missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3901 | Team Builder Member Showcase | 43 | 14 | 127 | 1k+ | Non-prefixed global variable | ||
| #3902 | Term Management Tools | 43 | 9 | 26 | 10k+ | Non-prefixed hook name | ||
| #3903 | Terms Order WP – Categories And Taxonomies Order Plugin | 43 | 12 | 47 | 900 | Non-prefixed global variable | ||
| #3904 | Theme Test Drive | 43 | 39 | 16 | 7k+ | Output is not escaped | ||
| #3905 | Uber reCaptcha | 43 | 129 | 45 | 1k+ | Text Domain Mismatch | ||
| #3906 | User Session Control | 43 | 31 | 21 | 700 | Output is not escaped | ||
| #3907 | utm.codes | 43 | 34 | 33 | 400 | Missing nonce verification | ||
| #3908 | Sovrn | 43 | 9 | 29 | 1k+ | Input is not sanitized | ||
| #3909 | WIP Custom Login | 43 | 21 | 37 | 700 | Nonce verification recommended | ||
| #3910 | Checkout Field Manager (Checkout Manager) for WooCommerce | 43 | 161 | 154 | 90k+ | Non-prefixed global variable | ||
| #3911 | WP Hotel Booking Stripe Payment | 43 | 34 | 29 | 400 | Text Domain Mismatch | ||
| #3912 | WP Hotel Booking WPML Support | 43 | 10 | 52 | 400 | Direct Query | ||
| #3913 | WP Mail Log | 43 | 40 | 29 | 10k+ | Text Domain Mismatch | ||
| #3914 | WP Post Expires | 43 | 21 | 15 | 2k+ | Output is not escaped | ||
| #3915 | Advanced Custom Fields: oEmbed Field | 44 | 36 | 13 | 1k+ | Text Domain Mismatch | ||
| #3916 | Advanced Dynamic Pricing and Discount Rules for WooCommerce | 44 | 2 | 813 | 20k+ | Non-prefixed namespace | ||
| #3917 | Buttonizer – Live Chat, AI Chatbot, Call, Chat, Contact Button | 44 | 24 | 71 | 50k+ | Non-prefixed constant | ||
| #3918 | Button visually impaired | 44 | 145 | 5 | 10k+ | Text Domain Mismatch | ||
| #3919 | Code Widget | 44 | 60 | 33 | 4k+ | Text Domain Mismatch | ||
| #3920 | Coming soon and Maintenance mode | 44 | 14 | 43 | 9k+ | Request data is not unslashed | ||
| #3921 | Comment Image | 44 | 19 | 23 | 1k+ | Output is not escaped | ||
| #3922 | Custom Dashboard Help Widget | 44 | 73 | 12 | 800 | Output is not escaped | ||
| #3923 | Cyberpret – Calculettes | 44 | 41 | 17 | 500 | Output is not escaped | ||
| #3924 | Debug Bar Console | 44 | 23 | 9 | 1k+ | Missing Arg Domain | ||
| #3925 | Easy!Appointments | 44 | 47 | 6 | 600 | Unsafe printing function | ||
| #3926 | ELEX WooCommerce Role Based Pricing | 44 | 213 | 196 | 2k+ | Non-prefixed global variable | ||
| #3927 | Github Embed | 44 | 18 | 35 | 1k+ | Non-prefixed global variable | ||
| #3928 | Image Widget | 44 | 48 | 5 | 3k+ | Output is not escaped | ||
| #3929 | Smart JavaScript Auto Loader | 44 | 83 | 2 | 400 | Output is not escaped | ||
| #3930 | KKiapay WooCommerce Plugin | 44 | 20 | 25 | 400 | Output is not escaped | ||
| #3931 | Roles & Capabilities | 44 | 24 | 79 | 1k+ | Nonce verification recommended | ||
| #3932 | Save and Close | 44 | 4 | 47 | 400 | Missing nonce verification | ||
| #3933 | LIQUID SPEECH BALLOON | 44 | 34 | 30 | 10k+ | Output is not escaped | ||
| #3934 | Minimum Order Amount for Woocommerce | 44 | 50 | 16 | 2k+ | Text Domain Mismatch | ||
| #3935 | Multilevel Navigation Menu | 44 | 80 | 1 | 500 | Output is not escaped | ||
| #3936 | Notix – Web Push Notifications | 44 | 22 | 41 | 600 | Non-prefixed global variable | ||
| #3937 | QR Code Woocommerce | 44 | 37 | 36 | 1k+ | Output is not escaped | ||
| #3938 | Razorpay Subscriptions for WooCommerce | 44 | 28 | 35 | 600 | Exception output is not escaped | ||
| #3939 | Setmore Appointments | 44 | 45 | 13 | 4k+ | Output is not escaped | ||
| #3940 | Shippit for WooCommerce | 44 | 127 | 26 | 900 | Text Domain Mismatch | ||
| #3941 | Simple Full Screen Background Image | 44 | 23 | 13 | 10k+ | Output is not escaped | ||
| #3942 | Simple Image Widget | 44 | 26 | 19 | 10k+ | Unsafe printing function | ||
| #3943 | Smart Archive Page Remove | 44 | 82 | 5 | 7k+ | Output is not escaped | ||
| #3944 | Smart Attachment Page Remove | 44 | 82 | 3 | 900 | Output is not escaped | ||
| #3945 | SmartVideo – Video Player and CDN | 44 | 295 | 44 | 1k+ | Text Domain Mismatch | ||
| #3946 | TP Product Description in Loop for WooCommerce | 44 | 48 | 7 | 500 | Setting is missing a sanitization callback | ||
| #3947 | Trusty Whistleblowing Solution | 44 | 234 | 16 | 400 | Text Domain Mismatch | ||
| #3948 | WCFM – WCFM Marketplace integrate Elementor | 44 | 82 | 18 | 1k+ | Output is not escaped | ||
| #3949 | WP Club Manager – WordPress Sports Club Plugin | 44 | 171 | 682 | 600 | Non-prefixed global variable | ||
| #3950 | Wpazure Kit | 44 | 136 | 140 | 800 | Missing direct file access protection |