |
| #591 | Lenix scss compiler | 35 | 133 | 34 | 800 | | | Exception output is not escaped |
| #592 | Less PHP Compiler | 35 | 163 | 47 | 3k+ | | | Exception output is not escaped |
| #593 | Media Credit | 35 | 28 | 35 | 1k+ | | | Non-prefixed global variable |
| #594 | Movylo Marketing Automation | 35 | 38 | 88 | 700 | | | error log print r |
| #595 | NS Cloner – Site Copier | 35 | 29 | 16 | 7k+ | | | Missing direct file access protection |
| #596 | Plausible Analytics | 35 | 244 | 61 | 10k+ | | | Exception output is not escaped |
| #597 | Post List Featured Image | 35 | 112 | 100 | 1k+ | | | Output is not escaped |
| #598 | Security Optimizer – The All-In-One Protection Plugin | 35 | 40 | 82 | 1m+ | | | Request data is not unslashed |
| #599 | Simple History – Track, Log, and Audit WordPress Changes | 35 | 32 | 122 | 300k+ | | | Non-prefixed global variable |
| #600 | String locator | 35 | 52 | 319 | 100k+ | | | Non-prefixed global variable |