missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3301 | Structured Content (JSON-LD) #wpsc | 39 | 291 | 73 | 40k+ | Output is not escaped | ||
| #3302 | Substack Importer | 39 | 33 | 33 | 1k+ | Missing nonce verification | ||
| #3303 | Swifty Image Widget | 39 | 114 | 28 | 900 | Output is not escaped | ||
| #3304 | Sydney Toolbox | 39 | 84 | 62 | 50k+ | Unsafe printing function | ||
| #3305 | Sync Post With Other Site | 39 | 179 | 21 | 3k+ | Non Singular String Literal Domain | ||
| #3306 | Tabify Edit Screen | 39 | 83 | 27 | 500 | Output is not escaped | ||
| #3307 | Easy Category Icons | 39 | 50 | 43 | 600 | Text Domain Mismatch | ||
| #3308 | ThemeKit For WordPress | 39 | 149 | 49 | 700 | Output is not escaped | ||
| #3309 | OpenHook | 39 | 172 | 22 | 1k+ | Unsafe printing function | ||
| #3310 | TinyMCE Custom Styles | 39 | 297 | 76 | 7k+ | Non Singular String Literal Domain | ||
| #3311 | TinyMCE Spellcheck | 39 | 27 | 32 | 2k+ | Unsafe printing function | ||
| #3312 | UiChemy — Figma Converter for Elementor, Gutenberg and Bricks | 39 | 8 | 100 | 9k+ | Nonce verification recommended | ||
| #3313 | Ultimate Client Dash | 39 | 697 | 12 | 2k+ | Text Domain Mismatch | ||
| #3314 | Ultimate Lightbox | 39 | 110 | 59 | 1k+ | Unsafe printing function | ||
| #3315 | Universal Google Adsense and Ads manager | 39 | 70 | 31 | 2k+ | Unsafe printing function | ||
| #3316 | Unlimited Background Slider | 39 | 66 | 53 | 600 | Output is not escaped | ||
| #3317 | upPrev | 39 | 35 | 36 | 1k+ | Dynamic hook name | ||
| #3318 | Uptolike Social Share Buttons | 39 | 38 | 33 | 4k+ | Output is not escaped | ||
| #3319 | User Blocker | 39 | 6 | 276 | 3k+ | Nonce verification recommended | ||
| #3320 | UserHeat Plugin | 39 | 121 | 20 | 6k+ | Non Singular String Literal Domain | ||
| #3321 | Accessibility by UserWay | 39 | 22 | 35 | 80k+ | Direct Query | ||
| #3322 | Smart Variation Swatches and Attribute Filters for WooCommerce | 39 | 39 | 50 | 3k+ | Output is not escaped | ||
| #3323 | Video Blogster Lite | 39 | 29 | 80 | 700 | Missing nonce verification | ||
| #3324 | Visual Portfolio, Photo Gallery & Post Grid | 39 | 34 | 189 | 60k+ | Non-prefixed hook name | ||
| #3325 | Payments via PayMongo for WooCommerce | 39 | 36 | 81 | 1k+ | Nonce verification recommended | ||
| #3326 | Smart COD for WooCommerce | 39 | 50 | 28 | 30k+ | Output is not escaped | ||
| #3327 | WebHotelier for WordPress | 39 | 451 | 40 | 500 | Text Domain Mismatch | ||
| #3328 | Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types | 39 | 89 | 117 | 20k+ | Unsafe printing function | ||
| #3329 | Woo Button Text | 39 | 53 | 21 | 500 | Output is not escaped | ||
| #3330 | Lucky Wheel for WooCommerce – Spin a Sale | 39 | 12 | 153 | 1k+ | Request data is not unslashed | ||
| #3331 | PayU GPO Payment for WooCommerce | 39 | 44 | 91 | 10k+ | Output is not escaped | ||
| #3332 | Modal Fly Cart & AJAX Add to Cart for WooCommerce | 39 | 83 | 74 | 2k+ | Text Domain Mismatch | ||
| #3333 | WooCommerce Product Dependencies | 39 | 44 | 60 | 3k+ | Missing nonce verification | ||
| #3334 | Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools | 39 | 322 | 66 | 8k+ | Output is not escaped | ||
| #3335 | WP Accessibility | 39 | 200 | 104 | 60k+ | Unsafe printing function | ||
| #3336 | WP Add Custom CSS | 39 | 45 | 23 | 60k+ | Output is not escaped | ||
| #3337 | Aparat for WordPress | 39 | 59 | 14 | 3k+ | Output is not escaped | ||
| #3338 | WP Attachments | 39 | 49 | 44 | 3k+ | Output is not escaped | ||
| #3339 | WP-Cycle | 39 | 53 | 17 | 3k+ | Output is not escaped | ||
| #3340 | WP Gmail SMTP | 39 | 99 | 50 | 1k+ | Text Domain Mismatch | ||
| #3341 | WP Limit Login Attempts | 39 | 26 | 67 | 10k+ | Direct Query | ||
| #3342 | WP Most Popular | 39 | 50 | 35 | 2k+ | Output is not escaped | ||
| #3343 | WP Multibyte Patch | 39 | 24 | 55 | 1m+ | Input is not sanitized | ||
| #3344 | WP Performance Score Booster – Optimize Speed, Enable Cache & Page Preload | 39 | 59 | 27 | 10k+ | Unsafe printing function | ||
| #3345 | WP Realtime Sitemap | 39 | 46 | 41 | 10k+ | Output is not escaped | ||
| #3346 | WP SendGrid SMTP | 39 | 99 | 50 | 1k+ | Text Domain Mismatch | ||
| #3347 | WP Sitemap Control | 39 | 31 | 37 | 400 | Output is not escaped | ||
| #3348 | WP Sitemaps Config | 39 | 88 | 37 | 700 | Output is not escaped | ||
| #3349 | WP-Slimbox2 Plugin | 39 | 77 | 19 | 3k+ | Unsafe printing function | ||
| #3350 | WP Social Widget | 39 | 239 | 7 | 4k+ | Output is not escaped |