WordPress.PHP.DevelopmentFunctions.prevent_path_disclosure_phpinfo
prevent path disclosure phpinfo
Development or debugging behavior appears in code that may run in production.
Why It Shows Up
The scan found logging, debugging, path disclosure, `phpinfo()`, error-reporting changes, or similar development-oriented functions.
Why It Matters
Debug output can leak paths, configuration, request data, stack details, or sensitive runtime information.
How to Fix
- Remove temporary debugging calls before release.
- If logging is required, guard it with `WP_DEBUG` or a plugin setting intended for administrators.
- Never show debug details to unauthenticated visitors or normal front-end users.
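The guarded pattern described in the list above, as an added example that is not code from this page or from any plugin listed here. The `myplugin_` prefix, the page slug, the text domain and the choice of displayed values are assumptions made for illustration.

```php
<?php
// Added example; every myplugin_ name, the slug and the text domain are hypothetical.

// Flagged pattern: an unconditional call left in a template or request handler.
// phpinfo();

// Guarded replacement: diagnostics live in wp-admin and require an administrator capability.
add_action( 'admin_menu', 'myplugin_register_diagnostics_page' );

function myplugin_register_diagnostics_page() {
	add_management_page(
		'MyPlugin Diagnostics',
		'MyPlugin Diagnostics',
		'manage_options',              // Capability checked by WordPress before the menu item is shown.
		'myplugin-diagnostics',
		'myplugin_render_diagnostics_page'
	);
}

function myplugin_render_diagnostics_page() {
	// Re-check the capability in the callback itself, not only at menu registration.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to view this page.', 'myplugin' ) );
	}

	// Show a short allow-list of values instead of the full phpinfo() dump,
	// which includes filesystem paths and environment variables.
	$rows = array(
		'PHP version'  => PHP_VERSION,
		'Memory limit' => ini_get( 'memory_limit' ),
		'WP_DEBUG'     => ( defined( 'WP_DEBUG' ) && WP_DEBUG ) ? 'on' : 'off',
	);

	echo '<div class="wrap"><h1>' . esc_html__( 'Diagnostics', 'myplugin' ) . '</h1><table class="widefat">';
	foreach ( $rows as $label => $value ) {
		echo '<tr><th>' . esc_html( $label ) . '</th><td>' . esc_html( (string) $value ) . '</td></tr>';
	}
	echo '</table></div>';
}

// Logging guarded by WP_DEBUG: writes to the log file only, never to the response.
function myplugin_debug_log( $message ) {
	if ( defined( 'WP_DEBUG' ) && WP_DEBUG && defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG ) {
		error_log( '[myplugin] ' . $message );
	}
}
```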
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1 | BulletProof Security | 0 | 5,048 | 4,949 | 20k+ | 2026-05-20 | Output Not Escaped |
| #2 | Robin Image Optimizer – Unlimited Image Optimization, WebP & AVIF | 20 | 557 | 541 | 100k+ | 2026-05-19 | Output Not Escaped |
| #3 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | 2026-05-22 | Output Not Escaped |
| #4 | Wordfence Security – Firewall, Malware Scan, and Login Security | 21 | 1,592 | 2,973 | 5m+ | 2026-05-13 | Output Not Escaped |
| #5 | WP phpMyAdmin | 21 | 4,528 | 6,435 | 50k+ | 2025-10-17 | Missing Arg Domain |
| #6 | E2Pdf – Export Pdf Tool for WordPress | 22 | 1,075 | 836 | 10k+ | 2026-06-16 | Unsafe Printing Function |
| #7 | InfiniteWP Client | 22 | 2,286 | 1,812 | 200k+ | 2026-02-26 | Exception Not Escaped |
| #8 | NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall | 22 | 1,265 | 2,065 | 100k+ | 2026-06-07 | Non Prefixed Variable Found |
| #9 | Prime Mover – Migrate WordPress Website & Backups | 22 | 1,326 | 1,600 | 10k+ | 2026-06-06 | Non Prefixed Variable Found |
| #10 | Search & Replace Everything – Quick and Easy Way to Find and Replace Text, Links | 22 | 1,044 | 1,797 | 20k+ | 2026-05-27 | Non Prefixed Variable Found |
| #11 | URL Shortify – Simple and Easy URL Shortener | 22 | 1,520 | 2,689 | 10k+ | 2026-06-04 | Non Prefixed Variable Found |
| #12 | ManageWP Worker | 22 | 507 | 565 | 1m+ | 2026-05-11 | Non Prefixed Class Found |
| #13 | WP Umbrella: Update Backup Restore & Monitoring | 22 | 915 | 905 | 70k+ | 2026-06-10 | Exception Not Escaped |
| #14 | YaySMTP – WP Mail SMTP with Email Logs, Tracking & Reports | 22 | 654 | 435 | 10k+ | 2026-06-16 | Exception Not Escaped |
| #15 | Ecwid by Lightspeed Ecommerce Shopping Cart | 23 | 339 | 307 | 20k+ | 2026-02-13 | missing direct file access protection |
| #16 | Unlimited Elements For Elementor | 24 | 709 | 2,092 | 300k+ | 2026-05-14 | Non Prefixed Variable Found |
| #17 | WPeMatico RSS Feed Fetcher | 24 | 1,376 | 582 | 10k+ | 2026-06-15 | Output Not Escaped |
| #18 | Beaver Builder Page Builder – Drag and Drop Website Builder | 25 | 4,463 | 1,819 | 100k+ | 2026-06-08 | Text Domain Mismatch |
| #19 | Online Scheduling and Appointment Booking System – Bookly | 25 | 3,528 | 870 | 60k+ | 2026-06-04 | Text Domain Mismatch |
| #20 | Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel | 25 | 876 | 1,798 | 100k+ | 2026-05-21 | Non Prefixed Variable Found |
| #21 | Index WP MySQL For Speed | 25 | 250 | 255 | 50k+ | 2026-05-07 | Output Not Escaped |
| #22 | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | 25 | 960 | 738 | 60k+ | 2026-06-16 | Text Domain Mismatch |
| #23 | Kadence Central – Site Management, Backups, Security, and Reporting | 26 | 462 | 213 | 30k+ | 2026-06-11 | Text Domain Mismatch |
| #24 | LWS Tools | 31 | 104 | 134 | 20k+ | 2026-06-15 | Missing Unslash |
| #25 | WP Edit | 33 | 337 | 137 | 40k+ | 2018-10-15 | Unsafe Printing Function |
| #26 | Health Check & Troubleshooting | 35 | 264 | 238 | 300k+ | 2024-07-25 | Missing Arg Domain |
| #27 | WP-ServerInfo | 38 | 162 | 55 | 10k+ | 2023-08-09 | Output Not Escaped |
| #28 | Compress, Resize & Lazy Load Images – WPvivid Image Optimization | 47 | 107 | 58 | 10k+ | 2026-06-01 | missing direct file access protection |
| #29 | Cloudways WordPress Migrator | 62 | 15 | 25 | 20k+ | 2026-04-20 | Output Not Escaped |
| #30 | DreamHost Automated Migration | 62 | 15 | 23 | 20k+ | 2026-04-20 | Output Not Escaped |
| #31 | Migrate Guru – Site Migration & Cloning | 81 | 7 | 8 | 200k+ | 2026-04-20 | Unescaped DBParameter |
| #32 | BlogVault Backup & Staging | 82 | 53 | 22 | 80k+ | 2026-06-06 | missing direct file access protection |
| #33 | MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall | 82 | 55 | 22 | 200k+ | 2026-06-06 | missing direct file access protection |
| #34 | The WP Remote WordPress Plugin | 82 | 51 | 24 | 30k+ | 2026-06-06 | missing direct file access protection |
| #35 | Cloudways Site Manager | 91 | 14 | 7 | 20k+ | 2026-05-25 | wp function not compatible with requires wp |