missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1851 | Spiffy Calendar | 33 | 473 | 243 | 3k+ | Output is not escaped | ||
| #1852 | Spin Wheel – Interactive spinning wheel that offers coupons | 33 | 680 | 313 | 500 | Unsafe printing function | ||
| #1853 | Split Test For Elementor | 33 | 98 | 134 | 3k+ | Non-prefixed global variable | ||
| #1854 | Simple Sticky Add To Cart For WooCommerce | 33 | 401 | 70 | 900 | Text Domain Mismatch | ||
| #1855 | Gravity Booster – Styles & Layouts for Gravity Forms | 33 | 277 | 87 | 40k+ | Missing Arg Domain | ||
| #1856 | Sublanguage | 33 | 266 | 287 | 700 | Output is not escaped | ||
| #1857 | Telegram Bot & Channel | 33 | 182 | 113 | 600 | Unsafe printing function | ||
| #1858 | Testimonial Slider – Free Testimonials Slider Plugin | 33 | 91 | 50 | 700 | Request data is not unslashed | ||
| #1859 | TP Education | 33 | 186 | 303 | 800 | Unsafe printing function | ||
| #1860 | TrackingMore Order Tracking for WooCommerce (Free plan available) | 33 | 94 | 124 | 700 | Text Domain Mismatch | ||
| #1861 | WP Twitter Auto Publish | 33 | 442 | 171 | 4k+ | Output is not escaped | ||
| #1862 | Uix Shortcodes | 33 | 246 | 444 | 400 | Non-prefixed global variable | ||
| #1863 | Display Posts As List, Grid, Thumbs | 33 | 442 | 241 | 900 | Output is not escaped | ||
| #1864 | Variation Swatches for WooCommerce | 33 | 469 | 116 | 50k+ | Text Domain Mismatch | ||
| #1865 | Multi-Carrier EasyPost Shipping Methods & Address Validation for WooCommerce | 33 | 424 | 69 | 400 | Non Singular String Literal Domain | ||
| #1866 | Multi-Carrier Shippo Shipping Rates & Address Validation for WooCommerce | 33 | 411 | 73 | 3k+ | Non Singular String Literal Domain | ||
| #1867 | Webmention | 33 | 64 | 89 | 900 | Output is not escaped | ||
| #1868 | Website Monetization by MageNet | 33 | 60 | 87 | 20k+ | Output is not escaped | ||
| #1869 | Textmetrics | 33 | 324 | 163 | 400 | Output is not escaped | ||
| #1870 | White Label CMS | 33 | 412 | 202 | 200k+ | Unsafe printing function | ||
| #1871 | Rich Showcase for Google Reviews | 33 | 212 | 278 | 100k+ | Output is not escaped | ||
| #1872 | Product Addons for Woocommerce – Product Options with Custom Fields | 33 | 124 | 114 | 30k+ | Output is not escaped | ||
| #1873 | Min Max Control – Min Max Quantity & Step Control for WooCommerce | 33 | 96 | 215 | 10k+ | Non-prefixed global variable | ||
| #1874 | Hyyan WooCommerce Polylang Integration | 33 | 141 | 220 | 8k+ | Nonce verification recommended | ||
| #1875 | CartBounty – Save and recover abandoned carts for WooCommerce | 33 | 370 | 399 | 10k+ | Output is not escaped | ||
| #1876 | Pay. Payment Methods for WooCommerce | 33 | 318 | 104 | 3k+ | Non Singular String Literal Domain | ||
| #1877 | PDF Invoices Italian Add-on for WooCommerce | 33 | 325 | 200 | 5k+ | Non Singular String Literal Domain | ||
| #1878 | WOW Slider | 33 | 176 | 101 | 3k+ | Output is not escaped | ||
| #1879 | WP Edit | 33 | 337 | 137 | 40k+ | Unsafe printing function | ||
| #1880 | WP Social AutoConnect | 33 | 290 | 144 | 400 | Output is not escaped | ||
| #1881 | EasyMedia – Increase Media Upload File Size | Role-Based Upload Limit | Increase Execution Time | 33 | 82 | 138 | 70k+ | Non-prefixed global variable | ||
| #1882 | WebToffee WP Backup and Migration | 33 | 132 | 222 | 5k+ | Non-prefixed global variable | ||
| #1883 | WP Multilang – Translation and Multilingual Plugin | 33 | 53 | 118 | 10k+ | Database parameter is not escaped | ||
| #1884 | WP MyLinks | 33 | 354 | 206 | 1k+ | Text Domain Mismatch | ||
| #1885 | WP Theme Optimizer | 33 | 388 | 80 | 400 | Output is not escaped | ||
| #1886 | WP-UserOnline | 33 | 111 | 161 | 10k+ | Output is not escaped | ||
| #1887 | Editor Blocks by Download Manager | 33 | 174 | 102 | 5k+ | Output is not escaped | ||
| #1888 | WPoperation Elementor Addons | 33 | 891 | 52 | 1k+ | Text Domain Mismatch | ||
| #1889 | WPReplace内容字符替换插件 | 33 | 209 | 195 | 800 | Non Singular String Literal Domain | ||
| #1890 | XML Sitemaps | 33 | 65 | 62 | 2k+ | Output is not escaped | ||
| #1891 | Video Gallery – YouTube Playlist, Channel Gallery by YotuWP | 33 | 278 | 101 | 20k+ | Missing Arg Domain | ||
| #1892 | Zita Site Library for Elementor | 33 | 107 | 135 | 1k+ | Text Domain Mismatch | ||
| #1893 | AFS Analytics | 34 | 194 | 98 | 600 | Text Domain Mismatch | ||
| #1894 | Advanced Custom Fields: reCAPTCHA Field | 34 | 104 | 53 | 800 | Text Domain Mismatch | ||
| #1895 | Advanced Twenty Seventeen | 34 | 247 | 98 | 3k+ | Text Domain Mismatch | ||
| #1896 | Affilia – Affiliate Program | 34 | 80 | 170 | 500 | Nonce verification recommended | ||
| #1897 | affiliate-toolkit – Multi-Network Affiliate & Amazon Product Display | 34 | 326 | 75 | 2k+ | Output is not escaped | ||
| #1898 | AGCA – Custom Dashboard & Login Page | 34 | 350 | 44 | 20k+ | Unsafe printing function | ||
| #1899 | All In One Favicon | 34 | 214 | 62 | 60k+ | Output is not escaped | ||
| #1900 | Arconix Shortcodes | 34 | 129 | 108 | 4k+ | Output is not escaped |