WordPress.WP.AlternativeFunctions.file_system_operations_is_writable
file system operations is writable
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
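The three points above combined into one write routine, as an added example that is not taken from any plugin listed on this page. It assumes WordPress is loaded; the `myplugin_write_export` function, the `myplugin` uploads subdirectory and the error codes are hypothetical names.

```php
<?php
/**
 * Write a data file into the plugin's own folder under wp-content/uploads.
 *
 * @param string $filename Untrusted file name (e.g. from a request).
 * @param string $contents Data to store.
 * @return string|WP_Error Full path on success, WP_Error on failure.
 */
function myplugin_write_export( $filename, $contents ) {
	global $wp_filesystem;

	// Keep only the final path component and strip unsafe characters.
	$filename = sanitize_file_name( wp_basename( $filename ) );
	$ext      = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
	// Allowlist data formats only, so PHP is never written to disk.
	if ( ! in_array( $ext, array( 'json', 'csv', 'txt' ), true ) ) {
		return new WP_Error( 'myplugin_bad_type', 'Only data files may be written.' );
	}

	require_once ABSPATH . 'wp-admin/includes/file.php';
	// WP_Filesystem() returns false when the host needs FTP/SSH credentials.
	// Fail closed instead of falling back to fopen()/fwrite().
	if ( ! WP_Filesystem() ) {
		return new WP_Error( 'myplugin_fs_unavailable', 'Filesystem API could not be initialised.' );
	}

	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_no_uploads', $uploads['error'] );
	}
	$base   = wp_normalize_path( trailingslashit( $uploads['basedir'] ) . 'myplugin/' );
	$target = wp_normalize_path( $base . $filename );

	// Containment check: the final path must stay inside the plugin folder.
	if ( 0 !== strpos( $target, $base ) ) {
		return new WP_Error( 'myplugin_bad_path', 'Path escapes the plugin directory.' );
	}
	if ( ! $wp_filesystem->is_dir( $base ) && ! wp_mkdir_p( $base ) ) {
		return new WP_Error( 'myplugin_mkdir_failed', 'Could not create the plugin directory.' );
	}
	// Replaces a raw is_writable() call with the transport-aware check.
	if ( ! $wp_filesystem->is_writable( $base ) ) {
		return new WP_Error( 'myplugin_not_writable', 'Plugin directory is not writable.' );
	}
	if ( ! $wp_filesystem->put_contents( $target, $contents, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write_failed', 'Could not write the file.' );
	}
	return $target;
}
```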
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #351 | FG PrestaShop to WooCommerce | 26 | 254 | 94 | 900 | | | Unsafe printing function |
| #352 | FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) | 26 | 591 | 416 | 2k+ | | | Exception output is not escaped |
| #353 | Translate WordPress – Google Language Translator | 26 | 200 | 317 | 100k+ | | | Non-prefixed global variable |
| #354 | GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites | 26 | 284 | 216 | 500 | | | badly named files |
| #355 | Media File Renamer: Rename for better SEO (AI-Powered) | 26 | 151 | 170 | 40k+ | | | Direct Query |
| #356 | Open User Map – Interactive Leaflet Maps | 26 | 893 | 986 | 10k+ | | | Non-prefixed global variable |
| #357 | Tag Groups is the Advanced Way to Display Your Taxonomy Terms | 26 | 351 | 232 | 3k+ | | | Unsafe printing function |
| #358 | URL Image Importer | 26 | 142 | 239 | 700 | | | Missing nonce verification |
| #359 | User Avatar | 26 | 104 | 173 | 4k+ | | | Non-prefixed constant |
| #360 | Visitors Online by BestWebSoft | 26 | 512 | 269 | 1k+ | | | Text Domain Mismatch |
| #361 | Faktur Pro for WooCommerce | 26 | 416 | 218 | 1k+ | | | Text Domain Mismatch |
| #362 | Apollo13 Framework Extensions | 27 | 171 | 273 | 20k+ | | | Non-prefixed global variable |
| #363 | Custom Scrollbar | 27 | 184 | 191 | 2k+ | | | Output is not escaped |
| #364 | FG Joomla to WordPress | 27 | 278 | 101 | 7k+ | | | Unsafe printing function |
| #365 | Foxtool All-in-One: Contact chat button, Custom login, Media optimize images | 27 | 1,629 | 360 | 7k+ | | | Unsafe printing function |
| #366 | Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin | 27 | 213 | 495 | 2k+ | | | Non-prefixed global variable |
| #367 | ImageRecycle pdf & image compression | 27 | 329 | 204 | 1k+ | | | Text Domain Mismatch |
| #368 | MW WP Form | 27 | 334 | 219 | 200k+ | | | Output is not escaped |
| #369 | picu – Online Photo Proofing Gallery | 27 | 613 | 322 | 2k+ | | | Output is not escaped |
| #370 | Quick Paypal Payments | 27 | 101 | 303 | 1k+ | | | Non-prefixed function |
| #371 | Ultimate Watermark – Image Watermark, Image Protection & Bulk Watermarking | 27 | 164 | 303 | 1k+ | | | Nonce verification recommended |
| #372 | Mihdan: Ajax Edit Comments | 27 | 1,300 | 523 | 500 | | | Text Domain Mismatch |
| #373 | Content Pilot – Autoblogging & Affiliate Marketing Suite | 27 | 299 | 269 | 900 | | | Output is not escaped |
| #374 | WP-DBManager | 27 | 386 | 304 | 60k+ | | | Non-prefixed global variable |
| #375 | WP Hide & Security Enhancer | 27 | 124 | 375 | 50k+ | | | Input is not sanitized |
| #376 | wp-mpdf | 27 | 123 | 382 | 1k+ | | | Non-prefixed global variable |
| #377 | Redirection for Contact Form 7 | 27 | 34 | 374 | 200k+ | | | Non-prefixed global variable |
| #378 | YARPP – Yet Another Related Posts Plugin | 27 | 191 | 331 | 100k+ | | | Non-prefixed global variable |
| #379 | Zorem Local Pickup | 28 | 375 | 400 | 3k+ | | | Text Domain Mismatch |
| #380 | Reviews and Rating – Google Reviews | 28 | 343 | 219 | 20k+ | | | Text Domain Mismatch |
| #381 | GTmetrix for WordPress | 28 | 109 | 70 | 8k+ | | | Output is not escaped |
| #382 | PHP Browser Detection | 28 | 68 | 49 | 600 | | | Non-prefixed function |
| #383 | Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery | 28 | 143 | 258 | 5k+ | | | Post Not In exclude |
| #384 | Autopay | 28 | 755 | 312 | 3k+ | | | Text Domain Mismatch |
| #385 | Transliterator – Multilingual and Multi-script Text Conversion | 28 | 305 | 320 | 3k+ | | | Output is not escaped |
| #386 | Jetpack VaultPress | 28 | 71 | 362 | 10k+ | | | Missing nonce verification |
| #387 | Dynamic Product Gallery for WooCommerce | 28 | 414 | 303 | 1k+ | | | Output is not escaped |
| #388 | Email Inquiry & Cart Options for WooCommerce | 28 | 194 | 291 | 800 | | | Output is not escaped |
| #389 | Product Sort and Display for WooCommerce | 28 | 199 | 235 | 2k+ | | | Output is not escaped |
| #390 | WP YouTube Lyte | 28 | 204 | 178 | 30k+ | | | Non-prefixed global variable |
| #391 | WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce | 28 | 174 | 226 | 5k+ | | | Output is not escaped |
| #392 | WPS Bidouille | 28 | 472 | 215 | 10k+ | | | Output is not escaped |
| #393 | WP Synchro – The Ultimate WordPress Migration Tool | 28 | 243 | 244 | 2k+ | | | Missing Translators Comment |
| #394 | AppPresser – Mobile App Framework | 29 | 262 | 214 | 1k+ | | | Text Domain Mismatch |
| #395 | CloudSecure WP Security | 29 | 74 | 350 | 100k+ | | | Request data is not unslashed |
| #396 | DoLogin Security | 29 | 312 | 305 | 7k+ | | | Output is not escaped |
| #397 | Interactive World Map | 29 | 684 | 341 | 1k+ | | | Text Domain Mismatch |
| #398 | Kits, Templates and Patterns | 29 | 380 | 91 | 5k+ | | | Text Domain Mismatch |
| #399 | Optimole – Optimize Images \| Convert WebP & AVIF \| CDN & Lazy Load \| Image Optimization | 29 | 80 | 162 | 200k+ | | | Nonce verification recommended |
| #400 | Page View Count | 29 | 108 | 247 | 10k+ | | | Dynamic hook name |