Description

During development of plugins or themes, as well as during deployment of a WordPress site, developers or system administrators may enable debug logs to log any PHP errors that occur.

WordPress makes use of the WP_DEBUG constant which is defined in wp-config.php. The constant is used to trigger the debug mode throughout WordPress. The constant is set to be false by default.

On this website, WordPress debug mode is enabled. When debug mode is enabled all PHP notices, warnings, errors and other debugging information are logged in a file named ./wp-content/debug.log. This file is readable by anybody who has access to this website. An attacker can use the debugging information from this file to conduct further attacks.

Remediation

Disable WordPress debug mode in production or restrict access to ./wp-content/debug.log file.
To disable WordPress debug mode make the following change in wp-config.php: 

define('WP_DEBUG', false);

References

Debugging in WordPress

WordPress Security Tips Part 10 | Secure Your Debug Logs

Related Vulnerabilities

ASP.NET error message

Oracle JavaServer Faces multiple vulnerabilities

WordPress Plugin Modern Events Calendar Lite Multiple Vulnerabilities (5.16.2)

WordPress 5.8 Multiple Vulnerabilities (5.8)

Unauthorized Access to a web app installer

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure