missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2901 | Views for WPForms – Display & Edit WPForms Entries on your site frontend | 37 | 80 | 64 | 1k+ | Output is not escaped | ||
| #2902 | Innovs WPBakery Visual Composer WHMCS Elements | 37 | 154 | 24 | 2k+ | Text Domain Mismatch | ||
| #2903 | Weather Atlas Widget | 37 | 630 | 111 | 9k+ | Output is not escaped | ||
| #2904 | Widget Box Lite | 37 | 318 | 17 | 900 | Output is not escaped | ||
| #2905 | Conditional Discounts for WooCommerce – A simple yet complete woocommerce dynamic pricing plugin | 37 | 99 | 33 | 10k+ | Text Domain Mismatch | ||
| #2906 | Piraeus Bank WooCommerce Payment Gateway | 37 | 146 | 104 | 3k+ | Non Singular String Literal Domain | ||
| #2907 | SUMIT Payment Gateway for WooCommerce | 37 | 358 | 74 | 1k+ | Text Domain Mismatch | ||
| #2908 | Variation Swatches for WooCommerce | 37 | 92 | 103 | 10k+ | Output is not escaped | ||
| #2909 | Amazon Pay for WooCommerce | 37 | 29 | 117 | 20k+ | Non-prefixed class | ||
| #2910 | WP WooCommerce Mailchimp | 37 | 62 | 85 | 6k+ | Non-prefixed hook name | ||
| #2911 | WooCommerce PayPal Payments | 37 | 194 | 110 | 800k+ | Exception output is not escaped | ||
| #2912 | Quickpay for WooCommerce | 37 | 66 | 56 | 4k+ | Nonce verification recommended | ||
| #2913 | Wordable – Export Google Docs to WordPress | 37 | 47 | 63 | 2k+ | Output is not escaped | ||
| #2914 | Hustle – Email Marketing, Lead Generation, Optins, Popups | 37 | 4,874 | 5,942 | 90k+ | Non-prefixed global variable | ||
| #2915 | Fix Media Library | 37 | 53 | 71 | 1k+ | Output is not escaped | ||
| #2916 | WP Category Permalink | 37 | 75 | 31 | 2k+ | Output is not escaped | ||
| #2917 | WP-Cron Control | 37 | 54 | 22 | 1k+ | Output is not escaped | ||
| #2918 | WP Emmet | 37 | 154 | 8 | 3k+ | Output is not escaped | ||
| #2919 | WP Export Categories & Taxonomies | 37 | 169 | 35 | 500 | Output is not escaped | ||
| #2920 | WPForce Logout – WordPress User Login Logout Management Plugin | 37 | 567 | 32 | 8k+ | Output is not escaped | ||
| #2921 | WP FullCalendar | 37 | 32 | 64 | 8k+ | Nonce verification recommended | ||
| #2922 | FundEngine – Donation and Crowdfunding Platform | 37 | 90 | 9 | 1k+ | Exception output is not escaped | ||
| #2923 | WP Image Markers – Easy Hotspot Solution | 37 | 179 | 66 | 700 | Text Domain Mismatch | ||
| #2924 | WP PageNavi Style | 37 | 109 | 11 | 8k+ | Unsafe printing function | ||
| #2925 | Persistent Login | 37 | 338 | 108 | 6k+ | Unsafe printing function | ||
| #2926 | WP Plugin Info Card | 37 | 53 | 376 | 500 | Nonce verification recommended | ||
| #2927 | WP Post Signature | 37 | 90 | 13 | 1k+ | Unsafe printing function | ||
| #2928 | ReCaptcha Integration for WordPress | 37 | 60 | 66 | 9k+ | Output is not escaped | ||
| #2929 | WP Show Stats | 37 | 197 | 103 | 400 | Output is not escaped | ||
| #2930 | Special Text Boxes | 37 | 38 | 42 | 2k+ | Direct Query | ||
| #2931 | TopNewsWp – Display Tikcer News, RSS Feed Widget and Many More | 37 | 878 | 59 | 800 | Output is not escaped | ||
| #2932 | WPO365 | MICROSOFT 365 GRAPH MAILER | 37 | 112 | 83 | 10k+ | Text Domain Mismatch | ||
| #2933 | XT Visitor Counter | 37 | 177 | 52 | 7k+ | Output is not escaped | ||
| #2934 | Yada Wiki | 37 | 207 | 45 | 2k+ | Text Domain Mismatch | ||
| #2935 | YOURLS Link Creator | 37 | 196 | 39 | 500 | Text Domain Mismatch | ||
| #2936 | Widget Responsive for Youtube | 37 | 240 | 7 | 7k+ | Output is not escaped | ||
| #2937 | Zakeke Interactive Product Designer for WooCommerce | 37 | 186 | 178 | 2k+ | Nonce verification recommended | ||
| #2938 | Zendesk Chat | 37 | 44 | 67 | 10k+ | Output is not escaped | ||
| #2939 | Accessibility | 38 | 66 | 61 | 1k+ | Non-prefixed global variable | ||
| #2940 | AccessibleWP – Accessibility Toolbar | 38 | 381 | 26 | 20k+ | Text Domain Mismatch | ||
| #2941 | ACF-VC Integrator | 38 | 190 | 91 | 3k+ | Output is not escaped | ||
| #2942 | Action Scheduler | 38 | 92 | 134 | 20k+ | Exception output is not escaped | ||
| #2943 | Parallax Scroll by adamrob.co.uk | 38 | 102 | 51 | 1k+ | Output is not escaped | ||
| #2944 | Add Customer for WooCommerce | 38 | 229 | 153 | 1k+ | Text Domain Mismatch | ||
| #2945 | Admin Bar Editor – Toolbar Customization with User Role based access & Custom menus | 38 | 56 | 46 | 3k+ | Output is not escaped | ||
| #2946 | Admin Bar & Dashboard Access Control | 38 | 94 | 37 | 3k+ | Text Domain Mismatch | ||
| #2947 | Admin Management Xtended | 38 | 280 | 161 | 5k+ | Output is not escaped | ||
| #2948 | Admin Tools | 38 | 189 | 10 | 3k+ | Unsafe printing function | ||
| #2949 | AdRoll for WooCommerce Stores | 38 | 40 | 25 | 600 | Output is not escaped | ||
| #2950 | Advanced Media Offloader | 38 | 57 | 93 | 5k+ | error log error log |