WordPress.WP.AlternativeFunctions.file_system_operations_touch
file system operations touch
The plugin performs filesystem work with raw PHP functions where WordPress expects safer filesystem handling.
Why It Shows Up
Plugin Check found functions such as `fopen`, `fwrite`, `chmod`, `mkdir`, `readfile`, or related operations.
Why It Matters
WordPress sites can use different filesystem permissions and transports. Raw filesystem calls can fail on common hosts or write to unsafe locations.
How to Fix
- Use WordPress filesystem helpers when writing, reading, or changing files in plugin-managed paths.
- Validate paths and keep writes inside directories owned by the plugin or WordPress uploads.
- Never write PHP code from user input or remote responses.
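The three points above combined in one function, as an added example that is not part of the original page or of any listed plugin. The `myplugin_` prefix, the `myplugin` uploads subdirectory, and the extension allowlist are assumptions made for illustration.

```php
<?php
// Added example; myplugin_* names and the "myplugin" subdirectory are hypothetical.

/**
 * Create or refresh a marker file inside uploads/myplugin/ via WP_Filesystem.
 *
 * @param string $name Caller-supplied file name (treated as untrusted).
 * @return string|WP_Error Absolute path on success.
 */
function myplugin_touch_marker( $name ) {
	// Pattern the sniff flags: touch( $dir . '/' . $name );

	// Reduce the input to a bare file name; reject anything that still looks like a path.
	$name = sanitize_file_name( wp_basename( $name ) );
	if ( '' === $name || 0 !== validate_file( $name ) ) {
		return new WP_Error( 'myplugin_bad_name', 'Invalid file name.' );
	}

	// Data files only: this code path must never create something the server executes.
	$ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
	if ( ! in_array( $ext, array( 'txt', 'json', 'lock' ), true ) ) {
		return new WP_Error( 'myplugin_bad_ext', 'File type not allowed.' );
	}

	// Build the target from a fixed base inside uploads, never from the input.
	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return new WP_Error( 'myplugin_uploads', $uploads['error'] );
	}
	$base = trailingslashit( wp_normalize_path( $uploads['basedir'] ) ) . 'myplugin/';
	$path = $base . $name;

	// WP_Filesystem() lives in an admin include and selects the transport for this host.
	require_once ABSPATH . 'wp-admin/includes/file.php';
	global $wp_filesystem;
	if ( ! WP_Filesystem() ) {
		return new WP_Error( 'myplugin_fs', 'Filesystem could not be initialized.' );
	}

	if ( ! $wp_filesystem->is_dir( $base ) && ! wp_mkdir_p( $base ) ) {
		return new WP_Error( 'myplugin_mkdir', 'Could not create plugin directory.' );
	}
	if ( ! $wp_filesystem->touch( $path ) ) {
		return new WP_Error( 'myplugin_touch', 'Could not touch file.' );
	}
	return $path;
}
```

Callers should check the result with `is_wp_error()` before using the returned path.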
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #51 | Export WordPress Pages to Static HTML & PDF — Static Site Export | 23 | 490 | 301 | 4k+ | Text Domain Mismatch |
| #52 | Fuse Social Floating Sidebar | 23 | 1,840 | 1,573 | 10k+ | Non-prefixed global variable |
| #53 | FV Flowplayer Video Player | 23 | 1,311 | 1,454 | 20k+ | Output is not escaped |
| #54 | Media Library Assistant | 23 | 1,144 | 3,943 | 70k+ | Nonce verification recommended |
| #55 | Next Active Directory Integration | 23 | 683 | 284 | 2k+ | Exception output is not escaped |
| #56 | NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization | 23 | 316 | 639 | 100k+ | Output is not escaped |
| #57 | PowerPress Podcasting plugin by Blubrry | 23 | 4,807 | 2,394 | 20k+ | Output is not escaped |
| #58 | SiteOrigin Widgets Bundle | 23 | 607 | 455 | 400k+ | Output is not escaped |
| #59 | The Events Calendar | 23 | 3,511 | 3,851 | 700k+ | Text Domain Mismatch |
| #60 | Travelpayouts | 23 | 769 | 110 | 6k+ | Output is not escaped |
| #61 | W3 Total Cache | 23 | 307 | 678 | 900k+ | Non-prefixed global variable |
| #62 | Worth The Read | 23 | 873 | 138 | 3k+ | Text Domain Mismatch |
| #63 | WP Migrate Lite – Migration Made Easy | 23 | 369 | 255 | 200k+ | Exception output is not escaped |
| #64 | WP STAGING – WordPress Backup, Restore, Migration & Clone | 23 | 1,494 | 1,550 | 100k+ | Non-prefixed global variable |
| #65 | Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress | 23 | 2,317 | 1,714 | 5k+ | Output is not escaped |
| #66 | 404 Solution | 24 | 486 | 1,338 | 10k+ | Non-prefixed class |
| #67 | A2 Optimized WP – Turbocharge and secure your WordPress site | 24 | 271 | 231 | 60k+ | Missing Arg Domain |
| #68 | Backuply – Backup, Restore, Migrate and Clone | 24 | 704 | 551 | 700k+ | Non-prefixed global variable |
| #69 | Kognetiks Chatbot for WordPress | 24 | 651 | 1,486 | 600 | Non-prefixed global variable |
| #70 | Custom CSS | 24 | 703 | 657 | 1k+ | Output is not escaped |
| #71 | Enable Media Replace | 24 | 212 | 276 | 600k+ | Output is not escaped |
| #72 | Event Tickets and Registration | 24 | 3,411 | 4,217 | 90k+ | Non-prefixed global variable |
| #73 | Featured Image from URL (FIFU) | 24 | 1,654 | 418 | 70k+ | Non Singular String Literal Domain |
| #74 | Featured Post with thumbnail | 24 | 158 | 122 | 400 | Output is not escaped |
| #75 | Formidable PRO2PDF | 24 | 218 | 477 | 1k+ | Non-prefixed global variable |
| #76 | FV Player 8 | 24 | 323 | 1,383 | 1k+ | Non-prefixed function |
| #77 | Newsletter – Send awesome emails from WordPress | 24 | 898 | 2,214 | 200k+ | Non-prefixed global variable |
| #78 | Post Status Notifier Lite | 24 | 984 | 451 | 700 | Missing direct file access protection |
| #79 | Pz-LinkCard | 24 | 951 | 1,581 | 20k+ | Non-prefixed global variable |
| #80 | reGenerate Thumbnails Advanced | 24 | 220 | 122 | 70k+ | Unsafe printing function |
| #81 | SEO Engine – Smart SEO with AI, Schema & Redirection for WordPress | 24 | 239 | 304 | 1k+ | Direct Query |
| #82 | SiteGuard WP Plugin | 24 | 359 | 350 | 500k+ | Output is not escaped |
| #83 | User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | 24 | 664 | 3,321 | 50k+ | Non-prefixed global variable |
| #84 | VikRentItems Flexible Rental Management System | 24 | 4,755 | 4,639 | 600 | Non-prefixed global variable |
| #85 | Vimeography: Vimeo Video Gallery WordPress Plugin | 24 | 98 | 212 | 5k+ | Nonce verification recommended |
| #86 | WP User Manager – User Profile Builder & Membership | 24 | 787 | 539 | 10k+ | Exception output is not escaped |
| #87 | WPeMatico RSS Feed Fetcher | 24 | 1,378 | 587 | 10k+ | Output is not escaped |
| #88 | All 404 Redirect to Homepage | 25 | 140 | 301 | 200k+ | date date |
| #89 | AIO Forms – Craft Complex Forms Easily | 25 | 189 | 418 | 700 | Mixed line endings |
| #90 | ATUM WooCommerce Inventory Management and Stock Tracking | 25 | 2,638 | 1,304 | 10k+ | Non Singular String Literal Domain |
| #91 | Breeze Cache | 25 | 218 | 800 | 400k+ | Non-prefixed global variable |
| #92 | Docket Cache – Object Cache Accelerator | 25 | 333 | 481 | 20k+ | Output is not escaped |
| #93 | Site Kit by Google – Analytics, Search Console, AdSense, Speed | 25 | 1,304 | 242 | 5m+ | Missing direct file access protection |
| #94 | Hardcore Google Fonts Localizer | 25 | 331 | 261 | 800 | Text Domain Mismatch |
| #95 | Index WP MySQL For Speed | 25 | 250 | 255 | 50k+ | Output is not escaped |
| #96 | Loginizer | 25 | 814 | 504 | 1m+ | Output is not escaped |
| #97 | LWS Optimize – All-in-One Speed Booster & Cache Tools | 25 | 430 | 764 | 20k+ | Non-prefixed global variable |
| #98 | Media Cleaner: Clean your WordPress! | 25 | 151 | 391 | 90k+ | Direct Query |
| #99 | MyFatoorah – WooCommerce | 25 | 191 | 89 | 2k+ | Output is not escaped |
| #100 | PDF Importer for WPForms | 25 | 332 | 329 | 400 | Non-prefixed global variable |