WordPress.WP.AlternativeFunctions.file_system_operations_mkdir
file system operations mkdir
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #451 | CSV Import and Exporter | 32 | 83 | 138 | 1k+ | Non-prefixed global variable | ||
| #452 | Enter Addons – Ultimate Template Builder for Elementor | 32 | 82 | 72 | 1k+ | Output is not escaped | ||
| #453 | DEPRECATED – Shipmondo – A complete shipping solution for WooCommerce | 32 | 166 | 119 | 5k+ | Output is not escaped | ||
| #454 | Revolut Gateway for WooCommerce | 32 | 85 | 157 | 6k+ | Input is not sanitized | ||
| #455 | Shariff Wrapper | 32 | 33 | 404 | 30k+ | Non-prefixed global variable | ||
| #456 | System Dashboard | 32 | 91 | 205 | 900 | Request data is not unslashed | ||
| #457 | Thrive Automator | 32 | 84 | 84 | 10k+ | SQL query is not prepared | ||
| #458 | Tumult Hype Animations | 32 | 56 | 117 | 1k+ | Output is not escaped | ||
| #459 | Easy 3D Viewer | 32 | 399 | 241 | 1k+ | Text Domain Mismatch | ||
| #460 | WP Weixin | 32 | 60 | 152 | 400 | Non-prefixed constant | ||
| #461 | Cargus | 33 | 48 | 64 | 700 | Input is not sanitized | ||
| #462 | Contact List – Online Staff Directory & Address Book | 33 | 118 | 342 | 1k+ | Nonce verification recommended | ||
| #463 | Device Detector | 33 | 209 | 112 | 600 | Output is not escaped | ||
| #464 | EchBay Phonering Alo | 33 | 74 | 47 | 1k+ | Output is not escaped | ||
| #465 | FastPixel Cache – Optimize Page Speed: Compress Images, Minify, Clean Database & CDN | 33 | 51 | 333 | 4k+ | Request data is not unslashed | ||
| #466 | ImageLinks – Interactive Image Builder with Hotspots | 33 | 517 | 90 | 1k+ | Text Domain Mismatch | ||
| #467 | LWSCache | 33 | 47 | 104 | 6k+ | Non-prefixed global variable | ||
| #468 | Membership For WooCommerce | 33 | 40 | 659 | 900 | Non-prefixed global variable | ||
| #469 | Merge + Minify + Refresh | 33 | 78 | 26 | 4k+ | date date | ||
| #470 | GDPR CCPA Compliance & Cookie Consent Banner | 33 | 622 | 87 | 1k+ | Non Singular String Literal Domain | ||
| #471 | Plugin Organizer | 33 | 325 | 257 | 10k+ | Output is not escaped | ||
| #472 | QNAP NAS Backup | 33 | 374 | 70 | 2k+ | Non Singular String Literal Domain | ||
| #473 | Sessions | 33 | 196 | 103 | 900 | Output is not escaped | ||
| #474 | Telegram Bot & Channel | 33 | 182 | 113 | 600 | Unsafe printing function | ||
| #475 | WP Twitter Auto Publish | 33 | 442 | 171 | 4k+ | Output is not escaped | ||
| #476 | Display Posts As List, Grid, Thumbs | 33 | 442 | 241 | 900 | Output is not escaped | ||
| #477 | Pay. Payment Methods for WooCommerce | 33 | 318 | 104 | 3k+ | Non Singular String Literal Domain | ||
| #478 | WOW Slider | 33 | 176 | 101 | 3k+ | Output is not escaped | ||
| #479 | Advanced Twenty Seventeen | 34 | 247 | 98 | 3k+ | Text Domain Mismatch | ||
| #480 | All-in-One WP Migration and Backup | 34 | 47 | 69 | 5m+ | Missing nonce verification | ||
| #481 | Custom Sidebars – Dynamic Sidebar Classic Widget Area Manager | 34 | 32 | 307 | 100k+ | Non-prefixed global variable | ||
| #482 | EasyIndex | 34 | 74 | 135 | 1k+ | Missing nonce verification | ||
| #483 | Export Customers Data | 34 | 109 | 49 | 500 | Text Domain Mismatch | ||
| #484 | Geliver Akıllı Kargo Pazaryeri | 34 | 49 | 247 | 400 | Non-prefixed global variable | ||
| #485 | Image Cleanup | 34 | 52 | 94 | 1k+ | Nonce verification recommended | ||
| #486 | OTP Login & Register Woocommerce | 34 | 148 | 202 | 1k+ | Missing nonce verification | ||
| #487 | Child Theme Creator by Orbisius | 34 | 86 | 39 | 10k+ | Output is not escaped | ||
| #488 | PDF Invoices and Packing Slips For WooCommerce | 34 | 108 | 284 | 1k+ | Non-prefixed global variable | ||
| #489 | PW WooCommerce Bulk Edit | 34 | 219 | 149 | 20k+ | Unsafe printing function | ||
| #490 | SuperFrete | 34 | 84 | 242 | 1k+ | Request data is not unslashed | ||
| #491 | Email Template Designer – WP HTML Mail | 34 | 62 | 80 | 20k+ | badly named files | ||
| #492 | BTCPay Server – Accept Bitcoin payments in WooCommerce | 35 | 48 | 86 | 1k+ | Missing nonce verification | ||
| #493 | Custom CSS and JavaScript | 35 | 38 | 91 | 10k+ | Input is not sanitized | ||
| #494 | Wbcom Designs – Custom Font Uploader | 35 | 340 | 123 | 3k+ | Text Domain Mismatch | ||
| #495 | Dadevarzan WordPress Common | 35 | 56 | 71 | 700 | Text Domain Mismatch | ||
| #496 | Easy Watermark | 35 | 82 | 53 | 30k+ | Non-prefixed global variable | ||
| #497 | Static Site Exporter | 35 | 54 | 25 | 500 | file system operations mkdir | ||
| #498 | Less PHP Compiler | 35 | 163 | 47 | 3k+ | Exception output is not escaped | ||
| #499 | NS Cloner – Site Cloner and Multisite Duplicator | 35 | 29 | 16 | 7k+ | Missing direct file access protection | ||
| #500 | OPcache Manager | 35 | 155 | 75 | 1k+ | Output is not escaped |