WordPress.WP.AlternativeFunctions.file_system_operations_is_writable
file system operations is writable
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
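The three fixes above combined in one helper, as an added example that is not code from Plugin Check or from any listed plugin. The function name `myplugin_write_export`, the `myplugin` uploads subdirectory, the error codes and the extension allowlist are assumptions chosen for illustration.

```php
<?php
/**
 * Store plugin-generated data under wp-content/uploads/myplugin/ through the
 * WordPress filesystem API. Function name and subdirectory are hypothetical.
 *
 * @param string $filename Caller-supplied file name (treated as untrusted).
 * @param string $contents Data to store; never executable PHP.
 * @return string|WP_Error Full path written, or an error.
 */
function myplugin_write_export( $filename, $contents ) {
	global $wp_filesystem;

	// Initialise the filesystem abstraction instead of calling fopen()/fwrite().
	require_once ABSPATH . 'wp-admin/includes/file.php';
	if ( ! WP_Filesystem() ) {
		return new WP_Error( 'myplugin_fs_unavailable', 'Filesystem could not be initialised.' );
	}

	// Reduce the untrusted name to a bare, sanitised file name: no directories, no "..".
	$filename = sanitize_file_name( wp_basename( $filename ) );

	// Allow only data extensions so this code path can never create a .php file.
	$allowed = array( 'csv' => 'text/csv', 'json' => 'application/json', 'txt' => 'text/plain' );
	$type    = wp_check_filetype( $filename, $allowed );
	if ( empty( $type['ext'] ) ) {
		return new WP_Error( 'myplugin_bad_type', 'File type is not allowed.' );
	}

	// Keep the write inside a plugin-owned directory under uploads.
	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_no_uploads', $uploads['error'] );
	}
	$dir = trailingslashit( $uploads['basedir'] ) . 'myplugin';
	if ( ! wp_mkdir_p( $dir ) ) {
		return new WP_Error( 'myplugin_mkdir_failed', 'Could not create the target directory.' );
	}

	// Replaces the raw is_writable() call this rule flags: ask the active transport.
	if ( ! $wp_filesystem->is_writable( $dir ) ) {
		return new WP_Error( 'myplugin_not_writable', 'Target directory is not writable.' );
	}

	$path = trailingslashit( $dir ) . $filename;
	if ( ! $wp_filesystem->put_contents( $path, $contents, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write_failed', 'Could not write the file.' );
	}
	return $path;
}
```

On hosts where WordPress cannot use the direct transport, `WP_Filesystem()` returns false without stored credentials, so the helper fails closed rather than falling back to raw PHP calls.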
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #451 | Debug Log Manager Tool | 34 | 44 | 143 | 3k+ | | | Nonce verification recommended |
| #452 | Export Customers Data | 34 | 109 | 49 | 500 | | | Text Domain Mismatch |
| #453 | FV Gravatar Cache | 34 | 50 | 42 | 700 | | | Output is not escaped |
| #454 | Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program | 34 | 131 | 352 | 600 | | | Missing nonce verification |
| #455 | Media Vault | 34 | 115 | 150 | 800 | | | Output is not escaped |
| #456 | NextGEN Gallery Optimizer | 34 | 128 | 92 | 2k+ | | | Output is not escaped |
| #457 | PushEngage – Web Push Notifications, WooCommerce Automation & Chat Widget | 34 | 46 | 298 | 9k+ | | | Missing nonce verification |
| #458 | Shift8 CDN | 34 | 81 | 25 | 600 | | | Output is not escaped |
| #459 | Weaver Xtreme Theme Support | 34 | 1,625 | 43 | 9k+ | | | Text Domain Mismatch |
| #460 | Email Template Designer – WP HTML Mail | 34 | 62 | 80 | 20k+ | | | badly named files |
| #461 | Thumbnail Slider With Lightbox | 34 | 244 | 141 | 700 | | | Output is not escaped |
| #462 | Thumbnail carousel slider | 34 | 277 | 143 | 2k+ | | | Output is not escaped |
| #463 | WP-SCSS | 34 | 269 | 13 | 40k+ | | | Exception output is not escaped |
| #464 | Vertical Image Slider | 34 | 264 | 138 | 1k+ | | | Output is not escaped |
| #465 | Xml Sitemap Generator | 34 | 72 | 47 | 400 | | | SQL query is not prepared |
| #466 | Zero Spam for WordPress | 34 | 79 | 393 | 20k+ | | | Non-prefixed global variable |
| #467 | Abandoned Checkout Recovery & Order Notifications for WooCommerce | 35 | 108 | 77 | 800 | | | Text Domain Mismatch |
| #468 | Brightcove Video Connect | 35 | 580 | 235 | 600 | | | Text Domain Mismatch |
| #469 | Brozzme DB Prefix & Tools Addons | 35 | 24 | 42 | 10k+ | | | Request data is not unslashed |
| #470 | Cache Enabler | 35 | 44 | 75 | 90k+ | | | Input is not sanitized |
| #471 | Disable XML-RPC-API | 35 | 444 | 52 | 100k+ | | | Text Domain Mismatch |
| #472 | EWWW Image Optimizer | 35 | 225 | 729 | 1m+ | | | Direct Query |
| #473 | Full Width Banner Slider Wp | 35 | 239 | 140 | 2k+ | | | Output is not escaped |
| #474 | Imsanity | 35 | 32 | 29 | 200k+ | | | Direct Query |
| #475 | Lenix scss compiler | 35 | 133 | 34 | 800 | | | Exception output is not escaped |
| #476 | Less PHP Compiler | 35 | 163 | 47 | 3k+ | | | Exception output is not escaped |
| #477 | OPcache Reset | 35 | 9 | 7 | 400 | | | Non-prefixed function |
| #478 | Page Optimize | 35 | 70 | 41 | 200k+ | | | Non Singular String Literal Domain |
| #479 | Push Notifications by LaraPush | 35 | 32 | 76 | 4k+ | | | Non-prefixed global variable |
| #480 | ReviewX – Multi-Criteria Reviews for WooCommerce with Google Reviews & Schema | 35 | 10 | 1 | 7k+ | | | Missing direct file access protection |
| #481 | Security Optimizer – The All-In-One Protection Plugin | 35 | 40 | 82 | 1m+ | | | Request data is not unslashed |
| #482 | Simple History – Track, Log, and Audit WordPress Changes | 35 | 32 | 122 | 300k+ | | | Non-prefixed global variable |
| #483 | Solid Performance – Your No-Code Caching, Performance, & Page Speed Solution | 35 | 75 | 61 | 4k+ | | | Exception output is not escaped |
| #484 | Square Thumbnails | 35 | 43 | 317 | 800 | | | error log error log |
| #485 | Starter Sites & Templates by Neve | 35 | 28 | 88 | 100k+ | | | Non-prefixed hook name |
| #486 | Termageddon: Cookie Consent & Privacy Compliance | 35 | 28 | 13 | 7k+ | | | Exception output is not escaped |
| #487 | Video Grid | 35 | 253 | 106 | 1k+ | | | Output is not escaped |
| #488 | Video Gallery | 35 | 336 | 178 | 600 | | | Output is not escaped |
| #489 | Converter for Media – Optimize images \| Convert WebP & AVIF | 35 | 133 | 53 | 500k+ | | | curl curl setopt |
| #490 | Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing | 35 | 49 | 230 | 50k+ | | | Non-prefixed hook name |
| #491 | WP Geo | 35 | 180 | 84 | 900 | | | Output is not escaped |
| #492 | WP GPX Maps | 35 | 27 | 100 | 4k+ | | | Non-prefixed global variable |
| #493 | WPGraphQL | 35 | 10 | 86 | 30k+ | | | Non-prefixed hook name |
| #494 | video carousel slider with lightbox | 35 | 350 | 136 | 1k+ | | | Output is not escaped |
| #495 | Cashflows for WooCommerce | 36 | 118 | 36 | 600 | | | Text Domain Mismatch |
| #496 | Constant Contact Forms | 36 | 39 | 89 | 20k+ | | | Missing nonce verification |
| #497 | Continuous Image Carousel With Lightbox | 36 | 255 | 129 | 1k+ | | | Output is not escaped |
| #498 | Custom PHP Settings | 36 | 153 | 76 | 10k+ | | | Output is not escaped |
| #499 | Dashboard Widgets Suite | 36 | 206 | 124 | 4k+ | | | Output is not escaped |
| #500 | Export Variable Products | 36 | 79 | 49 | 400 | | | Text Domain Mismatch |