WordPress.WP.AlternativeFunctions.file_system_operations_is_writable
file system operations is writable
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
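The three fixes above in one function, as an added example that is not taken from Plugin Check or any listed plugin. `myplugin_write_export()`, the `myplugin/` directory and the extension allowlist are hypothetical, and the local uploads path is assumed to be valid for the active filesystem transport.

```php
<?php
/**
 * Added example: write a data file into a plugin-owned uploads directory
 * through WP_Filesystem. All `myplugin` names are hypothetical.
 */
function myplugin_write_export( $filename, $contents ) {
	global $wp_filesystem;

	// Load and initialise the WordPress filesystem abstraction.
	require_once ABSPATH . 'wp-admin/includes/file.php';
	if ( ! WP_Filesystem() || ! $wp_filesystem ) {
		return new WP_Error( 'myplugin_fs_unavailable', 'Filesystem could not be initialised.' );
	}

	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_no_uploads', $uploads['error'] );
	}

	// Keep every write inside one directory owned by the plugin.
	$dir = trailingslashit( $uploads['basedir'] ) . 'myplugin/';
	if ( ! $wp_filesystem->is_dir( $dir ) && ! $wp_filesystem->mkdir( $dir, FS_CHMOD_DIR ) ) {
		return new WP_Error( 'myplugin_mkdir_failed', 'Could not create the export directory.' );
	}

	// Reduce the caller-supplied name to a bare file name, which drops any
	// directory components, then allow data extensions only (never .php).
	$name = sanitize_file_name( wp_basename( $filename ) );
	$ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
	if ( '' === $name || ! in_array( $ext, array( 'csv', 'json', 'txt' ), true ) ) {
		return new WP_Error( 'myplugin_bad_name', 'File name or extension is not allowed.' );
	}

	// Replaces the raw is_writable( $dir ) call that this rule flags.
	if ( ! $wp_filesystem->is_writable( $dir ) ) {
		return new WP_Error( 'myplugin_not_writable', 'Export directory is not writable.' );
	}

	// Replaces fopen()/fwrite()/chmod() with a single helper call.
	if ( ! $wp_filesystem->put_contents( $dir . $name, $contents, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write_failed', 'Could not write the export file.' );
	}

	return $dir . $name;
}
```

Callers should test the return value with `is_wp_error()` before using the path.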
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #401 | Element Invader – Template Kits for Elementor | 30 | 274 | 130 | 3k+ | | | Output is not escaped |
| #402 | Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant | 30 | 264 | 221 | 4k+ | | | Non Singular String Literal Text |
| #403 | Invisible reCaptcha for WordPress | 30 | 90 | 185 | 80k+ | | | Input is not sanitized |
| #404 | Pubjet \| پابجت | 30 | 91 | 172 | 1k+ | | | Output is not escaped |
| #405 | SmartCrawl SEO checker, analyzer & optimizer | 30 | 347 | 1,307 | 20k+ | | | Non-prefixed global variable |
| #406 | Taboola | 30 | 89 | 147 | 1k+ | | | Output is not escaped |
| #407 | Travelers' Map | 30 | 311 | 155 | 1k+ | | | Output is not escaped |
| #408 | Urvanov Syntax Highlighter | 30 | 221 | 87 | 3k+ | | | Output is not escaped |
| #409 | Photo Gallery Slideshow & Masonry Tiled Gallery | 30 | 806 | 352 | 1k+ | | | Output is not escaped |
| #410 | a3 Lazy Load | 31 | 83 | 240 | 90k+ | | | Dynamic hook name |
| #411 | AEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image Optimization | 31 | 91 | 133 | 2k+ | | | Output is not escaped |
| #412 | Better Robots.txt – AI-Ready Crawl Control & Bot Governance | 31 | 90 | 85 | 6k+ | | | Text Domain Mismatch |
| #413 | Co-marquage service-public.fr | 31 | 84 | 213 | 1k+ | | | Non-prefixed global variable |
| #414 | FraudLabs Pro for WooCommerce | 31 | 169 | 213 | 1k+ | | | Request data is not unslashed |
| #415 | g-FFL Checkout | 31 | 249 | 300 | 600 | | | Request data is not unslashed |
| #416 | HFD ePost Integration | 31 | 186 | 110 | 1k+ | | | Text Domain Mismatch |
| #417 | Kindeditor For WordPress | 31 | 63 | 130 | 500 | | | Non-prefixed global variable |
| #418 | Linguise – AI Automatic Multilingual Translation | 31 | 61 | 280 | 1k+ | | | Non-prefixed global variable |
| #419 | MainWP Dashboard: Self-hosted WordPress Management for Agencies | 31 | 95 | 317 | 20k+ | | | Interpolated SQL is not prepared |
| #420 | Pop-up | 31 | 103 | 91 | 10k+ | | | Output is not escaped |
| #421 | SpeedyCache – Cache, Optimization, Performance | 31 | 65 | 118 | 600k+ | | | Input is not validated |
| #422 | Staatic – Static Site Generator for WordPress | 31 | 420 | 195 | 2k+ | | | SQL query is not prepared |
| #423 | Big File Uploads – Increase Maximum File Upload Size | 31 | 101 | 92 | 100k+ | | | Output is not escaped |
| #424 | User Spam Remover | 31 | 115 | 14 | 1k+ | | | Output is not escaped |
| #425 | Speed Kit | 32 | 296 | 73 | 2k+ | | | Output is not escaped |
| #426 | Child Theme Configurator | 32 | 442 | 267 | 300k+ | | | Unsafe printing function |
| #427 | Contact Form Block | 32 | 64 | 77 | 500 | | | Non Singular String Literal Domain |
| #428 | CSV Import and Exporter | 32 | 83 | 138 | 1k+ | | | Non-prefixed global variable |
| #429 | Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages | 32 | 53 | 773 | 9k+ | | | Nonce verification recommended |
| #430 | ThumbPress – Compress Images, Manage Thumbnails, Detect Image Issues, WebP/AVIF, Lazy Loading, Hotlinking & More | 32 | 101 | 308 | 30k+ | | | Non-prefixed global variable |
| #431 | Responsive Filterable Portfolio Gallery – Media Grid & Video Portfolio | 32 | 436 | 163 | 1k+ | | | Output is not escaped |
| #432 | System Dashboard | 32 | 91 | 205 | 1k+ | | | Request data is not unslashed |
| #433 | Activity Plus Reloaded for BuddyPress | 33 | 88 | 93 | 1k+ | | | Output is not escaped |
| #434 | Cargus | 33 | 48 | 64 | 700 | | | Input is not sanitized |
| #435 | Companion Sitemap Generator – Simple, Smart, and SEO-Ready | 33 | 118 | 57 | 7k+ | | | Missing Translators Comment |
| #436 | Membership For WooCommerce | 33 | 40 | 658 | 900 | | | Non-prefixed global variable |
| #437 | Rename wp-login.php to anything you want | 33 | 251 | 117 | 500 | | | Output is not escaped |
| #438 | Pay. Payment Methods for WooCommerce | 33 | 316 | 104 | 3k+ | | | Non Singular String Literal Domain |
| #439 | PDF Invoices Italian Add-on for WooCommerce | 33 | 325 | 200 | 5k+ | | | Non Singular String Literal Domain |
| #440 | EasyMedia – Increase Media Upload File Size \| Role-Based Upload Limit \| Increase Execution Time | 33 | 82 | 138 | 70k+ | | | Non-prefixed global variable |
| #441 | XML Sitemaps | 33 | 65 | 62 | 2k+ | | | Output is not escaped |
| #442 | All-in-One WP Migration and Backup | 34 | 47 | 69 | 5m+ | | | Missing nonce verification |
| #443 | Debug Log Manager Tool | 34 | 44 | 143 | 3k+ | | | Nonce verification recommended |
| #444 | Export Customers Data | 34 | 109 | 49 | 500 | | | Text Domain Mismatch |
| #445 | FV Gravatar Cache | 34 | 50 | 42 | 700 | | | Output is not escaped |
| #446 | Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program | 34 | 131 | 352 | 600 | | | Missing nonce verification |
| #447 | Media Vault | 34 | 115 | 150 | 800 | | | Output is not escaped |
| #448 | NextGEN Gallery Optimizer | 34 | 128 | 92 | 2k+ | | | Output is not escaped |
| #449 | PushEngage – Web Push Notifications, WooCommerce Automation & Chat Widget | 34 | 46 | 298 | 9k+ | | | Missing nonce verification |
| #450 | Shift8 CDN | 34 | 81 | 25 | 600 | | | Output is not escaped |