missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1901 | Assistant – Every Day Productivity Apps | 34 | 124 | 97 | 4k+ | Exception output is not escaped | ||
| #1902 | Audit Trail | 34 | 90 | 107 | 10k+ | Unsafe printing function | ||
| #1903 | Auto Listings – Car Listings & Car Dealership Plugin for WordPress | 34 | 80 | 318 | 2k+ | Non-prefixed global variable | ||
| #1904 | Automatic YouTube Gallery – Embed Auto-Updating YouTube Video Galleries, Feeds, Playlists & Channels | 34 | 86 | 255 | 9k+ | Direct Query | ||
| #1905 | AyeCode Connect | 34 | 178 | 253 | 10k+ | Nonce verification recommended | ||
| #1906 | Bayarcash WooCommerce | 34 | 148 | 138 | 700 | Non Singular String Literal Domain | ||
| #1907 | Beeketing for WooCommerce – Marketing Automation to Boost Sales | 34 | 113 | 123 | 500 | SQL query is not prepared | ||
| #1908 | Blog-in-Blog | 34 | 64 | 93 | 800 | Non-prefixed function | ||
| #1909 | BoldGrid Easy SEO – Simple and Effective SEO | 34 | 149 | 104 | 40k+ | Text Domain Mismatch | ||
| #1910 | Buckets | 34 | 68 | 76 | 500 | Output is not escaped | ||
| #1911 | Cache Master | 34 | 371 | 27 | 400 | Output is not escaped | ||
| #1912 | Campi Moduli Italiani | 34 | 72 | 363 | 500 | Unquoted Complex Placeholder | ||
| #1913 | SMS Abandoned Cart Recovery ✦ CartBoss | 34 | 67 | 72 | 400 | SQL query is not prepared | ||
| #1914 | Checkout Field Editor for WooCommerce – Checkout Manager | 34 | 122 | 64 | 20k+ | Text Domain Mismatch | ||
| #1915 | Clean Testimonials | 34 | 127 | 87 | 400 | Output is not escaped | ||
| #1916 | CM Search And Replace – Optimize content edits with a powerful search and replace tool | 34 | 286 | 111 | 2k+ | Output is not escaped | ||
| #1917 | Cornerstone | 34 | 161 | 174 | 30k+ | Nonce verification recommended | ||
| #1918 | CSS JS Manager, Async JavaScript, Defer Render Blocking CSS | 34 | 76 | 106 | 1k+ | Input is not validated | ||
| #1919 | Custom Login Page by SeedProd | 34 | 330 | 125 | 500 | Output is not escaped | ||
| #1920 | Custom Post Type Attachment | 34 | 153 | 49 | 800 | wp function not compatible with requires wp | ||
| #1921 | Custom Sidebars – Dynamic Sidebar Classic Widget Area Manager | 34 | 32 | 307 | 100k+ | Non-prefixed global variable | ||
| #1922 | Datafeedr API | 34 | 307 | 48 | 6k+ | Output is not escaped | ||
| #1923 | DD Last Viewed | 34 | 193 | 132 | 500 | Output is not escaped | ||
| #1924 | Debug Log Manager Tool | 34 | 44 | 143 | 3k+ | Nonce verification recommended | ||
| #1925 | Document Library Lite | 34 | 149 | 85 | 4k+ | Text Domain Mismatch | ||
| #1926 | Dr. Flex | 34 | 83 | 51 | 1k+ | Output is not escaped | ||
| #1927 | Delisho – Recipe Widgets and Blocks | 34 | 60 | 355 | 1k+ | Input is not sanitized | ||
| #1928 | Easy Social Sharing | 34 | 16 | 240 | 1k+ | Non-prefixed global variable | ||
| #1929 | EasyIndex | 34 | 74 | 135 | 1k+ | Missing nonce verification | ||
| #1930 | Edit Flow | 34 | 103 | 227 | 4k+ | Non-prefixed hook name | ||
| #1931 | ECS – Ele Custom Skin for Elementor | 34 | 99 | 205 | 100k+ | Text Domain Mismatch | ||
| #1932 | Enhanced Text Widget | 34 | 101 | 58 | 30k+ | Output is not escaped | ||
| #1933 | ePayco Plugin for WooCommerce | 34 | 155 | 136 | 3k+ | Text Domain Mismatch | ||
| #1934 | Event Calendar Newsletter | 34 | 96 | 167 | 600 | Non-prefixed hook name | ||
| #1935 | Evento | 34 | 583 | 60 | 1k+ | Text Domain Mismatch | ||
| #1936 | Export Customers Data | 34 | 109 | 49 | 500 | Text Domain Mismatch | ||
| #1937 | Profile Box Shortcode And Widget | 34 | 488 | 138 | 1k+ | Output is not escaped | ||
| #1938 | Featured Video Plus | 34 | 99 | 105 | 10k+ | Non-prefixed global variable | ||
| #1939 | Flash Toolkit | 34 | 158 | 242 | 10k+ | Non-prefixed global variable | ||
| #1940 | Weight Based Shipping Table Rate for WooCommerce – Flexible Shipping | 34 | 124 | 156 | 100k+ | Nonce verification recommended | ||
| #1941 | Floating Side Tab | 34 | 94 | 153 | 600 | Non-prefixed global variable | ||
| #1942 | Forms: 3rd-Party Integration | 34 | 234 | 112 | 5k+ | Output is not escaped | ||
| #1943 | Geolocation IP Detection | 34 | 227 | 167 | 20k+ | Output is not escaped | ||
| #1944 | Gitium | 34 | 149 | 57 | 400 | Output is not escaped | ||
| #1945 | APG Google Video Sitemap Feed | 34 | 96 | 45 | 800 | Output is not escaped | ||
| #1946 | Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program | 34 | 131 | 352 | 600 | Missing nonce verification | ||
| #1947 | Signature Add-On for Gravity Forms | 34 | 161 | 48 | 1k+ | Text Domain Mismatch | ||
| #1948 | Herzog Dupont for YOOtheme Pro | 34 | 477 | 233 | 4k+ | Output is not escaped | ||
| #1949 | Hitsteps Web Analytics | 34 | 370 | 313 | 800 | Output is not escaped | ||
| #1950 | HollerBox — Fast & Effective Popups & Lead-Generation | 34 | 78 | 92 | 2k+ | Output is not escaped |