missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1451 | Invisible reCaptcha for WordPress | 30 | 90 | 185 | 80k+ | Input is not sanitized | ||
| #1452 | Jetpack Protect | 30 | 657 | 217 | 100k+ | Text Domain Mismatch | ||
| #1453 | core plugin for kitestudio themes | 30 | 244 | 415 | 500 | Nonce verification recommended | ||
| #1454 | Laposta Signup Embed | 30 | 88 | 19 | 1k+ | Exception output is not escaped | ||
| #1455 | Mailrelay | 30 | 318 | 170 | 1k+ | Text Domain Mismatch | ||
| #1456 | Midtrans-WooCommerce | 30 | 112 | 132 | 5k+ | Non-prefixed global variable | ||
| #1457 | Move Addons for Elementor | 30 | 3,919 | 91 | 2k+ | Text Domain Mismatch | ||
| #1458 | Naver webmaster syndication v2 | 30 | 89 | 129 | 500 | Output is not escaped | ||
| #1459 | Novelist | 30 | 475 | 158 | 1k+ | Output is not escaped | ||
| #1460 | OoohBoi Steroids for Elementor | 30 | 2,059 | 100 | 40k+ | Text Domain Mismatch | ||
| #1461 | Operation Demo Importer – Demo Importer For WPoperation Themes | 30 | 245 | 104 | 1k+ | Text Domain Mismatch | ||
| #1462 | گرویتی فرم فارسی | 30 | 205 | 157 | 20k+ | Text Domain Mismatch | ||
| #1463 | PitchPrint | 30 | 76 | 163 | 400 | Input is not sanitized | ||
| #1464 | Popularis Extra | 30 | 237 | 141 | 7k+ | Output is not escaped | ||
| #1465 | Popup Builder – Create highly converting, mobile friendly marketing popups. | 30 | 26 | 722 | 200k+ | Non-prefixed global variable | ||
| #1466 | Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget | 30 | 231 | 102 | 1k+ | Non Singular String Literal Domain | ||
| #1467 | Sync Master Sheet – Product Sync with Google Sheet for WooCommerce | 30 | 136 | 300 | 400 | Non-prefixed global variable | ||
| #1468 | Pubjet | پابجت | 30 | 91 | 172 | 1k+ | Output is not escaped | ||
| #1469 | Real Cookie Banner: GDPR & ePrivacy Cookie Consent | 30 | 9 | 496 | 100k+ | Database parameter is not escaped | ||
| #1470 | Realbig For WordPress | 30 | 36 | 591 | 1k+ | Non-prefixed global variable | ||
| #1471 | Rublon Multi-Factor Authentication (MFA) | 30 | 216 | 160 | 400 | Output is not escaped | ||
| #1472 | Rank Math SEO – AI SEO Tools to Dominate SEO Rankings | 30 | 45 | 374 | 4m+ | Non-prefixed global variable | ||
| #1473 | StoreBuild – Online Store Builder for WooCommerce | 30 | 120 | 211 | 600 | Non-prefixed global variable | ||
| #1474 | Sina Extension for Elementor | 30 | 3,691 | 160 | 40k+ | Text Domain Mismatch | ||
| #1475 | SmartCrawl SEO checker, analyzer & optimizer | 30 | 347 | 1,307 | 20k+ | Non-prefixed global variable | ||
| #1476 | SMTP for Amazon SES – YaySMTP | 30 | 197 | 122 | 3k+ | Exception output is not escaped | ||
| #1477 | Stackable – Page Builder Gutenberg Blocks | 30 | 482 | 87 | 100k+ | Non Singular String Literal Domain | ||
| #1478 | Star Addons for Elementor | 30 | 236 | 255 | 1k+ | Non-prefixed global variable | ||
| #1479 | Taboola | 30 | 89 | 147 | 1k+ | Output is not escaped | ||
| #1480 | Tabs Responsive – With WooCommerce Product Tabs Extension | 30 | 575 | 255 | 20k+ | Non Singular String Literal Domain | ||
| #1481 | Themify Portfolio Post | 30 | 214 | 102 | 30k+ | Text Domain Mismatch | ||
| #1482 | Travel Booking Toolkit | 30 | 245 | 324 | 3k+ | Non-prefixed global variable | ||
| #1483 | Travelers' Map | 30 | 311 | 155 | 1k+ | Output is not escaped | ||
| #1484 | Tutor LMS Divi Modules | 30 | 420 | 722 | 1k+ | Non-prefixed global variable | ||
| #1485 | Urvanov Syntax Highlighter | 30 | 221 | 87 | 3k+ | Output is not escaped | ||
| #1486 | User Access Manager | 30 | 393 | 171 | 10k+ | Output is not escaped | ||
| #1487 | User Avatar – Reloaded | 30 | 352 | 171 | 900 | Text Domain Mismatch | ||
| #1488 | User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress | 30 | 486 | 278 | 3k+ | Text Domain Mismatch | ||
| #1489 | UX Flat | 30 | 539 | 203 | 1k+ | Missing Arg Domain | ||
| #1490 | Waitlist Woocommerce ( Back in stock notifier ) | 30 | 272 | 311 | 4k+ | Output is not escaped | ||
| #1491 | Checkout with Cash App on WooCommerce | 30 | 122 | 308 | 2k+ | Non-prefixed global variable | ||
| #1492 | Dropify | 30 | 132 | 254 | 2k+ | Nonce verification recommended | ||
| #1493 | Custom Post Types and Custom Fields creator – WCK | 30 | 1,299 | 137 | 10k+ | Text Domain Mismatch | ||
| #1494 | Webling | 30 | 147 | 313 | 500 | Input is not validated | ||
| #1495 | Widget Manager Light | 30 | 233 | 83 | 600 | Text Domain Mismatch | ||
| #1496 | Widgetize Pages Light | 30 | 145 | 104 | 3k+ | Output is not escaped | ||
| #1497 | WonderPush – Web Push Notifications – WooCommerce Abandoned Cart – GDPR | 30 | 152 | 192 | 600 | Missing direct file access protection | ||
| #1498 | Delivery & Pickup Date Time for WooCommerce | 30 | 439 | 435 | 5k+ | Non-prefixed global variable | ||
| #1499 | FOX – Currency Switcher Professional for WooCommerce | 30 | 211 | 1,022 | 50k+ | Non-prefixed global variable | ||
| #1500 | Mercado Pago payments for WooCommerce | 30 | 619 | 63 | 100k+ | Short PHP open tag found |