missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1651 | Speed Kit | 32 | 296 | 73 | 2k+ | Output is not escaped | ||
| #1652 | Better Chat Support for Messenger | 32 | 73 | 103 | 1k+ | Interpolated SQL is not prepared | ||
| #1653 | Better Robots.txt – AI-Ready Crawl Control & Bot Governance | 32 | 55 | 83 | 5k+ | error log error log | ||
| #1654 | Blog2Social: Social Media Auto Post & Scheduler | 32 | 7 | 957 | 50k+ | Direct Query | ||
| #1655 | Bosa Elementor Addons and Templates for WooCommerce | 32 | 40 | 165 | 20k+ | slow db query tax query | ||
| #1656 | BP Classic | 32 | 664 | 216 | 6k+ | Unsafe printing function | ||
| #1657 | BuddyPress for LearnDash | 32 | 190 | 284 | 1k+ | Output is not escaped | ||
| #1658 | Quantity Discounts, Breaks & Product Bundles for Woocommerce By Bundler | 32 | 147 | 319 | 400 | Direct Query | ||
| #1659 | Child Theme Configurator | 32 | 442 | 267 | 300k+ | Unsafe printing function | ||
| #1660 | Vimeotheque – Vimeo WordPress Plugin & Video Gallery | 32 | 642 | 264 | 2k+ | Unsafe printing function | ||
| #1661 | Color and Image Swatches for Variable Product Attributes | 32 | 173 | 111 | 1k+ | Output is not escaped | ||
| #1662 | Ultimate WooCommerce Filters | 32 | 322 | 207 | 600 | Unsafe printing function | ||
| #1663 | Contact Form Builder by vcita | 32 | 666 | 174 | 700 | Text Domain Mismatch | ||
| #1664 | Cooked – Recipe Management | 32 | 462 | 275 | 3k+ | Output is not escaped | ||
| #1665 | CSV Import and Exporter | 32 | 83 | 138 | 1k+ | Non-prefixed global variable | ||
| #1666 | Currency Switcher for WooCommerce | 32 | 357 | 263 | 10k+ | Text Domain Mismatch | ||
| #1667 | DHL eCommerce (Benelux) for WooCommerce | 32 | 222 | 330 | 2k+ | Nonce verification recommended | ||
| #1668 | Download Attachments | 32 | 69 | 188 | 8k+ | Non-prefixed hook name | ||
| #1669 | Enter Addons – Ultimate Template Builder for Elementor | 32 | 82 | 72 | 1k+ | Output is not escaped | ||
| #1670 | Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) | 32 | 560 | 198 | 5k+ | Text Domain Mismatch | ||
| #1671 | Fable Extra | 32 | 79 | 282 | 4k+ | Non-prefixed global variable | ||
| #1672 | AC's Loan Calculator | 32 | 246 | 187 | 400 | Unsafe printing function | ||
| #1673 | FA Lite – WP responsive slider plugin | 32 | 726 | 140 | 500 | Unsafe printing function | ||
| #1674 | Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages | 32 | 53 | 776 | 8k+ | Nonce verification recommended | ||
| #1675 | Gallery Box | 32 | 395 | 43 | 1k+ | Text Domain Mismatch | ||
| #1676 | GlotPress | 32 | 403 | 103 | 500 | Unsafe printing function | ||
| #1677 | Insights from Google PageSpeed | 32 | 414 | 475 | 20k+ | Text Domain Mismatch | ||
| #1678 | GSheetConnector For Ninja Forms | 32 | 165 | 93 | 1k+ | Unsafe printing function | ||
| #1679 | GSheetConnector For WPForms – WPForms Google Sheets Integration (Real-Time Sync) | 32 | 120 | 145 | 8k+ | Non-prefixed global variable | ||
| #1680 | Translate WordPress with GTranslate | 32 | 82 | 364 | 900k+ | Non-prefixed global variable | ||
| #1681 | Gwolle Guestbook | 32 | 269 | 527 | 20k+ | Output is not escaped | ||
| #1682 | Honeypot Toolkit | 32 | 155 | 770 | 400 | Missing nonce verification | ||
| #1683 | HTML5 jQuery Audio Player | 32 | 251 | 153 | 1k+ | Unsafe printing function | ||
| #1684 | Image Slider Slideshow | 32 | 409 | 171 | 2k+ | Text Domain Mismatch | ||
| #1685 | RealHomes Stripe Payments | 32 | 201 | 33 | 500 | Exception output is not escaped | ||
| #1686 | Jetpack VaultPress Backup | 32 | 554 | 211 | 20k+ | Text Domain Mismatch | ||
| #1687 | Juiz Last Tweet Widget | 32 | 136 | 53 | 500 | Output is not escaped | ||
| #1688 | Manager for IcoMoon | 32 | 270 | 68 | 400 | Short PHP open tag found | ||
| #1689 | MapPress Maps for WordPress | 32 | 695 | 133 | 30k+ | Missing Arg Domain | ||
| #1690 | Muslim Prayer Time-Salah/Iqamah | 32 | 155 | 179 | 400 | date date | ||
| #1691 | MetaSlider Gallery – Image Gallery, Lightbox Galleries, Modal Windows | 32 | 159 | 62 | 10k+ | Output is not escaped | ||
| #1692 | WP Mobile Menu – The Mobile-Friendly Responsive Menu | 32 | 990 | 195 | 70k+ | Output is not escaped | ||
| #1693 | Notice Bar | 32 | 95 | 284 | 700 | Non-prefixed global variable | ||
| #1694 | Opal Mega Menu | 32 | 419 | 119 | 400 | Text Domain Mismatch | ||
| #1695 | Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation | 32 | 462 | 41 | 1m+ | Text Domain Mismatch | ||
| #1696 | Organization chart | 32 | 187 | 334 | 5k+ | SQL query is not prepared | ||
| #1697 | DEPRECATED – Shipmondo – A complete shipping solution for WooCommerce | 32 | 166 | 119 | 5k+ | Output is not escaped | ||
| #1698 | Account Engagement | 32 | 115 | 74 | 2k+ | Output is not escaped | ||
| #1699 | Barion Payment Gateway for WooCommerce | 32 | 67 | 152 | 6k+ | Non-prefixed global variable | ||
| #1700 | Autopay dla WooCommerce | 32 | 95 | 83 | 900 | Output is not escaped |