WordPress.WP.AlternativeFunctions.file_system_operations_is_writable
file system operations is writable
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
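The three fixes above combined in one helper, as an added example that is not code from Plugin Check or from any plugin listed on this page. The `myplugin_` prefix, the `myplugin-exports` directory and the CSV/JSON allow-list are assumptions made for illustration.

```php
<?php
/**
 * Added example: write a plugin-managed export file through WP_Filesystem.
 * The "myplugin" names and the allowed extensions are hypothetical.
 */
function myplugin_write_export( $filename, $contents ) {
	// Reduce caller input to a bare, sanitized file name (no directory parts).
	$filename = sanitize_file_name( wp_basename( $filename ) );
	// Allow-list of data formats only, so a .php file can never be written.
	$type = wp_check_filetype( $filename, array( 'csv' => 'text/csv', 'json' => 'application/json' ) );
	if ( '' === $filename || ! $type['ext'] ) {
		return new WP_Error( 'myplugin_bad_name', 'File type not allowed.' );
	}

	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', $uploads['error'] );
	}
	$dir    = trailingslashit( wp_normalize_path( $uploads['basedir'] ) ) . 'myplugin-exports/';
	$target = wp_normalize_path( $dir . $filename );

	// Containment check: the final path must still sit inside the plugin's directory.
	if ( 0 !== strpos( $target, $dir ) ) {
		return new WP_Error( 'myplugin_bad_path', 'Target is outside the export directory.' );
	}

	// Initialise the WordPress filesystem API instead of calling fopen()/is_writable() directly.
	require_once ABSPATH . 'wp-admin/includes/file.php';
	global $wp_filesystem;
	if ( ! WP_Filesystem() ) {
		// Happens when the host needs FTP/SSH credentials that are not available here.
		return new WP_Error( 'myplugin_fs', 'Filesystem API could not be initialised.' );
	}

	if ( ! $wp_filesystem->is_dir( $dir ) && ! wp_mkdir_p( $dir ) ) {
		return new WP_Error( 'myplugin_mkdir', 'Could not create the export directory.' );
	}
	// This call replaces the raw is_writable() that the rule flags.
	if ( ! $wp_filesystem->is_writable( $dir ) ) {
		return new WP_Error( 'myplugin_readonly', 'Export directory is not writable.' );
	}
	if ( ! $wp_filesystem->put_contents( $target, $contents, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write', 'Write failed.' );
	}
	return $target;
}
```

The function returns the written path on success and a `WP_Error` otherwise, so callers should check the result with `is_wp_error()`.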
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #151 | MasterStudy LMS WordPress Plugin – for Online Courses and Education | 23 | 1,419 | 4,875 | 10k+ | | | Non-prefixed global variable |
| #152 | Media Library Assistant | 23 | 1,144 | 3,943 | 70k+ | | | Nonce verification recommended |
| #153 | MPG – Multiple Page Generator, Bulk Landing Pages & Programmatic SEO | 23 | 488 | 580 | 2k+ | | | Missing nonce verification |
| #154 | Next Active Directory Integration | 23 | 683 | 284 | 2k+ | | | Exception output is not escaped |
| #155 | NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization | 23 | 315 | 631 | 100k+ | | | Output is not escaped |
| #156 | Pagination Styler for WooCommerce | 23 | 811 | 445 | 1k+ | | | Output is not escaped |
| #157 | Patchstack – WordPress & Plugins Security | 23 | 107 | 489 | 40k+ | | | Missing nonce verification |
| #158 | Postie | 23 | 407 | 261 | 10k+ | | | Output is not escaped |
| #159 | PowerPress Podcasting plugin by Blubrry | 23 | 4,807 | 2,394 | 20k+ | | | Output is not escaped |
| #160 | Pricing Table by Supsystic | 23 | 1,299 | 447 | 10k+ | | | Non Singular String Literal Domain |
| #161 | Product Watermark for WooCommerce | 23 | 696 | 457 | 2k+ | | | Output is not escaped |
| #162 | Real 3D Flipbook – 3D FlipBook, PDF FlipBook, PDF Viewer, PDF Embedder | 23 | 856 | 1,365 | 10k+ | | | Non-prefixed global variable |
| #163 | Robo Gallery – Photo & Image Slider | 23 | 1,291 | 530 | 40k+ | | | Output is not escaped |
| #164 | Manago AI & Leadoo AI | 23 | 644 | 429 | 1k+ | | | Unsafe printing function |
| #165 | Seraphinite Post .DOCX Source | 23 | 1,156 | 110 | 900 | | | Output is not escaped |
| #166 | Local Google Analytics for WordPress – caches external requests | 23 | 551 | 199 | 3k+ | | | Output is not escaped |
| #167 | Slider Hero with Video Background, Animation | 23 | 1,565 | 1,253 | 3k+ | | | Text Domain Mismatch |
| #168 | Smart Slider 3 | 23 | 261 | 268 | 800k+ | | | Non-prefixed global variable |
| #169 | SiteOrigin Widgets Bundle | 23 | 607 | 455 | 400k+ | | | Output is not escaped |
| #170 | Strong Testimonials | 23 | 192 | 393 | 90k+ | | | Nonce verification recommended |
| #171 | The Events Calendar | 23 | 3,511 | 3,851 | 700k+ | | | Text Domain Mismatch |
| #172 | Travelpayouts | 23 | 769 | 110 | 6k+ | | | Output is not escaped |
| #173 | Product Options and Price Calculation Formulas for WooCommerce – Uni CPO | 23 | 2,514 | 1,929 | 1k+ | | | Output is not escaped |
| #174 | UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP | 23 | 695 | 2,434 | 20k+ | | | Non-prefixed hook name |
| #175 | W3 Total Cache | 23 | 307 | 678 | 900k+ | | | Non-prefixed global variable |
| #176 | Cart PDF for WooCommerce | 23 | 531 | 172 | 1k+ | | | Exception output is not escaped |
| #177 | WHMCS Bridge | 23 | 247 | 472 | 4k+ | | | Nonce verification recommended |
| #178 | Predictive Search for WooCommerce | 23 | 530 | 644 | 700 | | | Output is not escaped |
| #179 | Worth The Read | 23 | 873 | 138 | 3k+ | | | Text Domain Mismatch |
| #180 | WP BackItUp Community Edition | 23 | 257 | 989 | 6k+ | | | Non-prefixed global variable |
| #181 | Clone | 23 | 244 | 262 | 40k+ | | | Output is not escaped |
| #182 | WP Editor | 23 | 502 | 335 | 20k+ | | | Unsafe printing function |
| #183 | WP-Lister Lite for Amazon | 23 | 3,061 | 4,177 | 800 | | | Output is not escaped |
| #184 | WP Migrate Lite – Migration Made Easy | 23 | 368 | 254 | 200k+ | | | Exception output is not escaped |
| #185 | Shield Security – Smart Bot Blocking, Brute-Force Login Protection & File Scanning | 23 | 1,118 | 202 | 40k+ | | | Missing Translators Comment |
| #186 | WP STAGING – WordPress Backup, Migration, Clone & Duplicate | 23 | 1,489 | 1,549 | 100k+ | | | Non-prefixed global variable |
| #187 | WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel | 23 | 1,119 | 3,516 | 20k+ | | | Interpolated SQL is not prepared |
| #188 | Comments – wpDiscuz | 23 | 620 | 1,180 | 70k+ | | | Non-prefixed global variable |
| #189 | Photo Engine (Media Organizer & Lightroom) | 23 | 252 | 650 | 2k+ | | | Direct Query |
| #190 | Yatra – Travel Booking & Tour Operator Software | 23 | 2,211 | 3,994 | 600 | | | Non-prefixed global variable |
| #191 | Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress | 23 | 2,317 | 1,714 | 5k+ | | | Output is not escaped |
| #192 | 404 Solution | 24 | 486 | 1,338 | 10k+ | | | Non-prefixed class |
| #193 | A2 Optimized WP – Turbocharge and secure your WordPress site | 24 | 271 | 231 | 60k+ | | | Missing Arg Domain |
| #194 | AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress | 24 | 5,230 | 1,464 | 7k+ | | | Output is not escaped |
| #195 | Ad Inserter – Ad Manager & AdSense Ads | 24 | 4,241 | 811 | 300k+ | | | Output is not escaped |
| #196 | Advanced Contact form 7 DB | 24 | 764 | 1,960 | 70k+ | | | Non-prefixed global variable |
| #197 | All-In-One Security (AIOS) – Security and Firewall | 24 | 552 | 1,228 | 1m+ | | | Non-prefixed global variable |
| #198 | Auto-Install Free SSL – Generate & Install Free SSL Certificates | 24 | 991 | 1,495 | 8k+ | | | Non-prefixed global variable |
| #199 | Backuply – Backup, Restore, Migrate and Clone | 24 | 704 | 551 | 700k+ | | | Non-prefixed global variable |
| #200 | Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) | 24 | 1,837 | 1,063 | 1k+ | | | Text Domain Mismatch |