WordPress.PHP.DevelopmentFunctions.prevent_path_disclosure_error_reporting
prevent path disclosure error reporting
Development or debugging behavior appears in code that may run in production.
Why It Shows Up
The scan found logging, debugging, path disclosure, `phpinfo()`, error-reporting changes, or similar development-oriented functions.
Why It Matters
Debug output can leak paths, configuration, request data, stack details, or sensitive runtime information.
How to Fix
- Remove temporary debugging calls before release.
- If logging is required, guard it with `WP_DEBUG` or a plugin setting intended for administrators.
- Never show debug details to unauthenticated visitors or normal front-end users.
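The three fixes above, combined in one sketch. This is an added example, not code from the scanner or from any plugin listed on this page; the function names `myplugin_debug_log()` and `myplugin_render_error()` and the option `myplugin_debug_logging` are hypothetical.

```php
<?php
// Added example. Hypothetical names: myplugin_debug_log(),
// myplugin_render_error(), option 'myplugin_debug_logging'.

// Flagged pattern: unconditional development settings left in shipped code.
// On a live site this can print file paths and request data to any visitor.
//
//   error_reporting( E_ALL );
//   ini_set( 'display_errors', '1' );
//   var_dump( $_REQUEST );

/**
 * Write a diagnostic line to the PHP error log, never to the page.
 * Runs only when WP_DEBUG is on or an administrator enabled the plugin setting.
 */
function myplugin_debug_log( $message, array $context = array() ) {
	$debug_on   = defined( 'WP_DEBUG' ) && WP_DEBUG;
	// Assumption: this option is saved from an admin-only settings screen.
	$setting_on = (bool) get_option( 'myplugin_debug_logging', false );
	if ( ! $debug_on && ! $setting_on ) {
		return false;
	}

	// Keep secrets out of the log file as well.
	$redact = array( 'password', 'pwd', 'token', 'nonce', 'authorization', 'cookie' );
	foreach ( $context as $key => $value ) {
		if ( in_array( strtolower( (string) $key ), $redact, true ) ) {
			$context[ $key ] = '[redacted]';
		}
	}

	error_log( '[myplugin] ' . $message . ' ' . wp_json_encode( $context ) );
	return true;
}

/**
 * Build the error markup: a generic message for everyone, and the
 * technical detail only for administrators while WP_DEBUG is enabled.
 */
function myplugin_render_error( $public_message, $detail ) {
	$html = '<p>' . esc_html( $public_message ) . '</p>';
	if ( defined( 'WP_DEBUG' ) && WP_DEBUG && current_user_can( 'manage_options' ) ) {
		$html .= '<pre>' . esc_html( $detail ) . '</pre>';
	}
	return $html;
}
```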
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #251 | Year Make Model Search for WooCommerce | 35 | 188 | 162 | 1k+ | | | Output is not escaped |
| #252 | authLdap | 36 | 47 | 30 | 4k+ | | | Exception output is not escaped |
| #253 | CP Blocks | 36 | 46 | 38 | 1k+ | | | wp function not compatible with requires wp |
| #254 | Google SEO Pressor for Rich snippets | 36 | 51 | 160 | 400 | | | Missing nonce verification |
| #255 | Speed Optimizer – The All-In-One Performance-Boosting Plugin | 36 | 45 | 96 | 1m+ | | | Non-prefixed hook name |
| #256 | Wanderlust OCA para WooCommerce | 36 | 157 | 55 | 500 | | | Text Domain Mismatch |
| #257 | WP Coder – Insert & Manage Code Snippets | 36 | 53 | 280 | 10k+ | | | Nonce verification recommended |
| #258 | 360 Javascript Viewer | 37 | 144 | 22 | 1k+ | | | Output is not escaped |
| #259 | Delivery Date Time & Pickup for WooCommerce | 37 | 148 | 216 | 400 | | | Output is not escaped |
| #260 | Get Custom Field Values | 37 | 40 | 44 | 1k+ | | | Output is not escaped |
| #261 | XML Sitemap Generator for Google | 37 | 43 | 79 | 1m+ | | | Input is not validated |
| #262 | Phoenix Media Rename | 37 | 175 | 104 | 50k+ | | | Output is not escaped |
| #263 | Ashe Extra | 38 | 109 | 54 | 3k+ | | | Text Domain Mismatch |
| #264 | CRUDLab Disable Comments | 38 | 20 | 54 | 700 | | | Missing nonce verification |
| #265 | Buttonizer – Social Media Share Buttons, Social Icons, & Social Feeds | 38 | 167 | 82 | 50k+ | | | Output is not escaped |
| #266 | Lana Downloads Manager | 38 | 146 | 78 | 3k+ | | | Unsafe printing function |
| #267 | Responsive Mailform ( Plugin Version ) – easy, responsive, contact, mailform | 38 | 120 | 107 | 500 | | | Output is not escaped |
| #268 | Slickplan Importer | 38 | 40 | 58 | 400 | | | Non-prefixed global variable |
| #269 | Templatiq | 38 | 31 | 94 | 900 | | | Non-prefixed hook name |
| #270 | BugSnag Error Monitoring plugin | 39 | 52 | 96 | 2k+ | | | wp function not compatible with requires wp |
| #271 | Culqi | 39 | 571 | 88 | 1k+ | | | Text Domain Mismatch |
| #272 | Library Viewer | 39 | 65 | 93 | 400 | | | Non-prefixed hook name |
| #273 | UserHeat Plugin | 39 | 121 | 20 | 6k+ | | | Non Singular String Literal Domain |
| #274 | WP Multibyte Patch | 39 | 24 | 55 | 1m+ | | | Input is not sanitized |
| #275 | Analytics Germanized for Google Analytics (GDPR / DSGVO) | 40 | 49 | 14 | 8k+ | | | Output is not escaped |
| #276 | QR code MeCard/vCard generator | 40 | 322 | 21 | 2k+ | | | Unsafe printing function |
| #277 | Lockdown WP Admin | 41 | 20 | 50 | 10k+ | | | Request data is not unslashed |
| #278 | Text Hover | 41 | 44 | 13 | 1k+ | | | Output is not escaped |
| #279 | Text Replace | 41 | 55 | 12 | 3k+ | | | Output is not escaped |
| #280 | Trusty Whistleblowing Solution | 42 | 230 | 17 | 400 | | | Text Domain Mismatch |
| #281 | Directorist – WPML Integration | 43 | 10 | 134 | 400 | | | Non-prefixed hook name |
| #282 | Good Old Twitter Feed Widget | 43 | 110 | 10 | 400 | | | Text Domain Mismatch |
| #283 | Buttonizer – Live Chat, AI Chatbot, Call, Chat, Contact Button | 44 | 24 | 71 | 50k+ | | | Non-prefixed constant |
| #284 | Tabby Checkout | 47 | 33 | 46 | 4k+ | | | Non-prefixed class |
| #285 | WP PHP Console | 47 | 18 | 24 | 500 | | | Output is not escaped |
| #286 | MWW Disclaimer Buttons | 48 | 21 | 16 | 400 | | | Output is not escaped |
| #287 | Search in Place | 49 | 74 | 57 | 3k+ | | | wp function not compatible with requires wp |
| #288 | PDF Invoices & Packing Slips for WooCommerce – Challan | 49 | 56 | 151 | 4k+ | | | Non-prefixed global variable |
| #289 | StoryChief | 51 | 12 | 55 | 1k+ | | | Input is not sanitized |
| #290 | Hangul font nanumgothic – google | 52 | 35 | 16 | 1k+ | | | Output is not escaped |
| #291 | WP Hooks Finder | 52 | 27 | 31 | 1k+ | | | Output is not escaped |
| #292 | Social Media Widget | 53 | 90 | 21 | 30k+ | | | Text Domain Mismatch |
| #293 | WP Console – WordPress PHP Console powered by PsySH | 53 | 34 | 48 | 20k+ | | | Exception output is not escaped |
| #294 | Anti-Captcha (anti-spam botblocker) | 56 | 23 | 26 | 1k+ | | | rand mt rand |
| #295 | Blog Time | 57 | 38 | 6 | 600 | | | Output is not escaped |
| #296 | Text Domain Inspector | 61 | 41 | 36 | 400 | | | Non-prefixed global variable |
| #297 | Mantenimiento web | 63 | 49 | 15 | 20k+ | | | Text Domain Mismatch |
| #298 | Werk aan de Muur | 64 | 48 | 20 | 900 | | | Non Singular String Literal Domain |
| #299 | CP Media Player – Audio Player and Video Player | 66 | 224 | 48 | 3k+ | | | Text Domain Mismatch |
| #300 | Payment Gateway for Cpay with WooCommerce | 67 | 67 | 26 | 400 | | | wp function not compatible with requires wp |