WordPress.WP.AlternativeFunctions.file_system_operations_is_writable
file system operations is writable
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
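The three fixes above combined in one helper, as an added example that is not taken from any plugin listed on this page. The `myplugin_` prefix, the `myplugin-cache` directory, and the `.json` extension allowlist are assumptions chosen for illustration.

```php
<?php
/**
 * Added example: write a plugin-managed file through WP_Filesystem.
 * `myplugin_` and `myplugin-cache` are hypothetical names.
 */
function myplugin_write_cache_file( $name, $contents ) {
	global $wp_filesystem;

	// Initialise the filesystem API instead of calling fopen()/is_writable() directly.
	require_once ABSPATH . 'wp-admin/includes/file.php';
	if ( ! WP_Filesystem() ) {
		return new WP_Error( 'myplugin_fs_init', 'Filesystem API could not be initialised.' );
	}

	// Fixed base directory inside uploads; never derived from request data.
	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', $uploads['error'] );
	}
	$base = trailingslashit( wp_normalize_path( $uploads['basedir'] ) ) . 'myplugin-cache/';

	// Strip any directory part (blocks ../ traversal) and sanitise the file name.
	$file = sanitize_file_name( wp_basename( $name ) );

	// Allow only a non-executable extension so the helper can never write PHP.
	if ( '' === $file || 'json' !== strtolower( pathinfo( $file, PATHINFO_EXTENSION ) ) ) {
		return new WP_Error( 'myplugin_bad_name', 'Only .json file names are accepted.' );
	}

	if ( ! $wp_filesystem->is_dir( $base ) && ! wp_mkdir_p( $base ) ) {
		return new WP_Error( 'myplugin_mkdir', 'Cache directory could not be created.' );
	}

	// The replacement for PHP's is_writable(): ask the active transport.
	if ( ! $wp_filesystem->is_writable( $base ) ) {
		return new WP_Error( 'myplugin_not_writable', 'Cache directory is not writable.' );
	}

	$target = $base . $file;
	if ( ! $wp_filesystem->put_contents( $target, $contents, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write', 'Cache file could not be written.' );
	}

	return $target;
}
```

On FTP or SSH transports the absolute path may differ from the path the transport sees; `$wp_filesystem->find_folder()` translates it.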
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #501 | Just TinyMCE Custom Styles | 36 | 112 | 28 | 1k+ | Missing Arg Domain |
| #502 | We’re Open! | 36 | 273 | 187 | 5k+ | Unsafe printing function |
| #503 | Search & Replace | 36 | 50 | 53 | 100k+ | Missing nonce verification |
| #504 | Shadowbox JS | 36 | 246 | 14 | 1k+ | Unsafe printing function |
| #505 | Rabo Smart Pay for WooCommerce | 36 | 147 | 54 | 600 | Text Domain Mismatch |
| #506 | WP LaTeX | 36 | 103 | 12 | 700 | Output is not escaped |
| #507 | WP Hardening (discontinued) | 36 | 230 | 85 | 10k+ | Text Domain Mismatch |
| #508 | WPAvatar | 36 | 425 | 45 | 700 | Unsafe printing function |
| #509 | Wppao Sitemap | 36 | 128 | 21 | 9k+ | Output is not escaped |
| #510 | Adaptive Images for WordPress | 37 | 51 | 75 | 3k+ | Output is not escaped |
| #511 | Analytics Spam Blocker | 37 | 76 | 22 | 800 | Unsafe printing function |
| #512 | Async JavaScript | 37 | 357 | 79 | 70k+ | Unsafe printing function |
| #513 | CDEKDelivery | 37 | 98 | 75 | 2k+ | Exception output is not escaped |
| #514 | Debug Log Viewer | 37 | 26 | 83 | 1k+ | Missing nonce verification |
| #515 | Easy Testimonial Slider and Form | 37 | 14 | 144 | 700 | Request data is not unslashed |
| #516 | JVM Rich Text Icons | 37 | 87 | 34 | 3k+ | Output is not escaped |
| #517 | Lightbox with PhotoSwipe | 37 | 179 | 24 | 20k+ | Output is not escaped |
| #518 | Phoenix Media Rename | 37 | 175 | 104 | 50k+ | Output is not escaped |
| #519 | POEditor | 37 | 78 | 140 | 500 | Output is not escaped |
| #520 | Sensei LMS Certificates | 37 | 97 | 362 | 4k+ | Non-prefixed global variable |
| #521 | Simple Image XML Sitemap | 37 | 119 | 16 | 1k+ | Output is not escaped |
| #522 | Website Pop-up Builder by BDOW! (formerly Sumo): Pop-ups + forms for email opt-ins and lead generation | 37 | 42 | 33 | 10k+ | Output is not escaped |
| #523 | Special Text Boxes | 37 | 38 | 42 | 2k+ | Direct Query |
| #524 | Car Route Planner Plugin | 38 | 135 | 17 | 400 | Output is not escaped |
| #525 | Clever Mega Menu for Elementor | 38 | 835 | 44 | 1k+ | Output is not escaped |
| #526 | ThumbPress – Compress Images, Manage Thumbnails, Detect Image Issues, WebP/AVIF, Lazy Loading, Hotlinking & More | 38 | 21 | 88 | 30k+ | Direct Query |
| #527 | Monetag Official Plugin | 38 | 133 | 32 | 5k+ | Text Domain Mismatch |
| #528 | SCSS WP Editor | 38 | 111 | 40 | 900 | Exception output is not escaped |
| #529 | Author Image | 38 | 51 | 33 | 1k+ | Output is not escaped |
| #530 | Blogger Importer Extended | 39 | 55 | 45 | 4k+ | Output is not escaped |
| #531 | Prisna GWT – Google Website Translator | 39 | 117 | 77 | 8k+ | Text Domain Mismatch |
| #532 | PO/MO Editor | 39 | 106 | 45 | 1k+ | Unsafe printing function |
| #533 | WPEPP – Essential Security, Password Protect & Login Page Customizer | 39 | 34 | 29 | 3k+ | Unsupported Identifier Placeholder |
| #534 | WP Performance Score Booster – Optimize Speed, Enable Cache & Page Preload | 39 | 59 | 27 | 10k+ | Unsafe printing function |
| #535 | Complete Image Sitemap | 40 | 55 | 18 | 1k+ | Output is not escaped |
| #536 | Serviceform Pixel | 40 | 18 | 22 | 400 | Output is not escaped |
| #537 | Heroic Favicon Generator | 41 | 104 | 7 | 6k+ | Output is not escaped |
| #538 | MaxLimits – Increase Maximum Upload, Post & PHP Limits | 41 | 99 | 16 | 2k+ | Unsafe printing function |
| #539 | Simple Cache | 41 | 33 | 59 | 1k+ | Input is not sanitized |
| #540 | Gelato Integration for WooCommerce | 42 | 36 | 32 | 5k+ | Output is not escaped |
| #541 | WP QuickLaTeX | 42 | 41 | 60 | 4k+ | Non-prefixed global variable |
| #542 | Automatic Responsive Tables | 43 | 67 | 15 | 1k+ | Output is not escaped |
| #543 | 404 Image Redirection (Replace Broken Images) | 47 | 118 | 85 | 500 | Text Domain Mismatch |
| #544 | EasyFonts – Host Google Fonts Locally, Fast & Auto-Optimize, GDPR Compliant | 47 | 5 | 58 | 1k+ | Interpolated SQL is not prepared |
| #545 | The Tribal Plugin | 47 | 43 | 62 | 800 | Non-prefixed function |
| #546 | iControlWP | 47 | 45 | 59 | 1k+ | Missing direct file access protection |
| #547 | Advanced Automatic Updates | 49 | 26 | 25 | 20k+ | Nonce verification recommended |
| #548 | SpinupWP | 49 | 43 | 38 | 30k+ | Non-prefixed function |
| #549 | PDF Invoices & Packing Slips for WooCommerce – Challan | 49 | 56 | 151 | 4k+ | Non-prefixed global variable |
| #550 | File Manager | 50 | 42 | 72 | 10k+ | Missing direct file access protection |