Description
The WordPress Plugin Check tool (`wp plugin check`) has flagged 13 PHP files in the EmbedPress plugin that are missing the required direct file access protection guard. This is a mandatory requirement for all plugins listed on the WordPress.org plugin directory.
Every PHP file in the plugin is reachable by URL, because the plugin directory sits under the web root; this holds regardless of whether WordPress itself only ever loads the file via `require`/`include`. Each such file must therefore stop executing when the `ABSPATH` constant is not defined, with the check placed near the top of the file. Without this guard, anyone can request these files directly, potentially leaking server paths through PHP errors, triggering partial PHP execution, or causing unexpected output.
The fix is simple: add the following line at the top of each affected file, immediately after the opening `<?php` tag. One caveat: in files that start with a `namespace ...;` statement (or `declare(strict_types=1);`), the guard goes immediately after that statement instead, because PHP requires `namespace` and `strict_types` declarations to be the first statement in the file and fails with a fatal error otherwise. `defined( 'ABSPATH' ) || exit;` is an equivalent form that Plugin Check also accepts.

```php
<?php
if ( ! defined( 'ABSPATH' ) ) exit;
```
Affected Files
The following files (detected by Plugin Check missing_direct_file_access_protection) are missing the guard:
| # | File |
|---|------|
| 1 | EmbedPress/Ends/Back/Settings/templates/partials/sidebar.php |
| 2 | EmbedPress/Ends/Back/Settings/templates/partials/toast-message.php |
| 3 | EmbedPress/Ends/Back/Settings/templates/partials/footer.php |
| 4 | EmbedPress/Ends/Back/Settings/EmbedpressSettings.php |
| 5 | EmbedPress/Ends/Back/Handler.php |
| 6 | EmbedPress/DisablerLegacy.php |
| 7 | EmbedPress/Analytics/Analytics.php |
| 8 | EmbedPress/Gutenberg/BlockManager.php |
| 9 | EmbedPress/Includes/Classes/Analytics/Content_Cache_Manager.php |
| 10 | EmbedPress/Includes/Classes/FeatureNotices.php |
| 11 | EmbedPress/Loader.php |
| 12 | EmbedPress/CoreLegacy.php |
| 13 | Core/LocalizationManager.php |
Why This Is Necessary
WordPress loads plugin PHP files through its bootstrap process, so `ABSPATH` is always defined in a normal WordPress request. If a PHP file is accessed directly via a URL (e.g., `https://example.com/wp-content/plugins/embedpress/EmbedPress/Loader.php`), `ABSPATH` is not defined and the guard makes the script exit immediately with an empty response, preventing:
- Path disclosure — PHP errors may reveal absolute server paths.
- Partial execution — Class/function definitions or side-effect code running in an unexpected context.
- Review failure — a failing point in WordPress.org's automated and manual plugin review.
The guard only neutralises direct execution of the file; it is not a substitute for capability, nonce and input checks in code that WordPress does load.
Reference: WordPress Plugin Handbook — Direct File Access
Steps to Reproduce (using Plugin Check)
1. Install the Plugin Check plugin on any WordPress installation:
   - Via WP Admin: Plugins > Add New > search "Plugin Check" by the WordPress Plugin Review Team.
   - Or via WP-CLI:
     ```
     wp plugin install plugin-check --activate
     ```
2. Run the check against EmbedPress using WP-CLI:
   ```
   wp plugin check embedpress --ignore-warnings --allow-root
   ```
3. Observe the `ERROR` entries with code `missing_direct_file_access_protection` for all 13 files listed above.
Alternatively, navigate to Tools > Plugin Check in WP Admin, select EmbedPress, and run the check — the same errors will be listed there.
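A quick local equivalent of the check above, usable as a pre-commit hook before running Plugin Check, and a helper that applies the fix in the right place. This is an added example written for this ticket, not code from EmbedPress or from Plugin Check. Assumptions that are not from the ticket: a guard counts as present if a `defined('ABSPATH')` test appears within the first 20 lines (the `GUARD_WINDOW` limit is made up for this script), and files use single-line `<?php`, `namespace X;` and `declare(...)` forms. The helper places the guard after a `namespace` or `declare` statement when one exists, since PHP requires those to come first.

```bash
#!/bin/sh
# Added example for this ticket, not EmbedPress or Plugin Check code.
# scan: list .php files under a directory that lack the ABSPATH guard.
# fix:  insert the guard into each of those files.
# Assumptions (not from the ticket): GUARD_WINDOW is an arbitrary limit;
# "<?php", "namespace X;" and "declare(...)" each sit on their own line.
set -u

GUARD="if ( ! defined( 'ABSPATH' ) ) exit;"
GUARD_WINDOW=20

# has_guard FILE: exit 0 if an ABSPATH check appears in the first GUARD_WINDOW lines
has_guard() {
  head -n "$GUARD_WINDOW" "$1" | grep -Eq "defined\( *['\"]ABSPATH['\"] *\)"
}

# find_unguarded DIR: print every .php file under DIR without a guard,
# sorted so the output diffs cleanly against the table in this ticket
find_unguarded() {
  find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
    has_guard "$f" || printf '%s\n' "$f"
  done
}

# add_guard FILE: insert the guard after the first <?php tag. PHP requires
# namespace (and declare(strict_types=1)) to be the first statement, so in
# such files the guard goes after that statement instead. Files that already
# have a guard are left untouched; a file with no <?php tag returns 1.
add_guard() {
  f="$1"
  has_guard "$f" && return 0
  grep -q '^<?php' "$f" || return 1
  anchor='^<[?]php'
  grep -Eq '^declare *\(' "$f" && anchor='^declare *[(]'
  grep -Eq '^namespace [^;]+;' "$f" && anchor='^namespace '
  tmp=$(mktemp)
  # print the file, emitting the guard right after the first anchor line
  awk -v g="$GUARD" -v a="$anchor" '{ print } !done && $0 ~ a { print g; done = 1 }' "$f" > "$tmp" \
    && cat "$tmp" > "$f"   # cat, not mv, keeps the original file's permissions
  rm -f "$tmp"
}

# Usage: sh abspath-guard.sh scan wp-content/plugins/embedpress
#        sh abspath-guard.sh fix  wp-content/plugins/embedpress
case "${1:-}" in
  scan) find_unguarded "${2:-.}" ;;
  fix)  find_unguarded "${2:-.}" | while IFS= read -r f; do
          add_guard "$f" && echo "guarded: $f"
        done ;;
esac
```

The scan is deliberately a loose grep, so it can report files that Plugin Check would pass (for example a guard placed further down than line 20); treat `wp plugin check` as the authority and this script as a fast pre-flight. Review each `fix` result in the diff before committing, since the anchor heuristics only cover the file layouts listed above.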
✅ QA Acceptance Checklist
After the fix is applied, QA should verify the following:
- `if ( ! defined( 'ABSPATH' ) ) exit;` (or equivalent) is added immediately after the opening `<?php` tag in each of the 13 files.
- `wp plugin check embedpress --ignore-warnings` returns zero `missing_direct_file_access_protection` errors.
- Requesting an affected file directly in a browser (e.g. `https://yoursite.com/wp-content/plugins/embedpress/EmbedPress/Loader.php`) returns an empty/blank response, not a PHP error or partial output.