missing_direct_file_access_protection

Missing direct file access protection

A PHP file in the plugin can be loaded directly instead of through WordPress.

medium weight

Why It Shows Up

Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.

Why It Matters

Direct access runs the file outside the normal WordPress bootstrap: it can expose output directly to the requester, and code that assumes WordPress functions, capability checks, and request context are already in place may fail or behave in unintended ways.

How to Fix

  • Add a guard near the top of PHP files that are not intended to be requested directly.
  • Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
  • Keep template partials and bootstrap files protected too, not only the main plugin file.

Notes

  • Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
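A guarded template partial alongside a main plugin file that exposes its public endpoint through the REST API instead of a path-reachable file, as an added example that is not Plugin Check's code or any listed plugin's; the plugin slug, `exmp_` prefix, file names and capability are assumptions:

```php
<?php
// Added example, not code from Plugin Check or from any listed plugin.
// Plugin slug "example-plugin", prefix "exmp_", file names and the
// capability used below are assumptions for illustration.

// ===== includes/partials/status-box.php (template partial) =====
// The guard is the first statement: requested by path, WordPress is not
// loaded, ABSPATH is undefined, and the script exits before any output.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}
?>
<div class="notice notice-info">
    <p><?php echo esc_html( $exmp_status_text ); ?></p>
</div>
<?php
// ===== example-plugin.php (main plugin file) =====
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Render the partial only from inside WordPress; the partial carries its
// own guard, so protection does not rely on this file alone.
function exmp_render_status_box() {
    $exmp_status_text = __( 'Example plugin is active.', 'example-plugin' );
    require plugin_dir_path( __FILE__ ) . 'includes/partials/status-box.php';
}
add_action( 'admin_notices', 'exmp_render_status_box' );

// A deliberately public endpoint: rather than a standalone endpoint.php
// reached by path (which would be flagged), register a REST route so
// WordPress bootstraps first and permission_callback validates the request.
function exmp_register_routes() {
    register_rest_route(
        'example-plugin/v1',
        '/status',
        array(
            'methods'             => 'GET',
            'callback'            => 'exmp_status_endpoint',
            'permission_callback' => function () {
                return current_user_can( 'manage_options' );
            },
        )
    );
}
add_action( 'rest_api_init', 'exmp_register_routes' );

function exmp_status_endpoint( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'status' => 'ok' ) );
}
```

Requesting either file by its path now yields an empty response, while the status endpoint is served at `/wp-json/example-plugin/v1/status` only after WordPress has loaded and the permission callback has passed.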

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2801CorvusPay WooCommerce Payment Gateway37291411k+Missing nonce verification
#2802Crafty Social Buttons37279271k+Non Singular String Literal Domain
#2803CryptAPI Payment Gateway for WooCommerce3718729400Text Domain Mismatch
#2804Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter3715161700Output is not escaped
#2805Custom CSS Manager3755201k+Output is not escaped
#2806Custom Post Template37483010k+Output is not escaped
#2807Customer Email Verification for WooCommerce371651642k+Nonce verification recommended
#2808Direct Payments for WooCommerce – Bank Transfer, Mobile Money, Crypto and Peer-to-Peer (P2P) Payments37103977800Non-prefixed global variable
#2809Disclaimer Popup37313531k+Text Domain Mismatch
#2810Donation Block For PayPal3723106600Input is not validated
#2811Easy Photo Album37360431k+Text Domain Mismatch
#2812Pricing Table WordPress Plugin – Easy Pricing Tables3733216110k+Output is not escaped
#2813Easy Profile Widget3715720400Output is not escaped
#2814Easy Testimonial Slider and Form3714144700Request data is not unslashed
#2815EasyMe Connect3713045500Text Domain Mismatch
#2816Eazy CF Captcha379354500Text Domain Mismatch
#2817WP eBay Product Feeds3713631700Output is not escaped
#2818Encyclopedia / Glossary / Wiki37263481k+Output is not escaped
#2819Excerpt Editor37170142500Unsafe printing function
#2820Exploit Scanner37251308k+Non-prefixed global variable
#2821Facturare WooCommerce371581063k+Text Domain Mismatch
#2822Favorites3720412110k+Unsafe printing function
#2823Get Custom Field Values3740441k+Output is not escaped
#2824果果推送3731561k+Nonce verification recommended
#2825Gmail SMTP37847310k+Unsafe printing function
#2826GHL Gravity Bridge – Send Gravity Forms leads to GHL CRM3759269600Direct Query
#2827GoCache3727343900Non Singular String Literal Domain
#2828Google for WooCommerce37328121800k+Exception output is not escaped
#2829XML Sitemap Generator for Google3743791m+Input is not validated
#2830GoPay for WooCommerce37661031k+Non-prefixed global variable
#2831GS Portfolio for Envato37155754k+Text Domain Mismatch
#2832Hash Elements37147925k+Output is not escaped
#2833Horizontal scrolling announcements372151408k+Output is not escaped
#2834HT Builder – WordPress Theme Builder for Elementor3714241900Output is not escaped
#2835HT Menu – WordPress Mega Menu Builder for Elementor37300603k+Text Domain Mismatch
#2836.htaccess Site Access Control375467800Input is not sanitized
#2837Humans TXT3715986400Output is not escaped
#2838Icegram Mailer – Reliable Email Deliverability, No-code SMTP Replacement & Email logs37371021k+Non-prefixed global variable
#2839Image Optimizer by 10web – Image Optimizer and Compression plugin37244453k+Text Domain Mismatch
#2840Images Optimize and Upload CF73713036600Non Singular String Literal Domain
#2841Job Manager & Career – Manage job board listings, and recruitments371122052k+Missing nonce verification
#2842JVM Rich Text Icons3787343k+Output is not escaped
#2843LearnPress – Course Review37674320k+Output is not escaped
#2844LH Archived Post Status37150643k+Text Domain Mismatch
#2845Lightbox with PhotoSwipe371792420k+Output is not escaped
#2846LiveAgent – Omnichannel Help Desk & Live Chat Software37125142400Non Singular String Literal Domain
#2847LiveJournal Importer3786678k+Output is not escaped
#2848Local Time Clock37105111k+Output is not escaped
#2849Localendar Calendar for WordPress372416400Output is not escaped
#2850MailingBoss WP Plugin3710830600Output is not escaped