WordPress.WP.AlternativeFunctions.file_system_operations_mkdir
file system operations mkdir
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
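
One way to apply these points to the `mkdir` case, as an added example that is not code from Plugin Check or from any plugin listed here. The `myplugin_` function name and the `myplugin-cache` directory are hypothetical, and the code assumes it runs inside WordPress with `$contents` holding data (for example `wp_json_encode()` output), never PHP source.

```php
<?php
// Added example. Hypothetical names: myplugin_write_cache_file(), 'myplugin-cache'.
function myplugin_write_cache_file( $requested_name, $contents ) {
	// Reject traversal sequences and drive prefixes before touching the name.
	if ( 0 !== validate_file( $requested_name ) ) {
		return new WP_Error( 'myplugin_path', 'Invalid file name.' );
	}
	// Keep only a bare, sanitized file name; the extension is pinned below.
	$name = pathinfo( sanitize_file_name( wp_basename( $requested_name ) ), PATHINFO_FILENAME );
	if ( '' === $name ) {
		return new WP_Error( 'myplugin_path', 'Empty file name.' );
	}

	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', $uploads['error'] );
	}
	// Plugin-owned directory inside WordPress uploads.
	$base = trailingslashit( $uploads['basedir'] ) . 'myplugin-cache';

	// wp_mkdir_p() instead of mkdir(): creates missing parents and derives
	// permissions from the parent directory.
	if ( ! wp_mkdir_p( $base ) ) {
		return new WP_Error( 'myplugin_mkdir', 'Could not create directory.' );
	}

	// WP_Filesystem instead of fopen()/fwrite()/chmod().
	global $wp_filesystem;
	require_once ABSPATH . 'wp-admin/includes/file.php';
	if ( ! WP_Filesystem() ) {
		// The transport needs credentials we do not have: fail, do not fall back to raw calls.
		return new WP_Error( 'myplugin_fs', 'Filesystem API unavailable.' );
	}

	// Fixed data extension, so the written file is never a .php file.
	$target = trailingslashit( $base ) . $name . '.json';
	if ( ! $wp_filesystem->put_contents( $target, $contents, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'myplugin_write', 'Could not write file.' );
	}
	return $target;
}
```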
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #251 | Security Plugin, Firewall & Malware Scanner with Auto Removal | 24 | 1,191 | 769 | 30k+ | Output is not escaped | ||
| #252 | ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization | 24 | 926 | 322 | 10k+ | Output is not escaped | ||
| #253 | SiteGuard WP Plugin | 24 | 359 | 350 | 500k+ | Output is not escaped | ||
| #254 | Slideshow Gallery LITE | 24 | 896 | 414 | 5k+ | Output is not escaped | ||
| #255 | SiteOrigin Widgets Bundle | 24 | 606 | 455 | 400k+ | Output is not escaped | ||
| #256 | Social Media Auto Publish | 24 | 1,468 | 713 | 6k+ | Unsafe printing function | ||
| #257 | Softaculous | 24 | 115 | 49 | 10k+ | file system operations fread | ||
| #258 | Spotlight Social Feeds – Block, Shortcode, and Widget | 24 | 411 | 147 | 60k+ | Output is not escaped | ||
| #259 | Tainacan | 24 | 156 | 598 | 1k+ | Direct Query | ||
| #260 | Timber | 24 | 85 | 128 | 20k+ | Non-prefixed hook name | ||
| #261 | Ultimate Maps by Supsystic | 24 | 1,034 | 374 | 10k+ | Non Singular String Literal Domain | ||
| #262 | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | 24 | 938 | 2,935 | 200k+ | Non-prefixed global variable | ||
| #263 | Unlimited Elements For Elementor | 24 | 710 | 2,093 | 300k+ | Non-prefixed global variable | ||
| #264 | User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | 24 | 664 | 3,321 | 50k+ | Non-prefixed global variable | ||
| #265 | Video Conferencing with Zoom | 24 | 1,105 | 440 | 10k+ | Unsafe printing function | ||
| #266 | VikRentItems Flexible Rental Management System | 24 | 4,755 | 4,639 | 600 | Non-prefixed global variable | ||
| #267 | WCMultiShipping — Mondial Relay, Inpost & Chronopost for WooCommerce | 24 | 730 | 499 | 5k+ | Output is not escaped | ||
| #268 | Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels | 24 | 1,615 | 1,381 | 70k+ | Text Domain Mismatch | ||
| #269 | Disable Updates – Updates Manager, Disable Automatic Updates, Disable All Updates | 24 | 522 | 135 | 10k+ | Output is not escaped | ||
| #270 | Payment Gateway for PayPal on WooCommerce | 24 | 153 | 561 | 10k+ | Nonce verification recommended | ||
| #271 | NextMove Lite – Thank You Page for WooCommerce | 24 | 916 | 857 | 10k+ | Non-prefixed global variable | ||
| #272 | EU VAT Assistant for WooCommerce | 24 | 1,742 | 495 | 5k+ | Non Singular String Literal Domain | ||
| #273 | WPML Multilingual & Multicurrency for WooCommerce | 24 | 1,453 | 1,618 | 100k+ | SQL query is not prepared | ||
| #274 | WP Admin Audit | 24 | 1,051 | 781 | 1k+ | error log print r | ||
| #275 | WP-Appbox | 24 | 418 | 390 | 2k+ | Missing Arg Domain | ||
| #276 | WP Discourse | 24 | 103 | 114 | 1k+ | Nonce verification recommended | ||
| #277 | WP Fastest Cache – WordPress Cache Plugin | 24 | 541 | 753 | 1m+ | Unsafe printing function | ||
| #278 | Iptanus File Upload | 24 | 509 | 1,325 | 10k+ | Non-prefixed function | ||
| #279 | WP Layouts | 24 | 349 | 146 | 3k+ | Text Domain Mismatch | ||
| #280 | WP-Members Membership Plugin | 24 | 669 | 382 | 50k+ | Output is not escaped | ||
| #281 | WP RSS Aggregator – RSS Import, Feed to Post, Autoblogging, AI Content | 24 | 1,775 | 393 | 40k+ | Text Domain Mismatch | ||
| #282 | WP Travel – Ultimate Travel Booking System, Tour Management Engine | 24 | 225 | 1,943 | 4k+ | Non-prefixed hook name | ||
| #283 | Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | 24 | 2,576 | 2,103 | 100k+ | Output is not escaped | ||
| #284 | WP User Manager – User Profile Builder & Membership | 24 | 787 | 539 | 10k+ | Exception output is not escaped | ||
| #285 | WP Voting Contest Lite | 24 | 259 | 258 | 400 | Text Domain Mismatch | ||
| #286 | WPAdverts – Classifieds Plugin | 24 | 1,308 | 496 | 4k+ | Output is not escaped | ||
| #287 | WPIDE – File Manager & Code Editor | 24 | 610 | 1,386 | 40k+ | Non-prefixed global variable | ||
| #288 | WpStream – Live Streaming, Video on Demand, Pay Per View | 24 | 1,724 | 742 | 3k+ | Text Domain Mismatch | ||
| #289 | xili-language | 24 | 1,501 | 523 | 600 | Output is not escaped | ||
| #290 | Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation | 24 | 1,211 | 3,152 | 30k+ | Non-prefixed global variable | ||
| #291 | 3DPrint Lite | 25 | 175 | 1,029 | 700 | Non-prefixed global variable | ||
| #292 | AdRotate Banner Manager | 25 | 1,363 | 846 | 20k+ | Unsafe printing function | ||
| #293 | AliExpress Dropshipping Plugin for WooCommerce Stores | 25 | 550 | 728 | 5k+ | Text Domain Mismatch | ||
| #294 | AIO Forms – Craft Complex Forms Easily | 25 | 189 | 418 | 700 | Mixed line endings | ||
| #295 | ATUM WooCommerce Inventory Management and Stock Tracking | 25 | 2,638 | 1,304 | 10k+ | Non Singular String Literal Domain | ||
| #296 | bbp style pack | 25 | 1,419 | 1,792 | 6k+ | Output is not escaped | ||
| #297 | Breeze Cache | 25 | 218 | 800 | 400k+ | Non-prefixed global variable | ||
| #298 | Broken Link Checker | 25 | 727 | 600 | 500k+ | Output is not escaped | ||
| #299 | CheckoutWC Lite | 25 | 1,399 | 851 | 3k+ | Text Domain Mismatch | ||
| #300 | Disable Comments & Delete All Comments | 25 | 503 | 185 | 9k+ | Output is not escaped | ||