WordPress.WP.AlternativeFunctions.file_system_operations_mkdir
file system operations mkdir
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
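The three fixes above combined in one helper, as an added example that is not taken from any plugin listed on this page. The `acme_export_write()` function, the `acme-export` directory and the `export.json` file name are hypothetical; the WordPress functions called are core APIs.

```php
<?php
// Added example for a hypothetical plugin; every acme_* name is an assumption.
// Flagged by Plugin Check: mkdir( $dir, 0755, true ); fopen()/fwrite() on $dir.
function acme_export_write( $name, $content ) {
	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'acme_uploads', $uploads['error'] );
	}

	// Reduce the untrusted name to one safe path segment ("..", "/" and "\" are dropped).
	$segment = sanitize_file_name( wp_basename( $name ) );
	if ( '' === $segment ) {
		return new WP_Error( 'acme_name', 'Empty directory name.' );
	}

	$base   = trailingslashit( wp_normalize_path( $uploads['basedir'] ) ) . 'acme-export/';
	$target = $base . $segment;

	// wp_mkdir_p() creates missing parents and derives permissions from the parent directory.
	if ( ! wp_mkdir_p( $target ) ) {
		return new WP_Error( 'acme_mkdir', 'Could not create export directory.' );
	}

	// Resolve symlinks and confirm the result is still inside the plugin's base directory.
	$real_base   = trailingslashit( wp_normalize_path( realpath( $base ) ) );
	$real_target = trailingslashit( wp_normalize_path( realpath( $target ) ) );
	if ( 0 !== strpos( $real_target, $real_base ) ) {
		return new WP_Error( 'acme_path', 'Resolved path is outside the export directory.' );
	}

	// Write through the WP_Filesystem abstraction instead of fopen()/fwrite().
	require_once ABSPATH . 'wp-admin/includes/file.php';
	if ( ! WP_Filesystem() ) {
		return new WP_Error( 'acme_fs', 'Filesystem credentials are required.' );
	}
	global $wp_filesystem;
	$file = $real_target . 'export.json';
	if ( ! $wp_filesystem->put_contents( $file, $content, FS_CHMOD_FILE ) ) {
		return new WP_Error( 'acme_write', 'Could not write export file.' );
	}
	return $file;
}
```

On hosts where `WP_Filesystem()` selects an FTP or SSH transport, absolute local paths may need translating with `$wp_filesystem->find_folder()` before the write.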
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #351 | WPvivid — Backup, Migration & Staging | 25 | 899 | 1,461 | 900k+ | | | Non-prefixed namespace |
| #352 | Backup, Restore and Migrate your sites with XCloner | 25 | 238 | 864 | 10k+ | | | Input is not sanitized |
| #353 | YeeMail — Email Template Builder & Customizer | 25 | 606 | 222 | 600 | | | wp function not compatible with requires wp |
| #354 | ActiveCampaign for WooCommerce | 26 | 541 | 190 | 6k+ | | | Exception output is not escaped |
| #355 | Blog Floating Button | 26 | 705 | 240 | 9k+ | | | Output is not escaped |
| #356 | Ditty – Responsive News Tickers, Sliders, and Lists | 26 | 561 | 484 | 30k+ | | | Output is not escaped |
| #357 | ezCache | 26 | 127 | 269 | 10k+ | | | Direct Query |
| #358 | FG Drupal to WordPress | 26 | 275 | 100 | 700 | | | Unsafe printing function |
| #359 | FG PrestaShop to WooCommerce | 26 | 254 | 94 | 900 | | | Unsafe printing function |
| #360 | Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | 26 | 113 | 597 | 90k+ | | | Non-prefixed global variable |
| #361 | Media File Renamer: Rename for better SEO (AI-Powered) | 26 | 148 | 170 | 40k+ | | | Direct Query |
| #362 | RestaurantPress | 26 | 265 | 518 | 600 | | | Output is not escaped |
| #363 | Send Users Email – Email Subscribers, Email Marketing Newsletter | 26 | 188 | 415 | 5k+ | | | Non-prefixed global variable |
| #364 | SV Proven Expert | 26 | 747 | 380 | 900 | | | Output is not escaped |
| #365 | Tag Groups is the Advanced Way to Display Your Taxonomy Terms | 26 | 351 | 232 | 3k+ | | | Unsafe printing function |
| #366 | Ultimate Reviews | 26 | 515 | 345 | 500 | | | Output is not escaped |
| #367 | User Avatar | 26 | 104 | 173 | 4k+ | | | Non-prefixed constant |
| #368 | Faktur Pro for WooCommerce | 26 | 416 | 218 | 1k+ | | | Text Domain Mismatch |
| #369 | Duplicate Post | 27 | 447 | 274 | 300k+ | | | Unsafe printing function |
| #370 | Cyrlitera – Transliteration of Links and File Names | 27 | 453 | 204 | 40k+ | | | Output is not escaped |
| #371 | EZ SQL Reports Shortcode Widget and DB Backup | 27 | 165 | 158 | 500 | | | Output is not escaped |
| #372 | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin | 27 | 122 | 135 | 3k+ | | | Non-prefixed global variable |
| #373 | FG Joomla to WordPress | 27 | 278 | 101 | 7k+ | | | Unsafe printing function |
| #374 | Foxtool All-in-One: Contact chat button, Custom login, Media optimize images | 27 | 1,629 | 360 | 7k+ | | | Unsafe printing function |
| #375 | Login for Google Apps | 27 | 139 | 85 | 10k+ | | | Exception output is not escaped |
| #376 | MaxGalleria | 27 | 278 | 567 | 2k+ | | | Non-prefixed global variable |
| #377 | MLSImport – Download and synchronize real estate data from various MLS (Multiple Listing Services) | 27 | 154 | 551 | 5k+ | | | Non-prefixed global variable |
| #378 | Packlink PRO for WooCommerce | 27 | 130 | 154 | 20k+ | | | Non-prefixed global variable |
| #379 | picu – Online Photo Proofing Gallery | 27 | 613 | 322 | 2k+ | | | Output is not escaped |
| #380 | Simple Download Monitor | 27 | 218 | 273 | 20k+ | | | Output is not escaped |
| #381 | SV Tracking Manager | 27 | 968 | 129 | 1k+ | | | Output is not escaped |
| #382 | Verge3D Publishing and E-Commerce | 27 | 245 | 298 | 400 | | | Nonce verification recommended |
| #383 | Mihdan: Ajax Edit Comments | 27 | 1,300 | 523 | 500 | | | Text Domain Mismatch |
| #384 | WP Hide & Security Enhancer | 27 | 124 | 375 | 50k+ | | | Input is not sanitized |
| #385 | wp-mpdf | 27 | 123 | 382 | 1k+ | | | Non-prefixed global variable |
| #386 | Redirection for Contact Form 7 | 27 | 34 | 374 | 200k+ | | | Non-prefixed global variable |
| #387 | Dynamic User Directory | 28 | 403 | 256 | 1k+ | | | Output is not escaped |
| #388 | FAPI Member | 28 | 279 | 153 | 500 | | | Exception output is not escaped |
| #389 | Fluent Support – Helpdesk & Customer Support Ticket System | 28 | 50 | 271 | 10k+ | | | Direct Query |
| #390 | Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery | 28 | 384 | 175 | 10k+ | | | Text Domain Mismatch |
| #391 | Kama Thumbnail | 28 | 80 | 47 | 9k+ | | | Output is not escaped |
| #392 | Media Hygiene: Remove or Delete Unused Images and More! | 28 | 654 | 309 | 5k+ | | | Non Singular String Literal Domain |
| #393 | My auctions allegro | 28 | 483 | 235 | 500 | | | Non Singular String Literal Domain |
| #394 | Notification – Custom Notifications and Alerts for WordPress | 28 | 186 | 219 | 10k+ | | | Non-prefixed global variable |
| #395 | Sparkle Demo Importer | 28 | 307 | 166 | 6k+ | | | Text Domain Mismatch |
| #396 | 10WebSocial | 28 | 584 | 185 | 10k+ | | | Unsafe printing function |
| #397 | WP YouTube Lyte | 28 | 204 | 178 | 30k+ | | | Non-prefixed global variable |
| #398 | WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce | 28 | 174 | 226 | 5k+ | | | Output is not escaped |
| #399 | WP Synchro – The Ultimate WordPress Migration Tool | 28 | 243 | 244 | 2k+ | | | Missing Translators Comment |
| #400 | Bitcoin Payments – Blockonomics | 29 | 208 | 227 | 3k+ | | | Output is not escaped |