missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3551 | Visual Builder for Contact Form 7 | 40 | 20 | 43 | 500 | Output is not escaped | ||
| #3552 | Visual Editor Custom Buttons | 40 | 30 | 48 | 4k+ | Output is not escaped | ||
| #3553 | WP Sticky Button – Click to Chat | 40 | 73 | 64 | 10k+ | Non-prefixed global variable | ||
| #3554 | Webo-facto | 40 | 41 | 102 | 1k+ | Nonce verification recommended | ||
| #3555 | Wider Admin Menu | 40 | 76 | 17 | 2k+ | Output is not escaped | ||
| #3556 | Widget Builder | 40 | 40 | 52 | 500 | Non-prefixed global variable | ||
| #3557 | Widget Menuizer | 40 | 44 | 26 | 600 | Missing Arg Domain | ||
| #3558 | Widget Visibility Without Jetpack | 40 | 74 | 47 | 5k+ | Text Domain Mismatch | ||
| #3559 | Wonder Video Embed | 40 | 94 | 4 | 4k+ | Output is not escaped | ||
| #3560 | Preview E-mails for WooCommerce | 40 | 35 | 37 | 30k+ | Unsafe printing function | ||
| #3561 | NP Quote Request for WooCommerce | 40 | 91 | 145 | 9k+ | Non-prefixed global variable | ||
| #3562 | Total Sales Counts for WooCommerce | 40 | 121 | 62 | 700 | SQL query is not prepared | ||
| #3563 | Wallet for WooCommerce | 40 | 32 | 524 | 20k+ | Non-prefixed hook name | ||
| #3564 | yubikey-plugin | 40 | 64 | 33 | 400 | Text Domain Mismatch | ||
| #3565 | All In One SEO Pack for WooCommerce | 40 | 57 | 25 | 3k+ | Text Domain Mismatch | ||
| #3566 | Simple Registration for WooCommerce | 40 | 27 | 55 | 4k+ | Missing nonce verification | ||
| #3567 | Word Balloon | 40 | 20 | 125 | 10k+ | Request data is not unslashed | ||
| #3568 | WP Ajax Load More Pagination and Infinite Scroll | 40 | 63 | 15 | 400 | Output is not escaped | ||
| #3569 | WP Compress for MainWP | 40 | 20 | 36 | 700 | Output is not escaped | ||
| #3570 | Custom CSS/JS | 40 | 58 | 34 | 700 | Text Domain Mismatch | ||
| #3571 | WP Discord Invite | 40 | 73 | 42 | 400 | Unsafe printing function | ||
| #3572 | Easy PayPal & Stripe Buy Now Button | 40 | 388 | 96 | 10k+ | Unsafe printing function | ||
| #3573 | WP All Import – Job Listing Import for WP Job Manager | 40 | 35 | 27 | 2k+ | Output is not escaped | ||
| #3574 | WP Keyword Suggest | 40 | 29 | 41 | 500 | Non Singular String Literal Domain | ||
| #3575 | WP Meteor Website Speed Optimization Addon | 40 | 34 | 19 | 20k+ | Output is not escaped | ||
| #3576 | WP Multisite Content Copier/Updater | 40 | 19 | 144 | 800 | Interpolated SQL is not prepared | ||
| #3577 | WP Nav Plus | 40 | 95 | 13 | 1k+ | Output is not escaped | ||
| #3578 | WP Paint – WordPress Image Editor | 40 | 30 | 29 | 6k+ | Missing Arg Domain | ||
| #3579 | WP Reroute Email | 40 | 141 | 106 | 1k+ | Output is not escaped | ||
| #3580 | Social Share Buttons & Analytics Plugin – GetSocial.io | 40 | 97 | 25 | 2k+ | Output is not escaped | ||
| #3581 | WP Tab Widget | 40 | 128 | 32 | 10k+ | Output is not escaped | ||
| #3582 | WP Theme Test | 40 | 21 | 39 | 7k+ | Input is not sanitized | ||
| #3583 | WPS Menu Exporter | 40 | 47 | 22 | 10k+ | Output is not escaped | ||
| #3584 | XLTab – Accordions and Tabs for Elementor Page Builder | 40 | 317 | 65 | 1k+ | Text Domain Mismatch | ||
| #3585 | My YouTube Channel | 40 | 54 | 38 | 5k+ | Output is not escaped | ||
| #3586 | Simple Counter | 41 | 60 | 12 | 1k+ | Unsafe printing function | ||
| #3587 | AMP for WP – Accelerated Mobile Pages | 41 | 656 | 2,401 | 80k+ | Non-prefixed global variable | ||
| #3588 | ACF: Advanced Taxonomy Selector | 41 | 56 | 15 | 1k+ | Output is not escaped | ||
| #3589 | AddQuicktag | 41 | 86 | 10 | 100k+ | Output is not escaped | ||
| #3590 | Advance Bank Payment Transfer Gateway | 41 | 105 | 62 | 1k+ | Text Domain Mismatch | ||
| #3591 | ACF: Google Map Extended | 41 | 141 | 8 | 800 | Text Domain Mismatch | ||
| #3592 | Advanced Excerpt | 41 | 69 | 43 | 70k+ | Unsafe printing function | ||
| #3593 | AffiliateWP – Affiliate Product Rates | 41 | 84 | 24 | 2k+ | Output is not escaped | ||
| #3594 | AH Display Widgets | 41 | 52 | 16 | 8k+ | Text Domain Mismatch | ||
| #3595 | Amazon Link Engine | 41 | 38 | 17 | 2k+ | Output is not escaped | ||
| #3596 | Amazon Web Services | 41 | 53 | 21 | 5k+ | Missing Translators Comment | ||
| #3597 | Announcer – Sticky Message Banner & Notification Bar | 41 | 110 | 27 | 10k+ | Output is not escaped | ||
| #3598 | Antispam | 41 | 11 | 41 | 400 | Missing nonce verification | ||
| #3599 | ATP Call Now | 41 | 98 | 7 | 700 | Output is not escaped | ||
| #3600 | Authenticator | 41 | 59 | 44 | 1k+ | Output is not escaped |