WordPress.WP.AlternativeFunctions.file_system_operations_rmdir
file system operations rmdir
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #301 | Inavii Social Feed – Live Social Proof Gallery | 34 | 532 | 180 | 9k+ | Text Domain Mismatch | ||
| #302 | Responsive Menu – Create Mobile-Friendly Menu | 34 | 68 | 40 | 70k+ | Nonce verification recommended | ||
| #303 | Shift8 CDN | 34 | 81 | 25 | 600 | Output is not escaped | ||
| #304 | Weaver Xtreme Theme Support | 34 | 1,625 | 43 | 9k+ | Text Domain Mismatch | ||
| #305 | BTCPay Server – Accept Bitcoin payments in WooCommerce | 35 | 48 | 86 | 1k+ | Missing nonce verification | ||
| #306 | Cache Enabler | 35 | 44 | 75 | 90k+ | Input is not sanitized | ||
| #307 | Constant Contact Forms | 35 | 41 | 89 | 20k+ | Missing nonce verification | ||
| #308 | Counter live visitors for WooCommerce | 35 | 189 | 39 | 7k+ | Short PHP open tag found | ||
| #309 | Cryptex | E-Mail Address Protection | 35 | 62 | 10 | 900 | Output is not escaped | ||
| #310 | Elementor Website Builder – more than just a page builder | 35 | 46 | 428 | 10m+ | Non-prefixed global variable | ||
| #311 | EWWW Image Optimizer | 35 | 225 | 729 | 1m+ | Direct Query | ||
| #312 | External Links Overview | 35 | 57 | 200 | 800 | Non-prefixed global variable | ||
| #313 | GeoTargeting Lite – WordPress Geolocation | 35 | 66 | 79 | 1k+ | Output is not escaped | ||
| #314 | iPages – FlipBook Image & PDF Viewer | 35 | 467 | 177 | 2k+ | Text Domain Mismatch | ||
| #315 | Static Site Exporter | 35 | 54 | 25 | 500 | file system operations mkdir | ||
| #316 | Media Library Downloader | 35 | 21 | 16 | 4k+ | Output is not escaped | ||
| #317 | Plausible Analytics | 35 | 244 | 61 | 10k+ | Exception output is not escaped | ||
| #318 | ReactPress – Create React App for WordPress | 35 | 26 | 43 | 3k+ | Request data is not unslashed | ||
| #319 | Termageddon: Cookie Consent & Privacy Compliance | 35 | 27 | 13 | 7k+ | Exception output is not escaped | ||
| #320 | The Courier Guy Shipping for WooCommerce | 35 | 57 | 107 | 3k+ | Missing nonce verification | ||
| #321 | Converter for Media – Optimize images | Convert WebP & AVIF | 35 | 133 | 53 | 500k+ | curl curl setopt | ||
| #322 | Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing | 35 | 50 | 236 | 50k+ | Non-prefixed hook name | ||
| #323 | WP GPX Maps | 35 | 27 | 100 | 4k+ | Non-prefixed global variable | ||
| #324 | wpLingua – Automatic translation – Translate and make website multilingual | 35 | 79 | 167 | 2k+ | Nonce verification recommended | ||
| #325 | XServer Migrator | 35 | 39 | 53 | 10k+ | Interpolated SQL is not prepared | ||
| #326 | Blaze Demo Importer | 36 | 101 | 94 | 8k+ | Output is not escaped | ||
| #327 | Crelly Slider | 36 | 421 | 185 | 10k+ | Unsafe printing function | ||
| #328 | PDF Forms Filler for CF7 | 36 | 185 | 79 | 3k+ | Text Domain Mismatch | ||
| #329 | PDF Forms Filler for WPForms | 36 | 161 | 54 | 600 | Text Domain Mismatch | ||
| #330 | Supplier Order Email | 36 | 54 | 105 | 400 | Output is not escaped | ||
| #331 | Sync QCloud COS | 36 | 63 | 109 | 600 | Non-prefixed function | ||
| #332 | Adaptive Images for WordPress | 37 | 51 | 75 | 3k+ | Output is not escaped | ||
| #333 | Images Optimize and Upload CF7 | 37 | 130 | 36 | 600 | Non Singular String Literal Domain | ||
| #334 | JVM Rich Text Icons | 37 | 87 | 34 | 3k+ | Output is not escaped | ||
| #335 | Media Sweep – WordPress Media Cleaner | 37 | 56 | 137 | 1k+ | Interpolated SQL is not prepared | ||
| #336 | Send PDF for Contact Form 7 | 37 | 22 | 308 | 9k+ | Non-prefixed global variable | ||
| #337 | HashThemes Demo Importer | 38 | 71 | 44 | 6k+ | Output is not escaped | ||
| #338 | CAOS | Host Google Analytics Locally | 38 | 124 | 44 | 10k+ | Output is not escaped | ||
| #339 | Migrate Store: Export and Import WooCommerce Settings | 38 | 37 | 33 | 1k+ | Non-prefixed global variable | ||
| #340 | MultiLine Files for Contact Form 7 | 38 | 98 | 40 | 9k+ | Text Domain Mismatch | ||
| #341 | WP Safe Mode | 38 | 95 | 55 | 2k+ | Output is not escaped | ||
| #342 | mb.YTPlayer for background videos | 38 | 80 | 29 | 1k+ | Unsafe printing function | ||
| #343 | Dashboard Cleaner | 39 | 40 | 91 | 500 | Missing nonce verification | ||
| #344 | BestWebSoft's Like & Share – Posts, Pages and Widget Social Extension plugin for WordPress | 39 | 480 | 226 | 4k+ | Text Domain Mismatch | ||
| #345 | GDPRess | Eliminate external requests to increase GDPR compliance | 39 | 60 | 26 | 1k+ | Output is not escaped | ||
| #346 | WP Add Custom CSS | 39 | 45 | 23 | 60k+ | Output is not escaped | ||
| #347 | WP Performance Score Booster – Optimize Speed, Enable Cache & Page Preload | 39 | 59 | 27 | 10k+ | Unsafe printing function | ||
| #348 | Simple Cache | 41 | 33 | 59 | 1k+ | Input is not sanitized | ||
| #349 | Custom Admin Page by BestWebSoft – Configurable WordPress Dashboard Pages Plugin | 42 | 472 | 181 | 400 | Text Domain Mismatch | ||
| #350 | Hyper Cache | 45 | 36 | 100 | 8k+ | Non-prefixed global variable |