missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be requested directly by URL instead of being loaded through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access runs the file outside the normal WordPress bootstrap. Functions such as `esc_html()` or `current_user_can()` are not defined, so the file usually dies with a fatal error (which discloses the server path when `display_errors` is on), and any output produced or work done before that point is served or performed without WordPress's permission and request checks. Code written on the assumption of a logged-in user, a verified nonce, or loaded constants runs with none of them in place.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` as the first executable statement, before the file performs any work or sends output. Only `declare(strict_types=1);` and a `namespace` declaration may precede it, because PHP requires those to lead the file.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should not be requested by path at all. Route the request through a WordPress API (`admin-post.php`, `admin-ajax.php`, or a REST route) so the bootstrap, nonce, and capability checks run first, or explicitly validate the request before doing any work.
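The following is an added example of the fix described above and of the public-endpoint note; it is not code from any plugin listed on this page. It uses a hypothetical plugin (prefix `egp`, files `example-guarded-plugin.php`, `includes/admin-page.php`, `includes/track.php`) and shows the three files in one listing for readability: in a real plugin each `File:` section is its own file, and the guard is the first statement of that file. The WordPress functions and hooks used (`admin_post_nopriv_*`, `check_admin_referer()`, `add_management_page()`) are real; the option name `egp_hits` and the action name `egp_track` are assumptions for the example.

```php
<?php
// ---- File: example-guarded-plugin.php (main plugin file) -------------------
// Plugin Name: Example Guarded Plugin   (hypothetical plugin for this example)

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Requested by path rather than loaded by WordPress: stop here.
}

// Load the handler definitions, then register hooks. Nothing below touches
// request data until WordPress has bootstrapped and dispatched the action.
require_once plugin_dir_path( __FILE__ ) . 'includes/track.php';

add_action( 'admin_post_nopriv_egp_track', 'egp_handle_track' ); // logged-out visitors
add_action( 'admin_post_egp_track', 'egp_handle_track' );        // logged-in users
add_action( 'admin_menu', 'egp_register_admin_page' );

function egp_register_admin_page() {
	add_management_page( 'EGP', 'EGP', 'manage_options', 'egp', 'egp_render_admin_page' );
}

function egp_render_admin_page() {
	// The partial needs WordPress loaded; its own guard is what stops a direct
	// request from executing the same code without the bootstrap.
	require plugin_dir_path( __FILE__ ) . 'includes/admin-page.php';
}

// ---- File: includes/admin-page.php (template partial) ----------------------
// Before the fix this file had no guard. A direct request to
//   /wp-content/plugins/example-guarded-plugin/includes/admin-page.php
// ran it with no WordPress loaded: current_user_can() is undefined, so PHP
// raises a fatal error (leaking the server path if display_errors is on), and
// anything echoed before that point is served straight to the caller.

if ( ! defined( 'ABSPATH' ) ) {
	exit; // First statement: no output and no function calls before it.
}

if ( ! current_user_can( 'manage_options' ) ) {
	wp_die( esc_html__( 'Insufficient permissions.', 'egp' ) );
}

$egp_count = (int) get_option( 'egp_hits', 0 ); // assumed option name
echo '<div class="wrap"><h1>' . esc_html__( 'EGP hits', 'egp' ) . '</h1>';
echo '<p>' . esc_html( number_format_i18n( $egp_count ) ) . '</p></div>';

// ---- File: includes/track.php (formerly a public endpoint) -----------------
// Before the fix, visitors were sent to this file directly with ?id=..., and it
// read $_GET on its own: no bootstrap, no nonce, no sanitization. It now only
// defines the handler; the public URL is the admin-post.php route registered
// above, so WordPress loads fully and the request is validated before any work.

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

function egp_handle_track() {
	// Reject requests that did not originate from a page this plugin rendered
	// (dies with a 403 on failure). Nonces also work for logged-out visitors.
	check_admin_referer( 'egp_track' );

	// Unslash, then coerce to a non-negative integer before using the value.
	$id = isset( $_GET['id'] ) ? absint( wp_unslash( $_GET['id'] ) ) : 0;
	if ( $id > 0 ) {
		update_option( 'egp_hits', (int) get_option( 'egp_hits', 0 ) + 1 );
	}

	$referer = wp_get_referer();
	wp_safe_redirect( $referer ? $referer : home_url( '/' ) );
	exit;
}

// A template emits the tracked link like this; the nonce is bound to 'egp_track':
//   wp_nonce_url( admin_url( 'admin-post.php?action=egp_track&id=' . $id ), 'egp_track' );
```

The two `admin_post_*` registrations matter: `admin_post_nopriv_{action}` fires only for logged-out requests and `admin_post_{action}` only for logged-in ones, so a public endpoint needs both or logged-in visitors get an empty response. For an endpoint that must survive full-page caching (where a per-session nonce cannot be embedded), a REST route with a `permission_callback` and `args` validation is the equivalent WordPress-routed alternative.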
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2701 | Plugin Name: Traffic Counter Widget Plugin | 36 | 71 | 107 | 600 | | | Output is not escaped |
| #2702 | Zoho ZeptoMail | 36 | 32 | 110 | 5k+ | | | Request data is not unslashed |
| #2703 | TrustMate.io – WooCommerce integration | 36 | 251 | 97 | 3k+ | | | Output is not escaped |
| #2704 | FOMO & Social Proof Notifications by TrustPulse – Best WordPress FOMO Plugin | 36 | 104 | 39 | 10k+ | | | Output is not escaped |
| #2705 | Ubigeo de Perú para Woocommerce y WordPress | 36 | 191 | 235 | 4k+ | | | Non-prefixed function |
| #2706 | Slider Ultimate | 36 | 294 | 80 | 500 | | | Output is not escaped |
| #2707 | underConstruction | 36 | 98 | 60 | 40k+ | | | Unsafe printing function |
| #2708 | PDF Flipbook, WPBakery Addon – Unreal FlipBook | 36 | 400 | 92 | 1k+ | | | Non Singular String Literal Domain |
| #2709 | User Roles and Capabilities | 36 | 227 | 132 | 8k+ | | | Output is not escaped |
| #2710 | Virtual Classroom – Video Conferencing & Online Meeting with BigBlueButton | 36 | 47 | 138 | 400 | | | Nonce verification recommended |
| #2711 | Wanderlust OCA para WooCommerce | 36 | 157 | 55 | 500 | | | Text Domain Mismatch |
| #2712 | WC Builder – WooCommerce Page Builder for WPBakery | 36 | 647 | 50 | 1k+ | | | Text Domain Mismatch |
| #2713 | Payments via PayMongo for WooCommerce | 36 | 39 | 81 | 1k+ | | | Nonce verification recommended |
| #2714 | WC Pickup Store | 36 | 245 | 52 | 2k+ | | | Output is not escaped |
| #2715 | Quantity Plus Minus Button for WooCommerce | 36 | 83 | 84 | 10k+ | | | Output is not escaped |
| #2716 | Shipping with Venipak for WooCommerce | 36 | 239 | 61 | 1k+ | | | Text Domain Mismatch |
| #2717 | AWPLife Weather Effects | 36 | 19 | 698 | 4k+ | | | Non-prefixed global variable |
| #2718 | When Last Login | 36 | 52 | 123 | 50k+ | | | Non-prefixed global variable |
| #2719 | Widget Indicadores Económicos (Chile) | 36 | 53 | 20 | 500 | | | Output is not escaped |
| #2720 | Disable Payment Methods based on cart conditions for WooCommerce | 36 | 158 | 57 | 1k+ | | | Non Singular String Literal Domain |
| #2721 | Custom Add to Cart Button Label and Link for WooCommerce | 36 | 371 | 112 | 3k+ | | | Text Domain Mismatch |
| #2722 | Guaranteed Reviews Company (Société des Avis Garantis) | 36 | 369 | 197 | 1k+ | | | Output is not escaped |
| #2723 | Rabo Smart Pay for WooCommerce | 36 | 147 | 54 | 600 | | | Text Domain Mismatch |
| #2724 | Extended Coupon Features for WooCommerce FREE | 36 | 219 | 63 | 10k+ | | | Text Domain Mismatch |
| #2725 | Eway Payments for Woo | 36 | 525 | 40 | 3k+ | | | Text Domain Mismatch |
| #2726 | Hide admin notices – Admin Notification Center | 36 | 114 | 67 | 8k+ | | | Output is not escaped |
| #2727 | WP Better Permalinks | 36 | 110 | 59 | 1k+ | | | Output is not escaped |
| #2728 | WP-Cleanup | 36 | 79 | 29 | 400 | | | Output is not escaped |
| #2729 | Export Themes | 36 | 122 | 90 | 2k+ | | | Non-prefixed constant |
| #2730 | WP Counter | 36 | 86 | 43 | 800 | | | Output is not escaped |
| #2731 | WP Custom Cursors \| WordPress Cursor Plugin | 36 | 691 | 390 | 9k+ | | | Text Domain Mismatch |
| #2732 | WP-EMail | 36 | 340 | 95 | 1k+ | | | Unsafe printing function |
| #2733 | WP Header Images | 36 | 174 | 133 | 6k+ | | | Unsafe printing function |
| #2734 | WP Hotel Booking WooCommerce | 36 | 93 | 99 | 1k+ | | | Output is not escaped |
| #2735 | WP LaTeX | 36 | 103 | 12 | 700 | | | Output is not escaped |
| #2736 | WP Mail | 36 | 202 | 201 | 500 | | | Output is not escaped |
| #2737 | Payment Button for PayPal | 36 | 155 | 86 | 4k+ | | | Unsafe printing function |
| #2738 | WP Publication Archive | 36 | 197 | 64 | 400 | | | Text Domain Mismatch |
| #2739 | WP Show Posts | 36 | 107 | 102 | 70k+ | | | Output is not escaped |
| #2740 | WP Socializer – Simple & Easy Social Media Share Icons | 36 | 214 | 51 | 10k+ | | | Output is not escaped |
| #2741 | WP Stripe Checkout | 36 | 198 | 118 | 1k+ | | | Unsafe printing function |
| #2742 | WP Super Edit | 36 | 35 | 185 | 2k+ | | | Nonce verification recommended |
| #2743 | Yandex.Metrica | 36 | 76 | 30 | 60k+ | | | Output is not escaped |
| #2744 | WPAvatar | 36 | 425 | 45 | 700 | | | Unsafe printing function |
| #2745 | WP fail2ban Blocklist | 36 | 61 | 63 | 3k+ | | | SQL query is not prepared |
| #2746 | WPLMS H5P | 36 | 111 | 106 | 1k+ | | | Text Domain Mismatch |
| #2747 | Wppao Sitemap | 36 | 128 | 21 | 9k+ | | | Output is not escaped |
| #2748 | wpShopGermany IT-RECHT KANZLEI | 36 | 37 | 47 | 500 | | | Input is not sanitized |
| #2749 | Database Snapshots – WPvivid | 36 | 66 | 108 | 1k+ | | | Direct Query |
| #2750 | YayExtra – WooCommerce Extra Product Options | 36 | 11 | 472 | 1k+ | | | Non-prefixed global variable |