WordPress.WP.AlternativeFunctions.file_system_operations_fwrite
file system operations fwrite
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #651 | Abandoned Checkout Recovery & Order Notifications for WooCommerce | 35 | 108 | 77 | 800 | Text Domain Mismatch | ||
| #652 | Air WP Sync – Airtable to WordPress | 35 | 37 | 45 | 1k+ | Non-prefixed hook name | ||
| #653 | Cloudflare | 35 | 27 | 85 | 200k+ | Non-prefixed namespace | ||
| #654 | CompressX — AVIF & WebP Converter, Media Replacement | 35 | 26 | 423 | 40k+ | Missing nonce verification | ||
| #655 | Cookies and Content Security Policy | 35 | 261 | 412 | 10k+ | Output is not escaped | ||
| #656 | Custom CSS and JavaScript | 35 | 38 | 91 | 10k+ | Input is not sanitized | ||
| #657 | Nexi Checkout | 35 | 45 | 308 | 3k+ | Dynamic hook name | ||
| #658 | Dintero Checkout for WooCommerce Payment Methods | 35 | 58 | 48 | 600 | Text Domain Mismatch | ||
| #659 | External Links Overview | 35 | 57 | 200 | 800 | Non-prefixed global variable | ||
| #660 | Windows Compatibility Fix | 35 | 13 | 6 | 1k+ | Plugin Directory Write | ||
| #661 | Full Width Banner Slider Wp | 35 | 239 | 140 | 2k+ | Output is not escaped | ||
| #662 | Gumlet – Image optimization with Resize, Compression, Lazy load, Caching & CDN delivery | 35 | 53 | 45 | 500 | parse url parse url | ||
| #663 | Import Users & Customers with Meta | WP Ultimate CSV Importer Add-on | 35 | 27 | 140 | 5k+ | Interpolated SQL is not prepared | ||
| #664 | Instant CSS | 35 | 25 | 25 | 3k+ | Output is not escaped | ||
| #665 | Static Site Exporter | 35 | 54 | 25 | 500 | file system operations mkdir | ||
| #666 | Kustom Checkout for WooCommerce | 35 | 101 | 505 | 10k+ | Dynamic hook name | ||
| #667 | Lenix scss compiler | 35 | 133 | 34 | 800 | Exception output is not escaped | ||
| #668 | Less PHP Compiler | 35 | 163 | 47 | 3k+ | Exception output is not escaped | ||
| #669 | Media Credit | 35 | 28 | 35 | 1k+ | Non-prefixed global variable | ||
| #670 | Movylo Marketing Automation | 35 | 38 | 88 | 700 | error log print r | ||
| #671 | NewsPlugin | 35 | 84 | 53 | 400 | Text Domain Mismatch | ||
| #672 | NS Cloner – Site Cloner and Multisite Duplicator | 35 | 29 | 16 | 7k+ | Missing direct file access protection | ||
| #673 | Meta pixel for WordPress | 35 | 90 | 40 | 400k+ | Exception output is not escaped | ||
| #674 | OPcache Reset | 35 | 9 | 7 | 400 | Non-prefixed function | ||
| #675 | Plausible Analytics | 35 | 244 | 61 | 10k+ | Exception output is not escaped | ||
| #676 | Post List Featured Image | 35 | 112 | 100 | 900 | Output is not escaped | ||
| #677 | QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly | 35 | 225 | 110 | 8k+ | Non Singular String Literal Domain | ||
| #678 | Security Optimizer – The All-In-One Protection Plugin | 35 | 40 | 86 | 1m+ | Input is not sanitized | ||
| #679 | Simple History – Track, Log, and Audit WordPress Changes | 35 | 32 | 122 | 300k+ | Non-prefixed global variable | ||
| #680 | Image Quality Control | Still BE | 35 | 54 | 44 | 400 | Missing Translators Comment | ||
| #681 | String locator | 35 | 52 | 319 | 100k+ | Non-prefixed global variable | ||
| #682 | The Courier Guy Shipping for WooCommerce | 35 | 57 | 107 | 3k+ | Missing nonce verification | ||
| #683 | Vendi Abandoned Plugin Check | 35 | 13 | 3 | 1k+ | trademarked term | ||
| #684 | Video Grid | 35 | 253 | 106 | 1k+ | Output is not escaped | ||
| #685 | Video Gallery | 35 | 336 | 178 | 600 | Output is not escaped | ||
| #686 | ShipStation Live Rates for WooCommerce | 35 | 402 | 73 | 900 | Non Singular String Literal Domain | ||
| #687 | Kybernaut IČO DIČ | 35 | 79 | 68 | 3k+ | Missing nonce verification | ||
| #688 | Easy Accept Payments via PayPal | 35 | 322 | 128 | 7k+ | Text Domain Mismatch | ||
| #689 | Database Backup for WordPress | 35 | 128 | 88 | 70k+ | Output is not escaped | ||
| #690 | WP-Paginate | 35 | 37 | 55 | 20k+ | Input is not validated | ||
| #691 | WP PGP Encrypted Emails | 35 | 63 | 39 | 400 | Output is not escaped | ||
| #692 | video carousel slider with lightbox | 35 | 350 | 136 | 1k+ | Output is not escaped | ||
| #693 | WSB HUB3 | 35 | 36 | 109 | 1k+ | Missing nonce verification | ||
| #694 | XServer Migrator | 35 | 39 | 53 | 10k+ | Interpolated SQL is not prepared | ||
| #695 | Yabe Webfont – Use Custom Fonts, Google Fonts or Adobe Fonts | 35 | 48 | 114 | 5k+ | Non-prefixed hook name | ||
| #696 | authLdap | 36 | 47 | 30 | 4k+ | Exception output is not escaped | ||
| #697 | bpost shipping | 36 | 97 | 43 | 700 | Output is not escaped | ||
| #698 | Cashflows for WooCommerce | 36 | 118 | 36 | 600 | Text Domain Mismatch | ||
| #699 | Simple SEO | 36 | 164 | 113 | 10k+ | Non Singular String Literal Domain | ||
| #700 | CLP – Custom Login Page by NiteoThemes | 36 | 240 | 49 | 700 | Output is not escaped |