missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
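As an added illustration of what such a check does (this is not Plugin Check's own implementation), the following CLI script tokenizes each PHP file under a plugin directory and reports those whose first real statement is not an ABSPATH guard; the script name and its directory argument are assumed.

```php
<?php
// Added example, not Plugin Check's own code: list the PHP files under a plugin
// directory that do work before an ABSPATH guard.  Usage: php find_unguarded.php /path/to/plugin
declare(strict_types=1);
// True when the first real statement in $source is an ABSPATH guard. Comments, the open
// tag, declare(), namespace and use statements may come first; anything else (output,
// calls, assignments) is work. uninstall.php conventionally checks WP_UNINSTALL_PLUGIN instead.
function has_early_abspath_guard(string $source): bool
{
    $code = '';
    foreach (token_get_all($source) as $token) {
        if (!is_array($token)) {                 // single-character token such as ';' or '('
            $code .= $token;
        } elseif ($token[0] === T_WHITESPACE) {
            $code .= ' ';
        } elseif (!in_array($token[0], [T_OPEN_TAG, T_CLOSE_TAG, T_COMMENT, T_DOC_COMMENT], true)) {
            $code .= $token[1];                  // inline HTML counts as output
        }
    }
    // Strip the statements that are allowed ahead of the guard.
    $code = preg_replace('/^\s*(?:(?:declare\s*\([^)]*\)|namespace\s+[^;]*|use\s+[^;]*)\s*;\s*)+/i', '', $code);
    if (trim($code) === '') {
        return true;                             // nothing here to protect
    }
    // Accepts both "if ( ! defined( 'ABSPATH' ) ) { exit; }" and "defined( 'ABSPATH' ) || exit;".
    return (bool) preg_match(
        '/^\s*(?:if\s*\(\s*!\s*)?defined\s*\(\s*[\'"](?:ABSPATH|WP_UNINSTALL_PLUGIN)[\'"]\s*\)/',
        $code
    );
}
// Recursively collect *.php files under $dir that lack the early guard.
function find_unguarded_files(string $dir): array
{
    $unguarded = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) === 'php'
            && !has_early_abspath_guard((string) file_get_contents($file->getPathname()))) {
            $unguarded[] = $file->getPathname();
        }
    }
    sort($unguarded);
    return $unguarded;
}
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo implode(PHP_EOL, find_unguarded_files($argv[1])), PHP_EOL;
}
```

The heuristic only looks at statement order, so a file that merely defines functions and classes before the guard is still reported; that matches the finding, since the guard belongs at the top regardless.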
Why It Matters
Direct access runs the file outside the normal WordPress bootstrap: it can emit output to anyone who requests the path, and it breaks the file's assumptions that WordPress functions are loaded, that the user's permissions have been checked, and that the request context is valid.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
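An added example, not taken from the page or from any plugin listed below, of the guard described under How to Fix and of the public-endpoint alternative in this note; the plugin name, file names and function names are placeholders.

```php
<?php
// Added example (not from the page or any listed plugin): an ABSPATH guard on
// the main file and on a template partial, plus a deliberately public endpoint
// routed through the REST API instead of a directly requested file.
// "example-plugin" and the function names are placeholders.

// ---- example-plugin.php (main plugin file) ----
if ( ! defined( 'ABSPATH' ) ) {
	exit; // Requested by path: WordPress is not loaded, so do nothing.
}

// The partial is rendered on demand, never by requesting templates/partial.php itself.
add_shortcode( 'example_partial', 'example_plugin_render_partial' );
function example_plugin_render_partial(): string {
	ob_start();
	require plugin_dir_path( __FILE__ ) . 'templates/partial.php';
	return (string) ob_get_clean();
}

// Public by design, but reached only through /wp-json/example-plugin/v1/status.
add_action( 'rest_api_init', function () {
	register_rest_route( 'example-plugin/v1', '/status', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'example_plugin_status',
		'permission_callback' => '__return_true', // anonymous access is intended here
		'args'                => array(
			'format' => array(
				'default'           => 'short',
				'enum'              => array( 'short', 'full' ), // rejected before the callback runs
				'sanitize_callback' => 'sanitize_key',
			),
		),
	) );
} );

function example_plugin_status( WP_REST_Request $request ): WP_REST_Response {
	$data = array( 'plugin' => 'example-plugin', 'ok' => true );
	if ( 'full' === $request->get_param( 'format' ) ) {
		$data['time'] = current_time( 'mysql' );
	}
	return new WP_REST_Response( $data, 200 );
}

// ---- templates/partial.php (included above; guarded as well) ----
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}
echo '<p>' . esc_html__( 'Rendered only inside WordPress.', 'example-plugin' ) . '</p>';
```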
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2801 | CorvusPay WooCommerce Payment Gateway | 37 | 29 | 141 | 1k+ | | | Missing nonce verification |
| #2802 | Crafty Social Buttons | 37 | 279 | 27 | 1k+ | | | Non Singular String Literal Domain |
| #2803 | CryptAPI Payment Gateway for WooCommerce | 37 | 187 | 29 | 400 | | | Text Domain Mismatch |
| #2804 | Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter | 37 | 151 | 61 | 700 | | | Output is not escaped |
| #2805 | Custom CSS Manager | 37 | 55 | 20 | 1k+ | | | Output is not escaped |
| #2806 | Custom Post Template | 37 | 48 | 30 | 10k+ | | | Output is not escaped |
| #2807 | Customer Email Verification for WooCommerce | 37 | 165 | 164 | 2k+ | | | Nonce verification recommended |
| #2808 | Direct Payments for WooCommerce – Bank Transfer, Mobile Money, Crypto and Peer-to-Peer (P2P) Payments | 37 | 103 | 977 | 800 | | | Non-prefixed global variable |
| #2809 | Disclaimer Popup | 37 | 313 | 53 | 1k+ | | | Text Domain Mismatch |
| #2810 | Donation Block For PayPal | 37 | 23 | 106 | 600 | | | Input is not validated |
| #2811 | Easy Photo Album | 37 | 360 | 43 | 1k+ | | | Text Domain Mismatch |
| #2812 | Pricing Table WordPress Plugin – Easy Pricing Tables | 37 | 332 | 161 | 10k+ | | | Output is not escaped |
| #2813 | Easy Profile Widget | 37 | 157 | 20 | 400 | | | Output is not escaped |
| #2814 | Easy Testimonial Slider and Form | 37 | 14 | 144 | 700 | | | Request data is not unslashed |
| #2815 | EasyMe Connect | 37 | 130 | 45 | 500 | | | Text Domain Mismatch |
| #2816 | Eazy CF Captcha | 37 | 93 | 54 | 500 | | | Text Domain Mismatch |
| #2817 | WP eBay Product Feeds | 37 | 136 | 31 | 700 | | | Output is not escaped |
| #2818 | Encyclopedia / Glossary / Wiki | 37 | 263 | 48 | 1k+ | | | Output is not escaped |
| #2819 | Excerpt Editor | 37 | 170 | 142 | 500 | | | Unsafe printing function |
| #2820 | Exploit Scanner | 37 | 25 | 130 | 8k+ | | | Non-prefixed global variable |
| #2821 | Facturare WooCommerce | 37 | 158 | 106 | 3k+ | | | Text Domain Mismatch |
| #2822 | Favorites | 37 | 204 | 121 | 10k+ | | | Unsafe printing function |
| #2823 | Get Custom Field Values | 37 | 40 | 44 | 1k+ | | | Output is not escaped |
| #2824 | 果果推送 | 37 | 31 | 56 | 1k+ | | | Nonce verification recommended |
| #2825 | Gmail SMTP | 37 | 84 | 73 | 10k+ | | | Unsafe printing function |
| #2826 | GHL Gravity Bridge – Send Gravity Forms leads to GHL CRM | 37 | 59 | 269 | 600 | | | Direct Query |
| #2827 | GoCache | 37 | 273 | 43 | 900 | | | Non Singular String Literal Domain |
| #2828 | Google for WooCommerce | 37 | 328 | 121 | 800k+ | | | Exception output is not escaped |
| #2829 | XML Sitemap Generator for Google | 37 | 43 | 79 | 1m+ | | | Input is not validated |
| #2830 | GoPay for WooCommerce | 37 | 66 | 103 | 1k+ | | | Non-prefixed global variable |
| #2831 | GS Portfolio for Envato | 37 | 155 | 75 | 4k+ | | | Text Domain Mismatch |
| #2832 | Hash Elements | 37 | 147 | 92 | 5k+ | | | Output is not escaped |
| #2833 | Horizontal scrolling announcements | 37 | 215 | 140 | 8k+ | | | Output is not escaped |
| #2834 | HT Builder – WordPress Theme Builder for Elementor | 37 | 142 | 41 | 900 | | | Output is not escaped |
| #2835 | HT Menu – WordPress Mega Menu Builder for Elementor | 37 | 300 | 60 | 3k+ | | | Text Domain Mismatch |
| #2836 | .htaccess Site Access Control | 37 | 54 | 67 | 800 | | | Input is not sanitized |
| #2837 | Humans TXT | 37 | 159 | 86 | 400 | | | Output is not escaped |
| #2838 | Icegram Mailer – Reliable Email Deliverability, No-code SMTP Replacement & Email logs | 37 | 37 | 102 | 1k+ | | | Non-prefixed global variable |
| #2839 | Image Optimizer by 10web – Image Optimizer and Compression plugin | 37 | 244 | 45 | 3k+ | | | Text Domain Mismatch |
| #2840 | Images Optimize and Upload CF7 | 37 | 130 | 36 | 600 | | | Non Singular String Literal Domain |
| #2841 | Job Manager & Career – Manage job board listings, and recruitments | 37 | 112 | 205 | 2k+ | | | Missing nonce verification |
| #2842 | JVM Rich Text Icons | 37 | 87 | 34 | 3k+ | | | Output is not escaped |
| #2843 | LearnPress – Course Review | 37 | 67 | 43 | 20k+ | | | Output is not escaped |
| #2844 | LH Archived Post Status | 37 | 150 | 64 | 3k+ | | | Text Domain Mismatch |
| #2845 | Lightbox with PhotoSwipe | 37 | 179 | 24 | 20k+ | | | Output is not escaped |
| #2846 | LiveAgent – Omnichannel Help Desk & Live Chat Software | 37 | 125 | 142 | 400 | | | Non Singular String Literal Domain |
| #2847 | LiveJournal Importer | 37 | 86 | 67 | 8k+ | | | Output is not escaped |
| #2848 | Local Time Clock | 37 | 105 | 11 | 1k+ | | | Output is not escaped |
| #2849 | Localendar Calendar for WordPress | 37 | 241 | 6 | 400 | | | Output is not escaped |
| #2850 | MailingBoss WP Plugin | 37 | 108 | 30 | 600 | | | Output is not escaped |