missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2851 | OSM – OpenStreetMap | 37 | 130 | 64 | 10k+ | Output is not escaped | ||
| #2852 | Page scroll to id | 37 | 38 | 120 | 100k+ | Missing nonce verification | ||
| #2853 | GoHero Store Customizer for WooCommerce | 37 | 75 | 53 | 600 | Unsafe printing function | ||
| #2854 | Phoenix Media Rename | 37 | 175 | 104 | 50k+ | Output is not escaped | ||
| #2855 | Plexx Elementor Extension | 37 | 582 | 14 | 400 | Text Domain Mismatch | ||
| #2856 | PNG to JPG | 37 | 130 | 173 | 9k+ | Interpolated SQL is not prepared | ||
| #2857 | POEditor | 37 | 78 | 140 | 500 | Output is not escaped | ||
| #2858 | Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales | 37 | 59 | 64 | 2k+ | SQL query is not prepared | ||
| #2859 | Post Terms Order – per Post based | 37 | 70 | 36 | 2k+ | Output is not escaped | ||
| #2860 | Product Image Hover Effects WOOC – WPSHARE247 | 37 | 161 | 94 | 800 | Output is not escaped | ||
| #2861 | Publish to Schedule | 37 | 195 | 43 | 4k+ | Text Domain Mismatch | ||
| #2862 | PublishPress Statuses – Custom Post Status and Workflow | 37 | 231 | 78 | 1k+ | Missing Arg Domain | ||
| #2863 | Quantities and Units for WooCommerce | 37 | 133 | 118 | 1k+ | Output is not escaped | ||
| #2864 | Quick Restaurant Menu | 37 | 136 | 40 | 1k+ | Text Domain Mismatch | ||
| #2865 | rapidmail: Newsletter & E-Mail Marketing for WooCommerce | 37 | 79 | 47 | 400 | Text Domain Mismatch | ||
| #2866 | Recent Posts Widget With Thumbnails | 37 | 222 | 46 | 100k+ | Output is not escaped | ||
| #2867 | resmio button & widget | 37 | 99 | 36 | 400 | Text Domain Mismatch | ||
| #2868 | Reusable Content Blocks | 37 | 349 | 14 | 4k+ | Text Domain Mismatch | ||
| #2869 | Rich Table of Contents | 37 | 262 | 57 | 20k+ | Output is not escaped | ||
| #2870 | Robots & Sitemap | 37 | 199 | 28 | 500 | Text Domain Mismatch | ||
| #2871 | RSS for Yandex Zen | 37 | 240 | 100 | 4k+ | Unsafe printing function | ||
| #2872 | RSS Image Feed | 37 | 147 | 16 | 2k+ | Output is not escaped | ||
| #2873 | Ryviu – Review Importer & Product Reviews | 37 | 72 | 95 | 1k+ | Output is not escaped | ||
| #2874 | SB RSS feed plus | 37 | 172 | 24 | 1k+ | Output is not escaped | ||
| #2875 | Scroll Back To Top | 37 | 149 | 12 | 10k+ | Output is not escaped | ||
| #2876 | Send PDF for Contact Form 7 | 37 | 22 | 308 | 9k+ | Non-prefixed global variable | ||
| #2877 | SendWP | 37 | 47 | 42 | 10k+ | Output is not escaped | ||
| #2878 | Sensei LMS Certificates | 37 | 97 | 362 | 4k+ | Non-prefixed global variable | ||
| #2879 | Sezzle Woocommerce Payment | 37 | 108 | 105 | 1k+ | Text Domain Mismatch | ||
| #2880 | Snippet Shortcodes | 37 | 359 | 133 | 4k+ | Non Singular String Literal Domain | ||
| #2881 | Shortcoder — Create Shortcodes for Anything | 37 | 25 | 70 | 100k+ | Non-prefixed global variable | ||
| #2882 | Weaver Show Sliders | 37 | 177 | 132 | 900 | Text Domain Mismatch | ||
| #2883 | Simple Image XML Sitemap | 37 | 119 | 16 | 1k+ | Output is not escaped | ||
| #2884 | Skimlinks Affiliate Marketing Tool | 37 | 84 | 19 | 800 | wp function not compatible with requires wp | ||
| #2885 | Slider Pro | 37 | 78 | 260 | 1k+ | Non-prefixed global variable | ||
| #2886 | Smart Send Logistics | 37 | 92 | 81 | 400 | Output is not escaped | ||
| #2887 | Social Comments | 37 | 59 | 32 | 400 | Output is not escaped | ||
| #2888 | Spam Destroyer | 37 | 63 | 43 | 6k+ | rand rand | ||
| #2889 | StagTools | 37 | 476 | 53 | 1k+ | Text Domain Mismatch | ||
| #2890 | Website Pop-up Builder by BDOW! (formerly Sumo): Pop-ups + forms for email opt-ins and lead generation | 37 | 42 | 33 | 10k+ | Output is not escaped | ||
| #2891 | SuperCPT | 37 | 172 | 27 | 600 | Output is not escaped | ||
| #2892 | Super Simple Site Offline | 37 | 115 | 59 | 6k+ | Text Domain Mismatch | ||
| #2893 | Swifty Bar, sticky bar by WPGens | 37 | 112 | 81 | 400 | Output is not escaped | ||
| #2894 | TelSender – Сontact form 7, Events, Wpforms, ninja forms and woocommerce to telegram bot | 37 | 48 | 40 | 6k+ | Unsafe printing function | ||
| #2895 | Theme Builder For Elementor | 37 | 477 | 28 | 2k+ | Text Domain Mismatch | ||
| #2896 | Tracking Script Manager | 37 | 82 | 57 | 2k+ | Non Singular String Literal Domain | ||
| #2897 | Ultimate WordPress Auction Plugin | 37 | 623 | 146 | 1k+ | Text Domain Mismatch | ||
| #2898 | Landing Page Builder – Free Landing Page Templates | 37 | 329 | 111 | 600 | Output is not escaped | ||
| #2899 | Ultimate Tag Cloud Widget | 37 | 715 | 16 | 4k+ | Output is not escaped | ||
| #2900 | User Meta Display | 37 | 78 | 74 | 500 | Output is not escaped |