missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4151 | BestWebSoft's Twitter | 50 | 477 | 174 | 900 | Text Domain Mismatch | ||
| #4152 | Ultimate Floating Widgets – Make popup sidebars | 50 | 48 | 14 | 3k+ | Output is not escaped | ||
| #4153 | Ultimate WooCommerce Brands | 50 | 87 | 12 | 500 | Text Domain Mismatch | ||
| #4154 | Veeqo for WooCommerce | 50 | 30 | 17 | 700 | Missing direct file access protection | ||
| #4155 | Calculadora de Frete e Campos Checkout para o Brasil | 50 | 1 | 138 | 5k+ | Missing nonce verification | ||
| #4156 | WP SVG Images | 50 | 58 | 12 | 30k+ | Text Domain Mismatch | ||
| #4157 | ACF: User Role Selector | 51 | 41 | 2 | 600 | Output is not escaped | ||
| #4158 | Cart Popup for WooCommerce | 51 | 9 | 115 | 9k+ | Non-prefixed global variable | ||
| #4159 | Address Geocoder | 51 | 12 | 18 | 500 | Output is not escaped | ||
| #4160 | Adjust Admin Categories | 51 | 30 | 12 | 10k+ | Output is not escaped | ||
| #4161 | AVIF Uploader | 51 | 49 | 44 | 4k+ | Missing Arg Domain | ||
| #4162 | Feeds for TikTok – Display Video Feeds in Grid Layouts | 51 | 18 | 59 | 1k+ | Request data is not unslashed | ||
| #4163 | Cards for Beaver Builder | 51 | 63 | 1 | 1k+ | Output is not escaped | ||
| #4164 | Booqable Rental Plugin | 51 | 81 | 18 | 1k+ | wp function not compatible with requires wp | ||
| #4165 | Bootstrap Modals | 51 | 43 | 8 | 1k+ | Output is not escaped | ||
| #4166 | WPML Multilingual for BuddyPress and BuddyBoss | 51 | 18 | 21 | 6k+ | SQL query is not prepared | ||
| #4167 | Category Archive Widget | 51 | 54 | 2 | 800 | Output is not escaped | ||
| #4168 | Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress | 51 | 3 | 116 | 1k+ | Missing nonce verification | ||
| #4169 | Dolyame Payment gateway | 51 | 122 | 10 | 700 | Text Domain Mismatch | ||
| #4170 | Firelight Lightbox | 51 | 78 | 97 | 200k+ | Non-prefixed global variable | ||
| #4171 | GamiPress – Reset User | 51 | 14 | 27 | 400 | Interpolated SQL is not prepared | ||
| #4172 | Gravatar Enhanced – Avatars, Profiles, and Privacy | 51 | 38 | 48 | 100k+ | Dynamic hook name | ||
| #4173 | Gravity Forms No CAPTCHA reCAPTCHA | 51 | 30 | 17 | 10k+ | Text Domain Mismatch | ||
| #4174 | Gutenverse – WordPress Blocks, Page Builder & Site Editor | 51 | 17 | 47 | 20k+ | Non-prefixed hook name | ||
| #4175 | Hide Admin Bar | 51 | 35 | 17 | 20k+ | Unsafe printing function | ||
| #4176 | Interactive Globes – 3D World Maps | 51 | 24 | 104 | 400 | Non-prefixed global variable | ||
| #4177 | Juicer.io: Effortlessly embed, curate, and aggregate social media feeds into your website | 51 | 44 | 34 | 9k+ | Output is not escaped | ||
| #4178 | KIA Subtitle | 51 | 21 | 19 | 7k+ | Non-prefixed global variable | ||
| #4179 | Menu Icons by Themeisle – Add Icons to Navigation Menus | 51 | 34 | 22 | 100k+ | Output is not escaped | ||
| #4180 | Lite Video Embed | 51 | 35 | 7 | 1k+ | Output is not escaped | ||
| #4181 | POLi Payments for WooCommerce | 51 | 62 | 26 | 500 | Text Domain Mismatch | ||
| #4182 | Security-Protection | 51 | 5 | 32 | 400 | Missing nonce verification | ||
| #4183 | SePay Gateway | 51 | 12 | 39 | 2k+ | Nonce verification recommended | ||
| #4184 | Contact Information Widget | 51 | 69 | 5 | 500 | Output is not escaped | ||
| #4185 | Simple Cookie Notification Bar | 51 | 49 | 6 | 1k+ | Text Domain Mismatch | ||
| #4186 | Popular Brand Icons – Simple Icons | 51 | 20 | 12 | 3k+ | Output is not escaped | ||
| #4187 | Redirect | 51 | 26 | 12 | 5k+ | Output is not escaped | ||
| #4188 | Star Rating Field For Contact Form 7 | 51 | 36 | 7 | 800 | Output is not escaped | ||
| #4189 | StoryChief | 51 | 12 | 55 | 1k+ | Input is not sanitized | ||
| #4190 | Tiny gtag.js Analytics | 51 | 39 | 0 | 400 | Output is not escaped | ||
| #4191 | Trustpilot Reviews | 51 | 14 | 52 | 30k+ | Missing nonce verification | ||
| #4192 | VK Filter Search | 51 | 35 | 71 | 6k+ | Nonce verification recommended | ||
| #4193 | Payment Gateway Payoneer For WooCommerce | 51 | 9 | 35 | 900 | Input is not validated | ||
| #4194 | Swift SMTP (formerly Welcome Email Editor) | 51 | 12 | 62 | 7k+ | Missing nonce verification | ||
| #4195 | WP Counter Up – Animated Number Counter & Milestone Showcase | 51 | 18 | 239 | 1k+ | Non-prefixed global variable | ||
| #4196 | REST API Log | 51 | 44 | 95 | 5k+ | Non-prefixed hook name | ||
| #4197 | Insert Code by Angie Makes | 51 | 43 | 8 | 900 | Output is not escaped | ||
| #4198 | YayMail – WooCommerce Email Customizer | 51 | 163 | 788 | 50k+ | Non-prefixed global variable | ||
| #4199 | Affiliate Area Shortcodes by AffiliateWP | 52 | 56 | 16 | 2k+ | Text Domain Mismatch | ||
| #4200 | Age Gate Lite | 52 | 28 | 3 | 2k+ | Output is not escaped |