missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1301 | Redis Object Cache | 28 | 151 | 103 | 400k+ | Exception output is not escaped | ||
| #1302 | Brilliant Web-to-Lead for Salesforce | 28 | 247 | 244 | 2k+ | Text Domain Mismatch | ||
| #1303 | Secure Downloads | 28 | 616 | 406 | 600 | Output is not escaped | ||
| #1304 | Transliterator – Multilingual and Multi-script Text Conversion | 28 | 305 | 322 | 3k+ | Output is not escaped | ||
| #1305 | Slider Pro | 28 | 583 | 527 | 4k+ | Unsafe printing function | ||
| #1306 | Sparkle Demo Importer | 28 | 307 | 166 | 5k+ | Text Domain Mismatch | ||
| #1307 | ST Elementor Addons | 28 | 224 | 374 | 500 | Non-prefixed global variable | ||
| #1308 | Tab – Accordion, FAQ | 28 | 104 | 542 | 1k+ | Non-prefixed global variable | ||
| #1309 | Temporary Login Without Password | 28 | 128 | 131 | 100k+ | wp function not compatible with requires wp | ||
| #1310 | Terms descriptions | 28 | 222 | 423 | 1k+ | Non-prefixed function | ||
| #1311 | Themesflat Addons For Elementor | 28 | 714 | 227 | 40k+ | Output is not escaped | ||
| #1312 | Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor | 28 | 291 | 292 | 20k+ | Output is not escaped | ||
| #1313 | Ultimate FAQ Accordion Plugin | 28 | 386 | 227 | 30k+ | Unsafe printing function | ||
| #1314 | Jetpack VaultPress | 28 | 71 | 362 | 10k+ | Missing nonce verification | ||
| #1315 | VG WORT METIS | 28 | 150 | 317 | 900 | Nonce verification recommended | ||
| #1316 | WC Fields Factory | 28 | 194 | 369 | 7k+ | Nonce verification recommended | ||
| #1317 | 10WebSocial | 28 | 584 | 185 | 10k+ | Unsafe printing function | ||
| #1318 | WeeConnectPay – Clover Payment Gateway for WooCommerce | 28 | 179 | 171 | 500 | Exception output is not escaped | ||
| #1319 | PayZen for WooCommerce | 28 | 258 | 214 | 600 | Output is not escaped | ||
| #1320 | Product Gallery Slider, Additional Variation Images for WooCommerce | 28 | 552 | 316 | 20k+ | Output is not escaped | ||
| #1321 | Dynamic Product Gallery for WooCommerce | 28 | 414 | 301 | 1k+ | Output is not escaped | ||
| #1322 | Email Inquiry & Cart Options for WooCommerce | 28 | 181 | 273 | 800 | Output is not escaped | ||
| #1323 | Product Sort and Display for WooCommerce | 28 | 190 | 229 | 2k+ | Output is not escaped | ||
| #1324 | WP ADA Compliance Check Basic | 28 | 785 | 177 | 3k+ | Text Domain Mismatch | ||
| #1325 | WP Booking System – Booking Calendar | 28 | 502 | 549 | 20k+ | Output is not escaped | ||
| #1326 | WP GoToWebinar | 28 | 207 | 207 | 700 | Non-prefixed function | ||
| #1327 | WP Mapbox GL JS Maps | 28 | 104 | 119 | 1k+ | Output is not escaped | ||
| #1328 | Connect Matomo – Analytics Dashboard for WordPress | 28 | 100 | 102 | 60k+ | Missing Translators Comment | ||
| #1329 | WP Travel Gutenberg Blocks | 28 | 485 | 157 | 900 | Output is not escaped | ||
| #1330 | WhyDonate – FREE Donate button – Crowdfunding – Fundraising | 28 | 216 | 328 | 800 | Non-prefixed global variable | ||
| #1331 | WP YouTube Lyte | 28 | 204 | 178 | 20k+ | Non-prefixed global variable | ||
| #1332 | WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN) | 28 | 209 | 217 | 10k+ | Exception output is not escaped | ||
| #1333 | WPS Bidouille | 28 | 472 | 215 | 10k+ | Output is not escaped | ||
| #1334 | WP Synchro – The Ultimate WordPress Migration Tool | 28 | 243 | 244 | 2k+ | Missing Translators Comment | ||
| #1335 | WxSync-标准云微信公众号文章免费采集-任意公众号自动采集付费购买 | 28 | 57 | 138 | 500 | Request data is not unslashed | ||
| #1336 | YITH WooCommerce Product Bundles | 28 | 404 | 1,480 | 3k+ | Non-prefixed global variable | ||
| #1337 | Accordion Slider | 29 | 391 | 447 | 2k+ | Unsafe printing function | ||
| #1338 | Accordion Slider Gallery | 29 | 379 | 142 | 1k+ | Text Domain Mismatch | ||
| #1339 | Advanced coupon for WooCommerce | 29 | 472 | 242 | 900 | Text Domain Mismatch | ||
| #1340 | Adminimize | 29 | 296 | 691 | 200k+ | Non-prefixed global variable | ||
| #1341 | Alt Text AI – Automatically generate image alt text for SEO and accessibility | 29 | 72 | 280 | 20k+ | Non-prefixed global variable | ||
| #1342 | AppPresser – Mobile App Framework | 29 | 262 | 214 | 1k+ | Text Domain Mismatch | ||
| #1343 | aThemeArt Theme Helper | 29 | 206 | 151 | 2k+ | Non-prefixed global variable | ||
| #1344 | aThemes Starter Sites | 29 | 268 | 214 | 40k+ | Text Domain Mismatch | ||
| #1345 | Attribute Stock for WooCommerce – Shared Stock & Variable Quantities (Lite Version) | 29 | 481 | 313 | 2k+ | Text Domain Mismatch | ||
| #1346 | Better Google Analytics | 29 | 376 | 869 | 2k+ | Non-prefixed global variable | ||
| #1347 | Bitcoin Payments – Blockonomics | 29 | 208 | 227 | 2k+ | Output is not escaped | ||
| #1348 | BNE Testimonials | 29 | 521 | 102 | 1k+ | Output is not escaped | ||
| #1349 | Order Delivery Date Time & Pickup for WooCommerce | 29 | 667 | 244 | 500 | Output is not escaped | ||
| #1350 | Branded Social Images – Open Graph Images with logo and extra text layer | 29 | 254 | 91 | 900 | Non Singular String Literal Domain |