WordPress.WP.AlternativeFunctions.file_system_operations_mkdir
file system operations mkdir
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #501 | Post List Featured Image | 35 | 112 | 100 | 900 | Output is not escaped | ||
| #502 | QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly | 35 | 225 | 110 | 8k+ | Non Singular String Literal Domain | ||
| #503 | The Courier Guy Shipping for WooCommerce | 35 | 57 | 107 | 3k+ | Missing nonce verification | ||
| #504 | User Photo | 35 | 112 | 68 | 3k+ | Output is not escaped | ||
| #505 | Vendi Abandoned Plugin Check | 35 | 13 | 3 | 1k+ | trademarked term | ||
| #506 | Converter for Media – Optimize images | Convert WebP & AVIF | 35 | 133 | 53 | 500k+ | curl curl setopt | ||
| #507 | Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing | 35 | 50 | 236 | 50k+ | Non-prefixed hook name | ||
| #508 | Wooplatnica | 35 | 27 | 24 | 400 | Non-prefixed class | ||
| #509 | WP Compiler | 35 | 33 | 20 | 1k+ | Output is not escaped | ||
| #510 | Database Backup for WordPress | 35 | 128 | 88 | 70k+ | Output is not escaped | ||
| #511 | WP Geo | 35 | 180 | 84 | 900 | Output is not escaped | ||
| #512 | WP GPX Maps | 35 | 27 | 100 | 4k+ | Non-prefixed global variable | ||
| #513 | XServer Migrator | 35 | 39 | 53 | 10k+ | Interpolated SQL is not prepared | ||
| #514 | bpost shipping | 36 | 97 | 43 | 700 | Output is not escaped | ||
| #515 | CP Blocks | 36 | 46 | 38 | 1k+ | wp function not compatible with requires wp | ||
| #516 | Crelly Slider | 36 | 421 | 185 | 10k+ | Unsafe printing function | ||
| #517 | Rara One Click Demo Import | 36 | 122 | 98 | 20k+ | Missing Translators Comment | ||
| #518 | SMTP for SendGrid – YaySMTP | 36 | 27 | 96 | 1k+ | Non-prefixed global variable | ||
| #519 | StaticPress | 36 | 88 | 79 | 500 | Output is not escaped | ||
| #520 | Supplier Order Email | 36 | 54 | 105 | 400 | Output is not escaped | ||
| #521 | SurveyJS: Drag & Drop Form Builder | 36 | 12 | 134 | 500 | Missing Version | ||
| #522 | PDF Flipbook, WPBakery Addon – Unreal FlipBook | 36 | 400 | 92 | 1k+ | Non Singular String Literal Domain | ||
| #523 | Shipping with Venipak for WooCommerce | 36 | 239 | 61 | 1k+ | Text Domain Mismatch | ||
| #524 | Export Themes | 36 | 122 | 90 | 2k+ | Non-prefixed constant | ||
| #525 | WP LaTeX | 36 | 103 | 12 | 700 | Output is not escaped | ||
| #526 | wpShopGermany IT-RECHT KANZLEI | 36 | 37 | 47 | 500 | Input is not sanitized | ||
| #527 | Adaptive Images for WordPress | 37 | 51 | 75 | 3k+ | Output is not escaped | ||
| #528 | JVM Rich Text Icons | 37 | 87 | 34 | 3k+ | Output is not escaped | ||
| #529 | Sensei LMS Certificates | 37 | 97 | 362 | 4k+ | Non-prefixed global variable | ||
| #530 | TelSender – Сontact form 7, Events, Wpforms, ninja forms and woocommerce to telegram bot | 37 | 48 | 40 | 6k+ | Unsafe printing function | ||
| #531 | Theme Builder For Elementor | 37 | 477 | 28 | 2k+ | Text Domain Mismatch | ||
| #532 | Tracking Code Manager | 37 | 55 | 42 | 90k+ | Output is not escaped | ||
| #533 | Fix Media Library | 37 | 53 | 71 | 1k+ | Output is not escaped | ||
| #534 | Anant Sites — Elementor & Gutenberg Readymade Template Library Free & Pro Templates | 38 | 20 | 156 | 1k+ | Non-prefixed global variable | ||
| #535 | Automatic Post Tagger | 38 | 592 | 307 | 2k+ | Output is not escaped | ||
| #536 | Checkout Files Upload for WooCommerce | 38 | 57 | 120 | 7k+ | Input is not sanitized | ||
| #537 | Clever Mega Menu for Visual Composer | 38 | 500 | 87 | 1k+ | Output is not escaped | ||
| #538 | Crop-Thumbnails | 38 | 33 | 27 | 40k+ | Missing direct file access protection | ||
| #539 | Import to Photo Gallery from NextGen gallery | 38 | 80 | 83 | 400 | Direct Query | ||
| #540 | 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery | 38 | 353 | 77 | 80k+ | Non Singular String Literal Domain | ||
| #541 | Migrate Store: Export and Import WooCommerce Settings | 38 | 37 | 33 | 1k+ | Non-prefixed global variable | ||
| #542 | Products Coming Soon for WooCommerce | 38 | 151 | 62 | 700 | Output is not escaped | ||
| #543 | WP Safe Mode | 38 | 95 | 55 | 2k+ | Output is not escaped | ||
| #544 | Block Editor Bootstrap Blocks | 39 | 173 | 50 | 900 | Text Domain Mismatch | ||
| #545 | Dashboard Cleaner | 39 | 40 | 91 | 500 | Missing nonce verification | ||
| #546 | GoSMTP – SMTP for WordPress | 39 | 59 | 42 | 500k+ | Output is not escaped | ||
| #547 | Library Viewer | 39 | 65 | 93 | 400 | Non-prefixed hook name | ||
| #548 | QR Redirector | 39 | 48 | 54 | 4k+ | Output is not escaped | ||
| #549 | Rollbar | 39 | 75 | 14 | 400 | Output is not escaped | ||
| #550 | Use Any Font | Custom Font Uploader | 39 | 36 | 55 | 200k+ | Request data is not unslashed |