WordPress.WP.AlternativeFunctions.file_system_operations_mkdir

file system operations mkdir

The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.

medium weight

Why It Shows Up

Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.

Why It Matters

WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.

How to Fix

  • Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
  • Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
  • Never write PHP code from user input or remote responses.
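
An added example (not code from Plugin Check or from any plugin listed on this page) showing the first two fixes for the `mkdir` case: the directory is created with `wp_mkdir_p()` instead of raw `mkdir()`, and the target is confined to a plugin-owned folder inside WordPress uploads. The `myplugin` prefix, the function name, and the error codes are hypothetical.

```php
<?php
// Added example. Names prefixed "myplugin" are hypothetical placeholders.

/**
 * Create a per-plugin storage directory inside WordPress uploads.
 *
 * @param string $subdir Directory name supplied by the caller (treated as untrusted).
 * @return string|WP_Error Absolute path of the directory, or WP_Error on failure.
 */
function myplugin_create_storage_dir( $subdir ) {
	// Flagged form, for comparison: mkdir( $dir, 0755, true );

	// Reduce the input to one path segment. sanitize_file_name() removes
	// path separators and trims leading/trailing dots, so "../x" and ".."
	// cannot survive as traversal components.
	$segment = sanitize_file_name( wp_basename( (string) $subdir ) );
	if ( '' === $segment ) {
		return new WP_Error( 'myplugin_bad_dir', 'Invalid directory name.' );
	}

	// Ask WordPress where uploads live instead of hard-coding wp-content/uploads.
	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads_unavailable', $uploads['error'] );
	}

	// All plugin writes go below <uploads>/myplugin/.
	$base   = wp_normalize_path( trailingslashit( $uploads['basedir'] ) . 'myplugin' );
	$target = wp_normalize_path( trailingslashit( $base ) . $segment );

	// Containment guard. wp_normalize_path() does not resolve "..", which is
	// why the segment is sanitized first; this check catches later changes
	// to how $target is built.
	if ( 0 !== strpos( $target, trailingslashit( $base ) ) ) {
		return new WP_Error( 'myplugin_outside_base', 'Path is outside the plugin directory.' );
	}

	// wp_mkdir_p() creates missing parents and sets permissions based on
	// the parent directory rather than a hard-coded mode.
	if ( ! wp_mkdir_p( $target ) ) {
		return new WP_Error( 'myplugin_mkdir_failed', 'Could not create directory.' );
	}

	return $target;
}
```

Callers should test the return value with `is_wp_error()` before using the path.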

Affected Plugins

Rank | Plugin | Score / Errors / Warnings / Installs / Added / Updated | Top Issue
#101 | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF | 221,044799300k+ | Non-prefixed global variable
#102 | Slim Jetpack | 222,5861,9472k+ | Text Domain Mismatch
#103 | SSL Zen — SSL Certificate Installer & HTTPS Redirects | 227801,58510k+ | Non-prefixed global variable
#104 | Stylish Price List – Price Table Builder & QR Code Restaurant Menu | 226746783k+ | Output is not escaped
#105 | Swift Performance Lite | 222,3461,3257k+ | Text Domain Mismatch
#106 | Theme Editor | 2279868550k+ | Output is not escaped
#107 | Unlimited Elements Blocks Library | 227081,822400 | Non-prefixed global variable
#108 | Welcart e-Commerce | 2210,37810,93110k+ | Text Domain Mismatch
#109 | Wenprise WeChatPay Payment Gateway For WooCommerce | 22443178400 | Exception output is not escaped
#110 | ManageWP Worker | 225075651m+ | Non-prefixed class
#111 | Asset CleanUp: Page Speed Booster | 222,0302,485100k+ | Non-prefixed global variable
#112 | File Manager | 227405201m+ | Unsafe printing function
#113 | WP Umbrella: Update Backup Restore & Monitoring | 2291891670k+ | Exception output is not escaped
#114 | Wp-Insert | 2226730110k+ | Output is not escaped
#115 | WP Super Minify • Minify, Compress and Cache HTML, CSS & JavaScript | 221642579k+ | Non-prefixed constant
#116 | WP-WebAuthn | 229573962k+ | Exception output is not escaped
#117 | ShopWP | 22430225700 | Text Domain Mismatch
#118 | WPSSO Core – Complete Schema Markup and Meta Tags | 221,4074125k+ | Missing Translators Comment
#119 | YaySMTP – WP Mail SMTP with Email Logs, Tracking & Reports | 2265443510k+ | Exception output is not escaped
#120 | ЮKassa для WooCommerce | 225901689k+ | Short PHP open tag found
#121 | Recipe Cards For Your Food Blog from Zip Recipes | 221,1261,7311k+ | Non-prefixed global variable
#122 | Admin and Site Enhancements (ASE) | 23136330200k+ | Nonce verification recommended
#123 | Affiliate Super Assistent | 231,2802672k+ | Text Domain Mismatch
#124 | Autoptimize | 23288191800k+ | Output is not escaped
#125 | Kadence Security – Password, Two Factor Authentication, and Brute Force Protection | 231,053967700k+ | Missing Translators Comment
#126 | Booking calendar, Appointment Booking System | 231,0791,1254k+ | Output is not escaped
#127 | Geo Controller | 23914501k+ | Non-prefixed global variable
#128 | Classified Listing – AI-Powered Classified ads & Business Directory | 231552,0749k+ | Non-prefixed global variable
#129 | CLUEVO LMS, E-Learning Platform | 231,8431,176400 | Text Domain Mismatch
#130 | Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe | 239,31026,6421k+ | Non-prefixed global variable
#131 | DK PDF – WordPress PDF Generator | 237443353k+ | Exception output is not escaped
#132 | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy | 233,72310,28340k+ | Non-prefixed namespace
#133 | Error Log Monitor | 236941,41420k+ | Non-prefixed global variable
#134 | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder with AI | 233951,34290k+ | Non-prefixed global variable
#135 | Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light | 23386999400 | Non-prefixed global variable
#136 | Export WordPress Pages to Static HTML & PDF — Static Site Export | 234903014k+ | Text Domain Mismatch
#137 | Ezoic | 2343251610k+ | Output is not escaped
#138 | Fastcache by Host.it | 231,327203700 | Text Domain Mismatch
#139 | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | 234,7461,27930k+ | Non Singular String Literal Domain
#140 | Tracking and Consent Manager – WP Full Picture | 231,2803,2233k+ | Non-prefixed global variable
#141 | FV Flowplayer Video Player | 231,3111,45420k+ | Output is not escaped
#142 | GAinWP Google Analytics Integration for WordPress | 235251768k+ | Output is not escaped
#143 | Anti-Malware Security and Brute-Force Firewall | 23543965100k+ | Output is not escaped
#144 | Interactive Content – H5P | 2356538040k+ | Non Singular String Literal Domain
#145 | Houzez Property Feed | 231,4641,5851k+ | Text Domain Mismatch
#146 | Import from YML | 2397308400 | Non-prefixed global variable
#147 | Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress | 2391693300k+ | Non-prefixed namespace
#148 | License Manager for WooCommerce | 231298196k+ | Request data is not unslashed
#149 | MailPoet – Newsletters, Email Marketing, and Automation | 23931719500k+ | Exception output is not escaped
#150 | Media Library Assistant | 231,1443,94370k+ | Nonce verification recommended