WordPress.WP.AlternativeFunctions.file_system_operations_fwrite
file system operations fwrite
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
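The three points above combined in one helper, as an added example that is not code from Plugin Check or from any plugin listed on this page. The function name `myplugin_write_export`, the `myplugin` directory and the extension allowlist are hypothetical, and the code assumes the direct transport, where local paths are valid for `$wp_filesystem`.

```php
<?php
/**
 * Hypothetical helper: write plugin-generated data under uploads/myplugin/
 * through WP_Filesystem instead of fopen()/fwrite().
 */
function myplugin_write_export( $filename, $contents ) {
	global $wp_filesystem;

	// Load and initialise the filesystem abstraction.
	require_once ABSPATH . 'wp-admin/includes/file.php';
	if ( ! WP_Filesystem() ) {
		return new WP_Error( 'myplugin_fs', 'Filesystem credentials are not available.' );
	}

	// Reduce the name to a safe basename and allow data extensions only,
	// so the helper can never be used to drop a PHP file.
	$filename = sanitize_file_name( wp_basename( $filename ) );
	$ext      = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
	if ( ! in_array( $ext, array( 'json', 'csv', 'txt' ), true ) ) {
		return new WP_Error( 'myplugin_ext', 'File type is not allowed.' );
	}

	// Keep writes inside a directory the plugin owns under uploads.
	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', $uploads['error'] );
	}
	$dir = trailingslashit( $uploads['basedir'] ) . 'myplugin';
	if ( ! wp_mkdir_p( $dir ) ) {
		return new WP_Error( 'myplugin_mkdir', 'Could not create the plugin directory.' );
	}

	// Resolve symlinks and confirm the directory is still under uploads.
	$base = realpath( $uploads['basedir'] );
	$real = realpath( $dir );
	if ( ! $base || ! $real
		|| 0 !== strpos( wp_normalize_path( $real ), trailingslashit( wp_normalize_path( $base ) ) ) ) {
		return new WP_Error( 'myplugin_path', 'Resolved path is outside uploads.' );
	}

	$target = trailingslashit( $real ) . $filename;
	if ( ! $wp_filesystem->put_contents( $target, $contents, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write', 'Write failed.' );
	}
	return $target;
}
```

Callers should check the result with `is_wp_error()` before using the returned path.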
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #801 | Known Agents – Track AI Bots and Crawlers, Block Scrapers, Analyze LLM Referral Traffic | 57 | 37 | 12 | 1k+ | | | Setting is missing a sanitization callback |
| #802 | PDF invoice for WP ERP | 58 | 96 | 134 | 2k+ | | | Non-prefixed global variable |
| #803 | Videopack | 58 | 28 | 108 | 10k+ | | | Input is not sanitized |
| #804 | Surge | 60 | 46 | 47 | 4k+ | | | Non-prefixed global variable |
| #805 | WoowGallery | 60 | 15 | 178 | 1k+ | | | Non-prefixed global variable |
| #806 | Easy SSL Plugin for SAKURA Rental Server | 62 | 23 | 17 | 50k+ | | | Input is not sanitized |
| #807 | Include Klaviyo for Elementor pro | 63 | 60 | 10 | 2k+ | | | Missing Arg Domain |
| #808 | Admin CSS MU | 64 | 30 | 582 | 10k+ | | | Non-prefixed global variable |
| #809 | Embed Google Fonts | 64 | 28 | 7 | 5k+ | | | Output is not escaped |
| #810 | Яндекс.ПДС Пингер / Yandex Site search pinger | 64 | 21 | 5 | 800 | | | Output is not escaped |
| #811 | QRCode | 65 | 21 | 39 | 400 | | | Non-prefixed constant |
| #812 | WP-Farsi | 65 | 26 | 36 | 600 | | | Non-prefixed function |
| #813 | Affiliates Manager Google reCAPTCHA Integration | 67 | 18 | 10 | 400 | | | Request data is not unslashed |
| #814 | Meks Audio Player | 67 | 25 | 7 | 1k+ | | | Output is not escaped |
| #815 | Simple HTTPS | 67 | 17 | 13 | 400 | | | Output is not escaped |
| #816 | wp-Typography | 67 | 91 | 33 | 20k+ | | | Missing direct file access protection |
| #817 | Product Category Slider for WooCommerce | 68 | 21 | 104 | 800 | | | Non-prefixed hook name |
| #818 | In-feed ads for Google AdSense | 70 | 20 | 20 | 7k+ | | | Non-prefixed global variable |
| #819 | Show-Hide / Collapse-Expand | 70 | 18 | 15 | 10k+ | | | Missing direct file access protection |
| #820 | Bold Timeline Lite | 71 | 220 | 561 | 10k+ | | | Non-prefixed global variable |
| #821 | Nginx Helper | 71 | 47 | 60 | 200k+ | | | Non-prefixed global variable |
| #822 | WPWaterMark 轻水印插件 | 73 | 24 | 17 | 1k+ | | | Request data is not unslashed |
| #823 | reCAPTCHA for bbPress | 75 | 14 | 19 | 800 | | | Non-prefixed function |
| #824 | Cache External Scripts | 76 | 21 | 4 | 900 | | | Output is not escaped |
| #825 | WordPress REST API (Version 2) | 82 | 476 | 13 | 10k+ | | | Missing Arg Domain |
| #826 | Cachify | 84 | 9 | 36 | 9k+ | | | Non-prefixed global variable |
| #827 | Digital Signature For Contact Form 7 | 84 | 22 | 11 | 5k+ | | | file system operations fwrite |
| #828 | LegalBlink for Aruba | 91 | 33 | 29 | 7k+ | | | Missing direct file access protection |
| #829 | Snow Monkey Forms | 91 | 36 | 41 | 30k+ | | | Non-prefixed global variable |
| #830 | Speed Up – Browser Caching | 95 | 13 | 2 | 700 | | | file system operations is writable |
| #831 | Grow for WordPress | 96 | 7 | 5 | 10k+ | | | trademarked term |
| #832 | Stock Exporter for WooCommerce | 98 | 2 | 14 | 1k+ | | | Non-prefixed hook name |
| #833 | BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot | 99 | 1 | 1 | 30k+ | | | file system operations fwrite |