Description
Allowing direct file access to plugin files
Direct file access occurs when someone directly queries a PHP file. This can be done by entering the complete path to the file in the browser's URL bar or by sending a POST request directly to the file.
For files that only contain class or function definitions, the risk of something funky happening when accessed directly is minimal. However, for files that contain executable code (e.g., function calls, class instance creation, class method calls, or inclusion of other PHP files), the risk of security issues is hard to predict because it depends on the specific case, but it can exist and it can be high.
You can easily prevent this by adding the following code at the beginning of all PHP files that could potentially execute code if accessed directly:
if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
Add it after the <?php opening tag and after the namespace declaration, if any, but before any other code.
Example(s) from your plugin:
templates/form-fields/url-field.php:14
templates/form-fields/timezone-field.php:15
autoupdater/templates/addon-licence.php:2
templates/event-submitted.php:2
admin/wp-event-manager-field-editor.php:382
templates/venue/content-single-event_listing-venue.php:9
templates/venue/venue-dashboard.php:1
templates/form-fields/select-field.php:1
... out of a total of 75 incidences.
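As an added maintainer-side check, not part of this report or of the plugin: a small POSIX shell script that lists the PHP files under a plugin directory that lack the ABSPATH guard described above, run here against a constructed three-file sample tree (the file names and contents are made up for the example).

```shell
#!/bin/sh
# Added example, not from the plugin or this report: a maintainer-side check that
# lists PHP files under a plugin directory with no ABSPATH guard in their first
# 40 lines. Files holding only definitions are low risk per the text above, but
# they are listed too, since the guard is harmless there and the list is complete.

# find_unguarded <plugin-dir> -> prints unguarded files, one relative path per line
find_unguarded() {
    dir="$1"
    find "$dir" -type f -name '*.php' | sort | while IFS= read -r f; do
        # Accepts defined('ABSPATH'), defined( "ABSPATH" ), ! defined(...) etc.
        if ! head -n 40 "$f" | grep -Eq "defined\( *['\"]ABSPATH['\"] *\)"; then
            printf '%s\n' "${f#"$dir/"}"
        fi
    done
}

# build_sample_tree -> creates a constructed three-file plugin tree in a temp dir
# and prints its path, so the example runs offline on known input
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/templates" "$root/includes"
    cat > "$root/templates/guarded.php" <<'EOF'
<?php
if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
echo esc_html( $title );
EOF
    cat > "$root/templates/unguarded.php" <<'EOF'
<?php
// Top-level call with no guard: runs on a direct request to this file
echo esc_html( $title );
EOF
    cat > "$root/includes/class-only.php" <<'EOF'
<?php
namespace Example;
class Only_Definitions { public function run() {} }
EOF
    printf '%s\n' "$root"
}

SAMPLE_DIR=$(build_sample_tree)
find_unguarded "$SAMPLE_DIR"   # prints includes/class-only.php and templates/unguarded.php
rm -rf "$SAMPLE_DIR"
```

Point it at the plugin root (`find_unguarded /path/to/plugin`) to get the full list of candidates; the 40-line window is an assumption of this script, chosen because the guard belongs right after the opening tag and namespace declaration.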