WordPress.WP.AlternativeFunctions.file_system_operations_mkdir

file system operations mkdir

The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.

medium weight

Why It Shows Up

Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.

Why It Matters

WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.

How to Fix

  • Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
  • Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
  • Never write PHP code from user input or remote responses.
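
The three fixes above combined in one helper, as an added example that is not code from Plugin Check or from any plugin listed on this page. The function name `myplugin_make_dir` and the `myplugin` uploads subdirectory are hypothetical.

```php
<?php
// Added example; not code from Plugin Check or from any plugin listed here.
// Hypothetical names: myplugin_make_dir(), the "myplugin" uploads subdirectory.

// Flagged pattern: raw mkdir() on a path built from request data.
// mkdir( WP_CONTENT_DIR . '/uploads/' . $_POST['folder'], 0777, true );

/**
 * Create uploads/myplugin/<name> through WP_Filesystem.
 *
 * @param string $name Untrusted directory name (already unslashed).
 * @return string|WP_Error Local path of the directory, or an error.
 */
function myplugin_make_dir( $name ) {
	// Reduce the input to one safe path segment; reject traversal and drive prefixes.
	$segment = sanitize_file_name( $name );
	if ( '' === $segment || 0 !== validate_file( $segment ) ) {
		return new WP_Error( 'myplugin_bad_name', 'Invalid directory name.' );
	}

	// Anchor every write under the uploads directory.
	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', $uploads['error'] );
	}

	// Initialise the transport WordPress selected (direct, FTP, SSH).
	require_once ABSPATH . 'wp-admin/includes/file.php';
	global $wp_filesystem;
	if ( ! WP_Filesystem() ) {
		return new WP_Error( 'myplugin_fs', 'Filesystem access is not available.' );
	}

	// Non-direct transports may see the uploads directory under a different root.
	$root = $wp_filesystem->find_folder( $uploads['basedir'] );
	if ( ! $root ) {
		return new WP_Error( 'myplugin_root', 'Uploads directory not found.' );
	}

	// Create the plugin directory, then the requested child, with WordPress permissions.
	foreach ( array( 'myplugin', 'myplugin/' . $segment ) as $relative ) {
		$dir = trailingslashit( $root ) . $relative;
		if ( ! $wp_filesystem->is_dir( $dir ) && ! $wp_filesystem->mkdir( $dir, FS_CHMOD_DIR ) ) {
			return new WP_Error( 'myplugin_mkdir', 'Could not create directory.' );
		}
	}
	return trailingslashit( $uploads['basedir'] ) . 'myplugin/' . $segment;
}
```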

Affected Plugins

| Rank | Plugin | Score / Errors / Warnings / Installs / Added / Updated | Top Issue |
| --- | --- | --- | --- |
| #251 | Security Plugin, Firewall & Malware Scanner with Auto Removal | 241,19176930k+ | Output is not escaped |
| #252 | ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization | 2492632210k+ | Output is not escaped |
| #253 | SiteGuard WP Plugin | 24359350500k+ | Output is not escaped |
| #254 | Slideshow Gallery LITE | 248964145k+ | Output is not escaped |
| #255 | SiteOrigin Widgets Bundle | 24606455400k+ | Output is not escaped |
| #256 | Social Media Auto Publish | 241,4687136k+ | Unsafe printing function |
| #257 | Softaculous | 241154910k+ | file system operations fread |
| #258 | Spotlight Social Feeds – Block, Shortcode, and Widget | 2441114760k+ | Output is not escaped |
| #259 | Tainacan | 241565981k+ | Direct Query |
| #260 | Timber | 248512820k+ | Non-prefixed hook name |
| #261 | Ultimate Maps by Supsystic | 241,03437410k+ | Non Singular String Literal Domain |
| #262 | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | 249382,935200k+ | Non-prefixed global variable |
| #263 | Unlimited Elements For Elementor | 247102,093300k+ | Non-prefixed global variable |
| #264 | User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | 246643,32150k+ | Non-prefixed global variable |
| #265 | Video Conferencing with Zoom | 241,10544010k+ | Unsafe printing function |
| #266 | VikRentItems Flexible Rental Management System | 244,7554,639600 | Non-prefixed global variable |
| #267 | WCMultiShipping — Mondial Relay, Inpost & Chronopost for WooCommerce | 247304995k+ | Output is not escaped |
| #268 | Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels | 241,6151,38170k+ | Text Domain Mismatch |
| #269 | Disable Updates – Updates Manager, Disable Automatic Updates, Disable All Updates | 2452213510k+ | Output is not escaped |
| #270 | Payment Gateway for PayPal on WooCommerce | 2415356110k+ | Nonce verification recommended |
| #271 | NextMove Lite – Thank You Page for WooCommerce | 2491685710k+ | Non-prefixed global variable |
| #272 | EU VAT Assistant for WooCommerce | 241,7424955k+ | Non Singular String Literal Domain |
| #273 | WPML Multilingual & Multicurrency for WooCommerce | 241,4531,618100k+ | SQL query is not prepared |
| #274 | WP Admin Audit | 241,0517811k+ | error log print r |
| #275 | WP-Appbox | 244183902k+ | Missing Arg Domain |
| #276 | WP Discourse | 241031141k+ | Nonce verification recommended |
| #277 | WP Fastest Cache – WordPress Cache Plugin | 245417531m+ | Unsafe printing function |
| #278 | Iptanus File Upload | 245091,32510k+ | Non-prefixed function |
| #279 | WP Layouts | 243491463k+ | Text Domain Mismatch |
| #280 | WP-Members Membership Plugin | 2466938250k+ | Output is not escaped |
| #281 | WP RSS Aggregator – RSS Import, Feed to Post, Autoblogging, AI Content | 241,77539340k+ | Text Domain Mismatch |
| #282 | WP Travel – Ultimate Travel Booking System, Tour Management Engine | 242251,9434k+ | Non-prefixed hook name |
| #283 | Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | 242,5762,103100k+ | Output is not escaped |
| #284 | WP User Manager – User Profile Builder & Membership | 2478753910k+ | Exception output is not escaped |
| #285 | WP Voting Contest Lite | 24259258400 | Text Domain Mismatch |
| #286 | WPAdverts – Classifieds Plugin | 241,3084964k+ | Output is not escaped |
| #287 | WPIDE – File Manager & Code Editor | 246101,38640k+ | Non-prefixed global variable |
| #288 | WpStream – Live Streaming, Video on Demand, Pay Per View | 241,7247423k+ | Text Domain Mismatch |
| #289 | xili-language | 241,501523600 | Output is not escaped |
| #290 | Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation | 241,2113,15230k+ | Non-prefixed global variable |
| #291 | 3DPrint Lite | 251751,029700 | Non-prefixed global variable |
| #292 | AdRotate Banner Manager | 251,36384620k+ | Unsafe printing function |
| #293 | AliExpress Dropshipping Plugin for WooCommerce Stores | 255507285k+ | Text Domain Mismatch |
| #294 | AIO Forms – Craft Complex Forms Easily | 25189418700 | Mixed line endings |
| #295 | ATUM WooCommerce Inventory Management and Stock Tracking | 252,6381,30410k+ | Non Singular String Literal Domain |
| #296 | bbp style pack | 251,4191,7926k+ | Output is not escaped |
| #297 | Breeze Cache | 25218800400k+ | Non-prefixed global variable |
| #298 | Broken Link Checker | 25727600500k+ | Output is not escaped |
| #299 | CheckoutWC Lite | 251,3998513k+ | Text Domain Mismatch |
| #300 | Disable Comments & Delete All Comments | 255031859k+ | Output is not escaped |