missing_direct_file_access_protection
Missing direct file access protection
A PHP file in the plugin can be loaded directly instead of through WordPress.
Why It Shows Up
Plugin Check found a PHP file without an early guard such as an ABSPATH check. Without that guard, a browser or script can request the file by path.
Why It Matters
Direct access can run code outside the normal WordPress bootstrap, expose output, or trigger assumptions about loaded functions, permissions, and request context.
How to Fix
- Add a guard near the top of PHP files that are not intended to be requested directly.
- Use `if ( ! defined( 'ABSPATH' ) ) { exit; }` before the file performs work or sends output.
- Keep template partials and bootstrap files protected too, not only the main plugin file.
Notes
- Files that are deliberately public endpoints should route through WordPress APIs or explicitly validate the request before doing work.
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4751 | HiFi (Head Injection, Foot Injection) | 66 | 13 | 11 | 2k+ | Output is not escaped | ||
| #4752 | Free Property Valuation (Lead Generator) / Kostenlose Immobilienbewertung | 66 | 11 | 5 | 600 | Unsafe printing function | ||
| #4753 | LeadBack – Callback, Chatbot and Live Chat Widgets for WordPress sites | 66 | 17 | 5 | 600 | Unsafe printing function | ||
| #4754 | Leadpages | 66 | 6 | 62 | 10k+ | Direct Query | ||
| #4755 | Link Widget Title | 66 | 22 | 5 | 4k+ | Output is not escaped | ||
| #4756 | Page Title Splitter | 66 | 29 | 8 | 1k+ | wp function not compatible with requires wp | ||
| #4757 | Page Meta | 66 | 26 | 14 | 700 | Missing Arg Domain | ||
| #4758 | Product Code for WooCommerce | 66 | 13 | 54 | 1k+ | Missing direct file access protection | ||
| #4759 | Product Size Chart For WooCommerce | 66 | 9 | 22 | 6k+ | Non-prefixed hook name | ||
| #4760 | Mailchimp Widget by ProteusThemes | 66 | 17 | 9 | 1k+ | Output is not escaped | ||
| #4761 | Raw HTML | 66 | 17 | 35 | 10k+ | Non-prefixed function | ||
| #4762 | Safe Redirect Manager | 66 | 9 | 60 | 40k+ | Non-prefixed hook name | ||
| #4763 | Seed Fonts | 66 | 29 | 11 | 20k+ | Output is not escaped | ||
| #4764 | TAO Schedule Update | 66 | 37 | 11 | 2k+ | Text Domain Mismatch | ||
| #4765 | User Profile Picture | 66 | 9 | 8 | 4k+ | Missing nonce verification | ||
| #4766 | Visual Link Preview | 66 | 47 | 2 | 10k+ | Output is not escaped | ||
| #4767 | Ajax add to cart for WooCommerce | 66 | 67 | 31 | 10k+ | Text Domain Mismatch | ||
| #4768 | Frenet Shipping Gateway for WooCommerce – Correios, Etiquetas e Rastreio | 66 | 22 | 31 | 4k+ | Non-prefixed global variable | ||
| #4769 | WooCommerce Accepted Payment Methods | 66 | 28 | 4 | 2k+ | badly named files | ||
| #4770 | WP Simple Adsense Insertion | 66 | 3 | 29 | 3k+ | Input is not validated | ||
| #4771 | WP Redis | 66 | 11 | 25 | 9k+ | Interpolated SQL is not prepared | ||
| #4772 | WP Scroll Depth | 66 | 29 | 9 | 1k+ | Output is not escaped | ||
| #4773 | Video Popup for Elementor – WPTD | 66 | 33 | 13 | 1k+ | Output is not escaped | ||
| #4774 | Add Logo to Admin | 67 | 14 | 3 | 6k+ | Unsafe printing function | ||
| #4775 | Address correction autocomplete for Woo | 67 | 19 | 9 | 1k+ | Text Domain Mismatch | ||
| #4776 | Raptive Ads | 67 | 34 | 31 | 6k+ | Text Domain Mismatch | ||
| #4777 | Affiliates Manager Google reCAPTCHA Integration | 67 | 18 | 10 | 400 | Request data is not unslashed | ||
| #4778 | Awesome Contact Form7 for Elementor | 67 | 20 | 30 | 7k+ | Non-prefixed global variable | ||
| #4779 | Breadcrumbs Divi Module | 67 | 44 | 38 | 10k+ | Text Domain Mismatch | ||
| #4780 | Caddy – WooCommerce Side Cart & Free Shipping Bar | 67 | 38 | 199 | 3k+ | Non-prefixed global variable | ||
| #4781 | CCM19 Integration | 67 | 14 | 13 | 4k+ | Nonce verification recommended | ||
| #4782 | Custom CSS Pro | 67 | 17 | 6 | 7k+ | Output is not escaped | ||
| #4783 | Custom Link Widget | 67 | 28 | 0 | 1k+ | Output is not escaped | ||
| #4784 | Duplicate TEC Event | 67 | 12 | 10 | 900 | date date | ||
| #4785 | Dynamic Text Field For Contact Form 7 | 67 | 20 | 7 | 1k+ | Unsafe printing function | ||
| #4786 | Easy Media Replace | 67 | 16 | 14 | 1k+ | Output is not escaped | ||
| #4787 | Editoria11y Accessibility Checker | 67 | 69 | 55 | 1k+ | Text Domain Mismatch | ||
| #4788 | Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor | 67 | 57 | 98 | 10k+ | Non-prefixed global variable | ||
| #4789 | WordPress.com Editing Toolkit | 67 | 52 | 90 | 1k+ | Missing direct file access protection | ||
| #4790 | GravityExport Lite for Gravity Forms | 67 | 48 | 14 | 10k+ | Output is not escaped | ||
| #4791 | Hide Page And Post Title | 67 | 11 | 8 | 40k+ | Output is not escaped | ||
| #4792 | Mailster Gmail Integration | 67 | 15 | 13 | 1k+ | Missing Translators Comment | ||
| #4793 | Manage Upload Types | 67 | 7 | 13 | 400 | Output is not escaped | ||
| #4794 | Map Block Leaflet | 67 | 52 | 7 | 700 | Short PHP open tag found | ||
| #4795 | Meks Audio Player | 67 | 25 | 7 | 1k+ | Output is not escaped | ||
| #4796 | MetaTag | 67 | 7 | 13 | 600 | Input is not validated | ||
| #4797 | Mosaic Gallery – Advanced Gallery | 67 | 45 | 79 | 3k+ | Non-prefixed global variable | ||
| #4798 | Mouse cursor customizer | 67 | 5 | 38 | 1k+ | Missing nonce verification | ||
| #4799 | onOffice for WP-Websites | 67 | 5 | 507 | 1k+ | Non-prefixed global variable | ||
| #4800 | Per Page Sidebars | 67 | 12 | 11 | 900 | Input is not validated |