missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1751 | Yoo Slider – Image Slider & Video Slider | 32 | 744 | 209 | 600 | Output is not escaped | ||
| #1752 | Advanced Custom Fields: Typography Field | 33 | 445 | 57 | 4k+ | Text Domain Mismatch | ||
| #1753 | Advanced Coupons for WooCommerce Coupons & Store Credit | 33 | 84 | 215 | 20k+ | Non-prefixed global variable | ||
| #1754 | Advanced Forms for ACF | 33 | 169 | 278 | 3k+ | Non-prefixed hook name | ||
| #1755 | AI WP Writer – SEO content generator, chatGPT, Gemini | 33 | 581 | 531 | 3k+ | Text Domain Mismatch | ||
| #1756 | App Builder – Create Native Android & iOS Apps On The Flight | 33 | 73 | 119 | 600 | Text Domain Mismatch | ||
| #1757 | Archive Posts Sort Customize | 33 | 338 | 97 | 600 | Output is not escaped | ||
| #1758 | Premium Portfolio Features for Phlox theme | 33 | 204 | 137 | 40k+ | Output is not escaped | ||
| #1759 | AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth | 33 | 33 | 229 | 9k+ | Non-prefixed global variable | ||
| #1760 | Awesome Widgets for SiteOrigin Page Builder | 33 | 314 | 59 | 500 | Text Domain Mismatch | ||
| #1761 | Background Per Page | 33 | 80 | 56 | 700 | Text Domain Mismatch | ||
| #1762 | Ultimate Before After Image Slider & Gallery – BEAF | 33 | 488 | 87 | 30k+ | Text Domain Mismatch | ||
| #1763 | Bosta WooCommerce | 33 | 303 | 180 | 700 | Text Domain Mismatch | ||
| #1764 | Activity Plus Reloaded for BuddyPress | 33 | 88 | 93 | 1k+ | Output is not escaped | ||
| #1765 | Five Star Business Profile and Schema | 33 | 289 | 138 | 7k+ | Output is not escaped | ||
| #1766 | Addi – Cuotas que se adaptan a ti | 33 | 106 | 209 | 2k+ | Direct Query | ||
| #1767 | Cargus | 33 | 48 | 64 | 700 | Input is not sanitized | ||
| #1768 | CB Custom Beaver Builder Modules | 33 | 748 | 4 | 1k+ | Output is not escaped | ||
| #1769 | Century ToolKit | 33 | 118 | 78 | 700 | Output is not escaped | ||
| #1770 | Chartify – WordPress Chart Plugin | 33 | 76 | 411 | 3k+ | Non-prefixed global variable | ||
| #1771 | Civic Cookie Control | 33 | 1,881 | 219 | 2k+ | Text Domain Mismatch | ||
| #1772 | Clicky Analytics | 33 | 166 | 92 | 10k+ | Output is not escaped | ||
| #1773 | Companion Auto Update | 33 | 159 | 298 | 40k+ | Direct Query | ||
| #1774 | Companion Sitemap Generator – Simple, Smart, and SEO-Ready | 33 | 118 | 57 | 7k+ | Missing Translators Comment | ||
| #1775 | Conekta Payment Gateway | 33 | 240 | 66 | 2k+ | Text Domain Mismatch | ||
| #1776 | Contact Form Block | 33 | 64 | 73 | 500 | Non Singular String Literal Domain | ||
| #1777 | Contact Form Plugin | 33 | 47 | 220 | 2k+ | Non-prefixed function | ||
| #1778 | Contact List – Online Staff Directory & Address Book | 33 | 118 | 342 | 1k+ | Nonce verification recommended | ||
| #1779 | Chatbot with IBM watsonx Assistant | 33 | 324 | 83 | 400 | Non Singular String Literal Domain | ||
| #1780 | Countdown Timer | 33 | 311 | 17 | 900 | Text Domain Mismatch | ||
| #1781 | Device Detector | 33 | 209 | 112 | 600 | Output is not escaped | ||
| #1782 | DJ-Accessibility – Accessibility Plugin | 33 | 370 | 48 | 3k+ | Text Domain Mismatch | ||
| #1783 | Easy Timer | 33 | 78 | 450 | 1k+ | Non-prefixed global variable | ||
| #1784 | Easy Upload Files During Checkout | 33 | 218 | 199 | 500 | Unsafe printing function | ||
| #1785 | Echelon Widgets for SiteOrigin | 33 | 667 | 5 | 800 | Output is not escaped | ||
| #1786 | Human Presence – Stop Form Spam Without ReCaptcha | 33 | 54 | 65 | 1k+ | Request data is not unslashed | ||
| #1787 | Meta for WooCommerce | 33 | 68 | 189 | 400k+ | Non-prefixed hook name | ||
| #1788 | Fastly | 33 | 221 | 66 | 1k+ | Text Domain Mismatch | ||
| #1789 | FastPixel Cache – Optimize Page Speed: Compress Images, Minify, Clean Database & CDN | 33 | 52 | 342 | 4k+ | Request data is not unslashed | ||
| #1790 | Gallery Custom Links | 33 | 64 | 62 | 30k+ | Non Singular String Literal Domain | ||
| #1791 | GetResponse Forms by Optin Cat | 33 | 68 | 138 | 1k+ | Missing direct file access protection | ||
| #1792 | WP GIF Uploader | 33 | 117 | 44 | 1k+ | Text Domain Mismatch | ||
| #1793 | Five Star Restaurant Reviews | 33 | 242 | 142 | 400 | Output is not escaped | ||
| #1794 | Comments – GraphComment | AI-Moderated Comment System | 33 | 196 | 177 | 400 | Unsafe printing function | ||
| #1795 | Gravity Forms Eway | 33 | 519 | 45 | 500 | Missing Translators Comment | ||
| #1796 | GSheetConnector for Forminator Forms | 33 | 128 | 201 | 1k+ | Non-prefixed global variable | ||
| #1797 | Ultimate Addons for Elementor | 33 | 81 | 291 | 2m+ | Non-prefixed class | ||
| #1798 | Mentions légales [FR] | 33 | 238 | 48 | 2k+ | Text Domain Mismatch | ||
| #1799 | HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce | 33 | 377 | 139 | 20k+ | Unsafe printing function | ||
| #1800 | Flipbox – Awesomes Flip Boxes Image Overlay | 33 | 400 | 7,279 | 10k+ | Input is not validated |