missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4451 | Connect SendGrid for Emails | 59 | 37 | 103 | 900 | Missing direct file access protection | ||
| #4452 | Custom API for WP | 59 | 173 | 16 | 1k+ | wp function not compatible with requires wp | ||
| #4453 | Display Post Types – Post Grid, post list and post sliders | 59 | 24 | 14 | 7k+ | Output is not escaped | ||
| #4454 | ELEX WooCommerce Name Your Price | 59 | 295 | 117 | 600 | Missing Arg Domain | ||
| #4455 | etracker analytics | 59 | 16 | 9 | 1k+ | Exception output is not escaped | ||
| #4456 | Fathom Analytics Conversions | 59 | 14 | 47 | 400 | Non-prefixed function | ||
| #4457 | flowpaper | 59 | 13 | 31 | 10k+ | Non-prefixed function | ||
| #4458 | FluentCommunity – Ultra-Fast High-Performance Social Network, Community, LMS & Online Courses | 59 | 41 | 14 | 8k+ | Exception output is not escaped | ||
| #4459 | GDPR Data Request Form | 59 | 22 | 19 | 5k+ | Missing direct file access protection | ||
| #4460 | Gettext override translations | 59 | 33 | 7 | 2k+ | Missing Arg Domain | ||
| #4461 | Getty Images | 59 | 11 | 46 | 2k+ | Missing nonce verification | ||
| #4462 | Gravity Forms: Notification Attachments | 59 | 18 | 7 | 500 | Output is not escaped | ||
| #4463 | Gravity Forms Approvals Add-On | 59 | 17 | 6 | 800 | Output is not escaped | ||
| #4464 | GravityWP – Merge Tags | 59 | 16 | 172 | 2k+ | Non-prefixed global variable | ||
| #4465 | HTTP Headers | 59 | 20 | 43 | 50k+ | Nonce verification recommended | ||
| #4466 | Icon List | 59 | 83 | 11 | 1k+ | Text Domain Mismatch | ||
| #4467 | MapGeo – Interactive Geo Maps | 59 | 14 | 51 | 40k+ | Non-prefixed hook name | ||
| #4468 | JetSticky For Elementor | 59 | 13 | 38 | 30k+ | Nonce verification recommended | ||
| #4469 | Logo or Image Replace by mycore.global | 59 | 30 | 12 | 400 | Text Domain Mismatch | ||
| #4470 | Mango Buttons | 59 | 14 | 21 | 3k+ | Output is not escaped | ||
| #4471 | Pattern Wrangler – Manage Block Patterns and Pattern Categories | 59 | 14 | 73 | 400 | Non-prefixed global variable | ||
| #4472 | pensopay Payments v2 | 59 | 413 | 32 | 1k+ | Non Singular String Literal Domain | ||
| #4473 | Post Type Select Field for Advanced Custom Fields | 59 | 48 | 1 | 900 | Text Domain Mismatch | ||
| #4474 | SureFeedback Client Site | 59 | 47 | 24 | 5k+ | Text Domain Mismatch | ||
| #4475 | Resize Image After Upload | 59 | 15 | 11 | 80k+ | Output is not escaped | ||
| #4476 | Simplelightbox | 59 | 32 | 4 | 1k+ | Output is not escaped | ||
| #4477 | Subscribers – Free Web Push Notifications | 59 | 15 | 11 | 1k+ | Output is not escaped | ||
| #4478 | Super Progressive Web Apps | 59 | 62 | 22 | 40k+ | wp function not compatible with requires wp | ||
| #4479 | Text Scroll Widget | 59 | 30 | 2 | 400 | Output is not escaped | ||
| #4480 | Typebot | 59 | 17 | 9 | 3k+ | Output is not escaped | ||
| #4481 | Videojs HTML5 Player | 59 | 12 | 12 | 8k+ | Nonce verification recommended | ||
| #4482 | Konnect Payment Gateway for WooCommerce | 59 | 39 | 16 | 400 | Text Domain Mismatch | ||
| #4483 | Payment Gateway for LiqPay for Woocommerce | 59 | 84 | 31 | 1k+ | Text Domain Mismatch | ||
| #4484 | Hide Posts | 59 | 9 | 70 | 20k+ | Direct Query | ||
| #4485 | GST Invoice for WooCommerce | 59 | 10 | 42 | 1k+ | Missing nonce verification | ||
| #4486 | RevivePress – Keep your Old Content Evergreen | 59 | 27 | 46 | 5k+ | date date | ||
| #4487 | WP Shortcode by MyThemeShop | 59 | 32 | 5 | 10k+ | Output is not escaped | ||
| #4488 | Accesibilidad Web con el Widget de AccedeMe | 60 | 22 | 23 | 1k+ | Text Domain Mismatch | ||
| #4489 | Admin Menu Groups | 60 | 26 | 10 | 800 | Output is not escaped | ||
| #4490 | Bandsintown Events | 60 | 80 | 28 | 4k+ | wp function not compatible with requires wp | ||
| #4491 | Post Blocks & Tools | 60 | 9 | 46 | 400 | Missing nonce verification | ||
| #4492 | Contact Form 7 – Phone mask field | 60 | 21 | 7 | 20k+ | Unsafe printing function | ||
| #4493 | Contact Form 7 Modules | 60 | 47 | 15 | 5k+ | Text Domain Mismatch | ||
| #4494 | Disable Emails | 60 | 25 | 16 | 30k+ | Short PHP open tag found | ||
| #4495 | EPROLO-Dropshipping | 60 | 16 | 34 | 1k+ | Missing nonce verification | ||
| #4496 | FancyBox for WordPress | 60 | 175 | 33 | 30k+ | Text Domain Mismatch | ||
| #4497 | Freshchat | 60 | 16 | 10 | 1k+ | Output is not escaped | ||
| #4498 | GamiPress – Button | 60 | 34 | 8 | 900 | Text Domain Mismatch | ||
| #4499 | Genesis Featured Widget Amplified | 60 | 126 | 12 | 2k+ | Text Domain Mismatch | ||
| #4500 | HelloAsso | 60 | 132 | 89 | 4k+ | Short PHP open tag found |