WordPress.WP.AlternativeFunctions.file_system_operations_fwrite
file system operations fwrite
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
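One way to apply the three fixes above, shown next to the pattern the sniff flags. This is an added example, not code from Plugin Check or from any plugin listed on this page; the `myplugin_` function names, the `myplugin-cache` directory and the extension allow-list are assumptions.

```php
<?php
// Flagged pattern: raw handle-based write, path built from caller input.
function myplugin_save_raw( $name, $data ) {
	$fh = fopen( WP_CONTENT_DIR . '/' . $name, 'w' ); // flagged: fopen
	fwrite( $fh, $data );                             // flagged: fwrite
	fclose( $fh );
}

// Replacement: WP_Filesystem write confined to a plugin-owned uploads subdirectory.
// Returns the written path on success or a WP_Error on failure.
function myplugin_save( $name, $data ) {
	global $wp_filesystem;

	require_once ABSPATH . 'wp-admin/includes/file.php';
	if ( ! WP_Filesystem() ) {
		return new WP_Error( 'myplugin_fs', 'Filesystem API could not be initialised.' );
	}

	// Reduce the supplied name to a bare file name and allow only data
	// extensions, so the function can never produce a .php file.
	$name = sanitize_file_name( wp_basename( $name ) );
	$ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
	if ( '' === $name || ! in_array( $ext, array( 'json', 'txt', 'csv' ), true ) ) {
		return new WP_Error( 'myplugin_name', 'File name or extension not allowed.' );
	}

	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', 'Uploads directory is not available.' );
	}
	$dir = trailingslashit( $uploads['basedir'] ) . 'myplugin-cache'; // hypothetical directory
	if ( ! wp_mkdir_p( $dir ) ) {
		return new WP_Error( 'myplugin_dir', 'Could not create the target directory.' );
	}

	// Resolve symlinks and confirm the target is still inside uploads.
	$base = trailingslashit( wp_normalize_path( (string) realpath( $uploads['basedir'] ) ) );
	$real = trailingslashit( wp_normalize_path( (string) realpath( $dir ) ) );
	if ( '/' === $base || 0 !== strpos( $real, $base ) ) {
		return new WP_Error( 'myplugin_path', 'Target directory is outside uploads.' );
	}

	if ( ! $wp_filesystem->put_contents( $real . $name, $data, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write', 'Write failed.' );
	}
	return $real . $name;
}
```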
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #601 | Shariff Wrapper | 32 | 33 | 404 | 30k+ | Non-prefixed global variable | ||
| #602 | System Dashboard | 32 | 91 | 205 | 1k+ | Request data is not unslashed | ||
| #603 | TK Google Fonts GDPR Compliant | 32 | 582 | 34 | 1k+ | Output is not escaped | ||
| #604 | WP 2-step verification | 32 | 154 | 65 | 1k+ | Output is not escaped | ||
| #605 | WP Bannerize Pro | 32 | 281 | 216 | 800 | Text Domain Mismatch | ||
| #606 | Advanced Custom Fields: Typography Field | 33 | 445 | 57 | 4k+ | Text Domain Mismatch | ||
| #607 | Affiliate Program & Referral Tracking for WooCommerce & WordPress – Affilia | 33 | 80 | 172 | 600 | Nonce verification recommended | ||
| #608 | Cargus | 33 | 48 | 64 | 700 | Input is not sanitized | ||
| #609 | Century ToolKit | 33 | 118 | 78 | 800 | Output is not escaped | ||
| #610 | Contact List – Online Staff Directory & Address Book | 33 | 118 | 342 | 1k+ | Nonce verification recommended | ||
| #611 | Human Presence – Stop Form Spam Without ReCaptcha | 33 | 54 | 65 | 1k+ | Request data is not unslashed | ||
| #612 | Gallery Custom Links | 33 | 64 | 62 | 30k+ | Non Singular String Literal Domain | ||
| #613 | IP2Location Redirection | 33 | 194 | 115 | 8k+ | Output is not escaped | ||
| #614 | Janolaw AGB Hosting | 33 | 198 | 11 | 1k+ | Short PHP open tag found | ||
| #615 | LWSCache | 33 | 47 | 104 | 6k+ | Non-prefixed global variable | ||
| #616 | Merge + Minify + Refresh | 33 | 78 | 26 | 4k+ | date date | ||
| #617 | More Types | 33 | 227 | 198 | 800 | Non-prefixed global variable | ||
| #618 | PeproDev WooCommerce Receipt Uploader | 33 | 325 | 49 | 1k+ | Non Singular String Literal Domain | ||
| #619 | Picture Gallery – Frontend Image Uploads, AJAX Photo List | 33 | 112 | 150 | 400 | Request data is not unslashed | ||
| #620 | QNAP NAS Backup | 33 | 374 | 70 | 2k+ | Non Singular String Literal Domain | ||
| #621 | Social Rocket – Social Sharing Plugin | 33 | 1,016 | 255 | 1k+ | Unsafe printing function | ||
| #622 | Multi-Carrier EasyPost Shipping Methods & Address Validation for WooCommerce | 33 | 424 | 69 | 400 | Non Singular String Literal Domain | ||
| #623 | Multi-Carrier Shippo Shipping Rates & Address Validation for WooCommerce | 33 | 411 | 73 | 3k+ | Non Singular String Literal Domain | ||
| #624 | PostNL for WooCommerce | 33 | 598 | 108 | 3k+ | Text Domain Mismatch | ||
| #625 | EasyMedia – Increase Media Upload File Size \| Role-Based Upload Limit \| Increase Execution Time | 33 | 82 | 138 | 70k+ | Non-prefixed global variable | ||
| #626 | WPReplace内容字符替换插件 | 33 | 209 | 195 | 800 | Non Singular String Literal Domain | ||
| #627 | XML Sitemaps | 33 | 65 | 62 | 2k+ | Output is not escaped | ||
| #628 | Advanced Custom Fields: reCAPTCHA Field | 34 | 104 | 53 | 800 | Text Domain Mismatch | ||
| #629 | affiliate-toolkit – Multi-Network Affiliate & Amazon Product Display | 34 | 326 | 75 | 2k+ | Output is not escaped | ||
| #630 | All-in-One WP Migration and Backup | 34 | 47 | 69 | 5m+ | Missing nonce verification | ||
| #631 | AyeCode Connect | 34 | 178 | 253 | 10k+ | Nonce verification recommended | ||
| #632 | Clean Testimonials | 34 | 127 | 87 | 400 | Output is not escaped | ||
| #633 | Dr. Flex | 34 | 83 | 51 | 1k+ | Output is not escaped | ||
| #634 | Export Customers Data | 34 | 109 | 49 | 500 | Text Domain Mismatch | ||
| #635 | FV Gravatar Cache | 34 | 50 | 42 | 700 | Output is not escaped | ||
| #636 | Garden Gnome Package | 34 | 116 | 51 | 4k+ | Text Domain Mismatch | ||
| #637 | Geolocation IP Detection | 34 | 227 | 167 | 20k+ | Output is not escaped | ||
| #638 | Image Cleanup | 34 | 52 | 94 | 1k+ | Nonce verification recommended | ||
| #639 | IP2Location Country Blocker | 34 | 295 | 88 | 30k+ | Output is not escaped | ||
| #640 | Lenix Leads Collector | 34 | 414 | 242 | 10k+ | Text Domain Mismatch | ||
| #641 | MantraBrain Starter Sites \| MantraBrain Theme Demo Importer | 34 | 117 | 61 | 1k+ | Output is not escaped | ||
| #642 | Meow Analytics (Google Analytics) | 34 | 80 | 54 | 400 | Output is not escaped | ||
| #643 | Meow Lightbox | 34 | 77 | 52 | 10k+ | Non Singular String Literal Domain | ||
| #644 | NextGEN Gallery Optimizer | 34 | 128 | 92 | 2k+ | Output is not escaped | ||
| #645 | Meta pixel for WordPress | 34 | 91 | 38 | 400k+ | Exception output is not escaped | ||
| #646 | Child Theme Creator by Orbisius | 34 | 86 | 39 | 10k+ | Output is not escaped | ||
| #647 | OwnerRez | 34 | 79 | 56 | 700 | Unsafe printing function | ||
| #648 | PDF Invoices and Packing Slips For WooCommerce | 34 | 108 | 284 | 1k+ | Non-prefixed global variable | ||
| #649 | Redirection | 34 | 32 | 293 | 2m+ | Non-prefixed class | ||
| #650 | Software License Manager | 34 | 69 | 289 | 900 | Nonce verification recommended | ||