Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access runs code outside the normal WordPress bootstrap: it can send output that was never meant to be reached that way, and it breaks the file's assumptions about which functions are loaded, which permission checks have already happened, and what request context it is running in.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
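The guard in a template partial, and a deliberately public action routed through admin-post.php rather than a standalone file, as an added example (not Plugin Check's own code); the `myplugin_` names, the `templates/notice.php` partial and the export action are hypothetical:

```php
<?php
// --- templates/notice.php (hypothetical partial the plugin includes) ---
// Guard before any output or any WordPress call. Requested directly, the
// bootstrap never ran, ABSPATH is undefined and the file exits here instead
// of reaching esc_html(), which does not exist outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}
?>
<div class="notice"><?php echo esc_html( $notice_message ); ?></div>
<?php
// --- myplugin.php (hypothetical main plugin file) ---
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// A deliberately public action. Instead of a standalone export.php that a
// browser requests by path, register it with admin-post.php so it runs inside
// the bootstrap with capability, nonce and sanitisation helpers available.
add_action( 'admin_post_myplugin_export', 'myplugin_handle_export' );

function myplugin_handle_export() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), '', array( 'response' => 403 ) );
	}
	// Dies with a 403 when the nonce is missing, expired or bound to another action.
	check_admin_referer( 'myplugin_export' );

	$format = isset( $_POST['format'] ) ? sanitize_key( wp_unslash( $_POST['format'] ) ) : 'csv';
	if ( ! in_array( $format, array( 'csv', 'json' ), true ) ) {
		wp_die( esc_html__( 'Unsupported format.', 'myplugin' ), '', array( 'response' => 400 ) );
	}
	update_option( 'myplugin_last_export_format', $format );

	wp_safe_redirect( add_query_arg( 'myplugin_exported', $format, admin_url( 'tools.php' ) ) );
	exit;
}

// The form that submits to the handler above, rendered from the plugin's admin page.
function myplugin_render_export_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="myplugin_export" />
		<?php wp_nonce_field( 'myplugin_export' ); ?>
		<select name="format"><option value="csv">CSV</option><option value="json">JSON</option></select>
		<?php submit_button( __( 'Export', 'myplugin' ) ); ?>
	</form>
	<?php
}
```

If logged-out visitors must reach the action, register the same callback under the `admin_post_nopriv_` prefix as well and replace the capability check with validation that fits an anonymous request.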
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2751 | Custom Product Tabs for WooCommerce | 36 | 87 | 81 | 80k+ | | | Output is not escaped |
| #2752 | Zarinpal Gateway | 36 | 151 | 55 | 50k+ | | | Non Singular String Literal Domain |
| #2753 | Zeno – AI-Powered Chatbot | 36 | 311 | 131 | 500 | | | Text Domain Mismatch |
| #2754 | 360 Javascript Viewer | 37 | 144 | 22 | 1k+ | | | Output is not escaped |
| #2755 | Redirectioner | 37 | 234 | 410 | 1k+ | | | Output is not escaped |
| #2756 | ACF: TablePress | 37 | 160 | 45 | 1k+ | | | Text Domain Mismatch |
| #2757 | Adapta RGPD | 37 | 349 | 72 | 40k+ | | | Text Domain Mismatch |
| #2758 | Adaptive Images for WordPress | 37 | 51 | 75 | 3k+ | | | Output is not escaped |
| #2759 | Add From Server | 37 | 52 | 20 | 60k+ | | | Output is not escaped |
| #2760 | AddToAny Share Buttons | 37 | 123 | 164 | 300k+ | | | Unsafe printing function |
| #2761 | Advanced Accordion Gutenberg Block – Create Beautiful FAQs, Content Accordions & Interactive Tabs | 37 | 40 | 36 | 10k+ | | | Missing direct file access protection |
| #2762 | Advanced Custom Fields: NextGEN Gallery Field add-on | 37 | 131 | 20 | 400 | | | Output is not escaped |
| #2763 | PiWeb Advanced Flat rate / Conditional shipping for WooCommerce | 37 | 84 | 192 | 2k+ | | | wp function not compatible with requires wp |
| #2764 | Advanced Media Offloader | 37 | 59 | 93 | 5k+ | | | error log error log |
| #2765 | Agreeable | 37 | 40 | 67 | 800 | | | Unsafe printing function |
| #2766 | AJAX Hits Counter + Popular Posts Widget | 37 | 247 | 44 | 1k+ | | | Output is not escaped |
| #2767 | Analytics Spam Blocker | 37 | 76 | 22 | 800 | | | Unsafe printing function |
| #2768 | All-in-one Chat Button by anychat.one | 37 | 119 | 69 | 900 | | | Text Domain Mismatch |
| #2769 | Anything Popup | 37 | 164 | 185 | 2k+ | | | Non-prefixed global variable |
| #2770 | Async JS and CSS | 37 | 90 | 1 | 700 | | | Text Domain Mismatch |
| #2771 | Login by Auth0 | 37 | 307 | 82 | 10k+ | | | Text Domain Mismatch |
| #2772 | Avatar Privacy | 37 | 82 | 36 | 1k+ | | | Missing direct file access protection |
| #2773 | Random Posts and Pages Widget | 37 | 322 | 15 | 1k+ | | | Output is not escaped |
| #2774 | AZAN Plugin | 37 | 44 | 30 | 500 | | | Output is not escaped |
| #2775 | Custom Thank You Page Customize For WooCommerce by Binary Carpenter | 37 | 45 | 80 | 2k+ | | | error log error log |
| #2776 | Before After Image Comparison Slider for Elementor | 37 | 90 | 41 | 10k+ | | | Text Domain Mismatch |
| #2777 | Bellows Accordion Menu | 37 | 160 | 28 | 10k+ | | | Text Domain Mismatch |
| #2778 | Better Click To Share – Shareable Quote Boxes for X (Twitter) | 37 | 170 | 59 | 6k+ | | | Unsafe printing function |
| #2779 | Blimply | 37 | 172 | 43 | 800 | | | Text Domain Mismatch |
| #2780 | Blog News Addons For Elementor (News, Magazine and Blog Addons) | 37 | 23 | 296 | 400 | | | Non-prefixed global variable |
| #2781 | Customize WordPress Emails and Alerts – Better Notifications for WP | 37 | 64 | 47 | 30k+ | | | Missing Arg Domain |
| #2782 | Booster Extension | 37 | 28 | 289 | 7k+ | | | Non-prefixed global variable |
| #2783 | Britetechs Companion | 37 | 966 | 613 | 2k+ | | | Text Domain Mismatch |
| #2784 | BuddyPress Members Only | 37 | 184 | 80 | 1k+ | | | Text Domain Mismatch |
| #2785 | bunny.net – WordPress CDN Plugin | 37 | 165 | 159 | 10k+ | | | Output is not escaped |
| #2786 | Contact Zalo Report SW | 37 | 44 | 39 | 900 | | | Missing Arg Domain |
| #2787 | Delivery Date Time & Pickup for WooCommerce | 37 | 148 | 216 | 400 | | | Output is not escaped |
| #2788 | Call Now Button – The #1 Click to Call Button for WordPress | 37 | 1,273 | 5 | 200k+ | | | Exception output is not escaped |
| #2789 | Carousel Upsells and Related Product for Woocommerce | 37 | 173 | 35 | 1k+ | | | Output is not escaped |
| #2790 | Checkout for PayPal | 37 | 134 | 67 | 600 | | | Unsafe printing function |
| #2791 | Clearpay Gateway for WooCommerce | 37 | 185 | 63 | 1k+ | | | Text Domain Mismatch |
| #2792 | ClickCease Click Fraud Protection | 37 | 30 | 58 | 10k+ | | | Non-prefixed class |
| #2793 | CodePeople Post Map for Google Maps | 37 | 257 | 31 | 3k+ | | | Unsafe printing function |
| #2794 | Coming Soon & Maintenance Mode by Colorlib | 37 | 100 | 136 | 6k+ | | | Non-prefixed global variable |
| #2795 | Lightweight Subscribe To Comments | 37 | 105 | 70 | 1k+ | | | Unsafe printing function |
| #2796 | Constant Contact Forms by MailMunch | 37 | 147 | 53 | 2k+ | | | wp function not compatible with requires wp |
| #2797 | CookieAdmin – Cookie Consent Banner | 37 | 43 | 86 | 400k+ | | | Nonce verification recommended |
| #2798 | CorvusPay WooCommerce Payment Gateway | 37 | 29 | 141 | 1k+ | | | Missing nonce verification |
| #2799 | Crafty Social Buttons | 37 | 279 | 27 | 1k+ | | | Non Singular String Literal Domain |
| #2800 | CryptAPI Payment Gateway for WooCommerce | 37 | 187 | 29 | 400 | | | Text Domain Mismatch |