Description
Direct file access occurs when someone requests a PHP file directly, by entering its full path in the browser's address bar or by sending a request (for example a POST) straight to that file, instead of going through WordPress.
For files that only contain class or function definitions, the risk from direct access is minimal: nothing is executed. For files that contain executable code (e.g., function calls, class instance creation, class method calls, or inclusion of other PHP files), the impact is hard to predict because it depends on the specific case, but it can exist and it can be high. At minimum, calling WordPress functions without WordPress loaded raises a fatal error, and if PHP is configured to display errors the message discloses the server path of the file.
You can easily prevent this by adding the following code at the top of all PHP files that could potentially execute code if accessed directly:
if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
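To find files that still need the guard, the following scanner lists PHP files whose first 20 lines contain no `defined( 'ABSPATH' )` check. This is an added example, not code from the plugin or from the review; the sample plugin tree it builds (a guarded template, an unguarded template with top-level code, and a definitions-only helper) is constructed for the demonstration, and the file names and the `myplugin_` prefix are made up.

```sh
#!/bin/sh
# Added example: scan a plugin tree for PHP files lacking the ABSPATH guard.
# Not the plugin's or the reviewer's code; sample files below are constructed.

# find_unguarded DIR
# Prints every *.php file under DIR whose first 20 lines do not contain a
# defined('ABSPATH') / defined( 'ABSPATH' ) / defined("ABSPATH") check.
# Definitions-only files are reported too; the guard is cheap, so reviewing
# each hit is simpler than guessing which files execute code.
find_unguarded() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        head -n 20 "$f" | grep -Eq "defined\( *['\"]ABSPATH['\"] *\)" || printf '%s\n' "$f"
    done
}

# make_sample_tree
# Builds a constructed plugin layout in a temp dir and prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/templates/admin" "$root/templates/public" "$root/includes"

    # Guarded template: a direct request exits before anything else runs.
    cat > "$root/templates/admin/dashboard.php" <<'EOF'
<?php
if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
$user = wp_get_current_user();
echo '<h1>' . esc_html( $user->display_name ) . '</h1>';
EOF

    # Unguarded template with top-level code: requested directly, it calls
    # wp_get_current_user() with WordPress not loaded and dies with a fatal error.
    cat > "$root/templates/public/profile.php" <<'EOF'
<?php
$user = wp_get_current_user();
echo '<h1>' . esc_html( $user->display_name ) . '</h1>';
EOF

    # Definitions only: nothing executes on direct access (low risk), still listed.
    cat > "$root/includes/helpers.php" <<'EOF'
<?php
function myplugin_format_name( $name ) { return trim( $name ); }
EOF

    printf '%s\n' "$root"
}

# Stand-alone demo: build the sample tree, report unguarded files, clean up.
demo_root=$(make_sample_tree)
find_unguarded "$demo_root"
rm -rf "$demo_root"
```

Run `find_unguarded path/to/plugin` against the real plugin directory to get the list to fix. The pattern only recognises the `ABSPATH` form of the guard; if a code base uses another constant such as `WPINC`, extend the regular expression accordingly.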
Example(s) from your plugin:
templates/admin/dashboard.php:13
templates/public/profile.php:5
templates/admin/paywall-settings.php:4
templates/public/sticky-header.php:3
templates/admin/content.php:4
templates/admin/customers.php:3