Description

During development of plugins or themes, as well as during deployment of a WordPress site, developers or system administrators may enable debug logs to log any PHP errors that occur.

WordPress uses the WP_DEBUG constant, defined in wp-config.php, to trigger debug mode throughout WordPress. The constant is set to false by default.

On this website, WordPress debug mode is enabled. When debug mode is enabled, all PHP notices, warnings, errors and other debugging information are logged in a file named ./wp-content/debug.log. This file is readable by anybody who has access to this website. An attacker can use the debugging information from this file to conduct further attacks.

Remediation

Disable WordPress debug mode in production, or restrict access to the ./wp-content/debug.log file.
To disable WordPress debug mode, make the following change in wp-config.php:

define('WP_DEBUG', false);
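
To confirm the remediation on a server, the check below reads wp-config.php for active debug constants and reports a leftover debug.log inside the web root. It is an added example, not part of the original advisory or of WordPress; the function names and the sample configuration are constructed for illustration, and WP_DEBUG_LOG is WordPress's companion file-logging constant, which the text above does not mention.

```python
import re, tempfile
from pathlib import Path

# Constructed sample wp-config.php fragment (not taken from a real site).
SAMPLE_CONFIG = """<?php
// define('WP_DEBUG', false);
define( 'WP_DEBUG', true );
define('WP_DEBUG_LOG', true);
"""
DEFINE_RE = re.compile(r"""define\(\s*['"](WP_DEBUG(?:_LOG)?)['"]\s*,\s*(.+?)\s*\)\s*;""")

def debug_constants(php_source):
    """Return {constant: raw PHP value}, ignoring commented-out defines."""
    src = re.sub(r"/\*.*?\*/", "", php_source, flags=re.S)
    live = [l for l in src.splitlines() if not l.lstrip().startswith(("//", "#"))]
    found = {}
    for m in DEFINE_RE.finditer("\n".join(live)):
        found.setdefault(m.group(1), m.group(2))  # PHP keeps the first define()
    return found

def is_enabled(raw):
    """Anything other than a falsy PHP literal counts as enabled."""
    return raw.strip().lower() not in ("false", "0", "null", "''", '""')

def audit(site_root):
    """Return findings for the WordPress install rooted at site_root."""
    root = Path(site_root)
    consts = debug_constants((root / "wp-config.php").read_text())
    findings = [f"{name} is enabled ({raw})"
                for name, raw in sorted(consts.items()) if is_enabled(raw)]
    log = root / "wp-content" / "debug.log"
    if log.is_file():
        findings.append(f"wp-content/debug.log present in web root ({log.stat().st_size} bytes)")
    return findings

def demo():
    """Build a throwaway site tree from SAMPLE_CONFIG and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content").mkdir()
        (root / "wp-config.php").write_text(SAMPLE_CONFIG)
        (root / "wp-content" / "debug.log").write_text("PHP Notice: constructed line\n")
        return audit(root)

if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Disabling WP_DEBUG does not delete a log that was already written, so an existing debug.log is reported even when the constants are off.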
