missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1201 | Online Lesson Booking | 27 | 978 | 281 | 500 | Non Singular String Literal Domain | ||
| #1202 | Tussendoor – Open RDW | 27 | 301 | 140 | 600 | Text Domain Mismatch | ||
| #1203 | Packlink PRO for WooCommerce | 27 | 132 | 160 | 20k+ | Non-prefixed global variable | ||
| #1204 | picu – Online Photo Proofing Gallery | 27 | 613 | 325 | 2k+ | Output is not escaped | ||
| #1205 | PowerPack Lite for Beaver Builder | 27 | 2,842 | 375 | 7k+ | Text Domain Mismatch | ||
| #1206 | PublishPress Permissions: Control User Access for Posts, Pages, Categories, Tags | 27 | 424 | 323 | 10k+ | Missing Translators Comment | ||
| #1207 | Quick Paypal Payments | 27 | 101 | 303 | 1k+ | Non-prefixed function | ||
| #1208 | Rate My Post – Star Rating Plugin by FeedbackWP | 27 | 222 | 360 | 20k+ | Output is not escaped | ||
| #1209 | Restrict for Elementor | 27 | 530 | 1,223 | 900 | Non-prefixed global variable | ||
| #1210 | Robokassa payment gateway for Woocommerce | 27 | 95 | 211 | 3k+ | Non-prefixed global variable | ||
| #1211 | RS Elements Elementor Addon | 27 | 2,026 | 321 | 500 | Text Domain Mismatch | ||
| #1212 | Shipit | 27 | 371 | 209 | 400 | Text Domain Mismatch | ||
| #1213 | Side Cart Woocommerce | Woocommerce Cart | 27 | 490 | 439 | 80k+ | Output is not escaped | ||
| #1214 | Sign-up Sheets | 27 | 325 | 363 | 1k+ | Output is not escaped | ||
| #1215 | Simple Download Monitor | 27 | 218 | 273 | 20k+ | Output is not escaped | ||
| #1216 | Simple Event Planner | 27 | 149 | 346 | 1k+ | Non-prefixed global variable | ||
| #1217 | Hubbub Lite – Fast, free social sharing and follow buttons | 27 | 337 | 172 | 30k+ | Text Domain Mismatch | ||
| #1218 | Social Web Suite – Social Media Auto Post, Social Media Auto Publish | 27 | 74 | 164 | 500 | Non-prefixed global variable | ||
| #1219 | Stream Video Player | 27 | 220 | 135 | 600 | Output is not escaped | ||
| #1220 | SV Tracking Manager | 27 | 968 | 129 | 1k+ | Output is not escaped | ||
| #1221 | Terms & Conditions Per Product | 27 | 533 | 1,336 | 800 | Non-prefixed global variable | ||
| #1222 | Theme One Click Demo Importer | 27 | 210 | 157 | 500 | Text Domain Mismatch | ||
| #1223 | Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More | 27 | 165 | 430 | 100k+ | Non-prefixed global variable | ||
| #1224 | Food Menu – Restaurant Menu & Online Ordering for WooCommerce | 27 | 25 | 1,320 | 3k+ | Non-prefixed global variable | ||
| #1225 | Transbank Webpay | 27 | 198 | 211 | 10k+ | Non-prefixed global variable | ||
| #1226 | Tutor LMS – Migration Tool | 27 | 139 | 341 | 1k+ | Direct Query | ||
| #1227 | Verge3D Publishing and E-Commerce | 27 | 245 | 298 | 400 | Nonce verification recommended | ||
| #1228 | Video Gallery for WooCommerce – Add Product Video & Featured Video | 27 | 116 | 476 | 3k+ | Non-prefixed global variable | ||
| #1229 | VOD Infomaniak | 27 | 797 | 385 | 20k+ | Output is not escaped | ||
| #1230 | Watu Quiz | 27 | 1,089 | 1,014 | 3k+ | Output is not escaped | ||
| #1231 | WC Booster | 27 | 191 | 282 | 800 | Non-prefixed global variable | ||
| #1232 | WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder | 27 | 109 | 801 | 30k+ | Missing nonce verification | ||
| #1233 | Whols – Wholesale Prices and B2B Store Solution for WooCommerce | 27 | 228 | 235 | 2k+ | Output is not escaped | ||
| #1234 | Tabbed Category Product Listing for Woocommerce | 27 | 423 | 111 | 1k+ | Text Domain Mismatch | ||
| #1235 | Mihdan: Ajax Edit Comments | 27 | 1,300 | 523 | 400 | Text Domain Mismatch | ||
| #1236 | Content Pilot – Autoblogging & Affiliate Marketing Suite | 27 | 299 | 269 | 900 | Output is not escaped | ||
| #1237 | WP-DBManager | 27 | 386 | 304 | 60k+ | Non-prefixed global variable | ||
| #1238 | Email Marketing Plugin – WP Email Capture | 27 | 383 | 262 | 1k+ | Output is not escaped | ||
| #1239 | WP Events Manager | 27 | 294 | 415 | 30k+ | Output is not escaped | ||
| #1240 | WP Hide & Security Enhancer | 27 | 124 | 375 | 50k+ | Input is not sanitized | ||
| #1241 | WP Job Manager | 27 | 93 | 582 | 80k+ | Non-prefixed hook name | ||
| #1242 | wp-mpdf | 27 | 123 | 382 | 1k+ | Non-prefixed global variable | ||
| #1243 | WP Activity Log | 27 | 96 | 230 | 300k+ | Nonce verification recommended | ||
| #1244 | WP Chat App | 27 | 120 | 274 | 100k+ | Alternative PHP tag found | ||
| #1245 | Worthy – VG WORT Integration für WordPress | 27 | 1,343 | 773 | 1k+ | Output is not escaped | ||
| #1246 | WPBase Cache | 27 | 189 | 113 | 2k+ | Text Domain Mismatch | ||
| #1247 | Redirection for Contact Form 7 | 27 | 34 | 374 | 200k+ | Non-prefixed global variable | ||
| #1248 | YARPP – Yet Another Related Posts Plugin | 27 | 191 | 331 | 100k+ | Non-prefixed global variable | ||
| #1249 | Ultimate Addons for SiteOrigin | 28 | 525 | 189 | 7k+ | Text Domain Mismatch | ||
| #1250 | Vertex Addons for Elementor | 28 | 232 | 413 | 400 | Output is not escaped |