Config Constants Security & Risk Analysis

wordpress.org/plugins/config-constants

Modify WP_DEBUG and other WordPress constants directly in the WordPress admin rather than manually editing them via wp-config.php!

100 active installs · v0.2 · PHP + · WP 4.0+ · Updated Mar 20, 2017
configconstantdebugmodewp-config-wp-config-php
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Config Constants Safe to Use in 2026?

Generally Safe

Score 85/100

Config Constants has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 9yr ago
Risk Assessment

The 'config-constants' plugin v0.2 presents a mixed security picture. On the positive side, the plugin demonstrates good practices by utilizing prepared statements for all SQL queries and has no recorded vulnerabilities or CVEs. The attack surface is also remarkably small, with no identified AJAX handlers, REST API routes, shortcodes, or cron events, indicating a limited potential for direct exploitation. However, a significant concern arises from the complete lack of output escaping, meaning that all 8 identified output points are susceptible to cross-site scripting (XSS) vulnerabilities if they handle user-provided or untrusted data. Additionally, the absence of capability checks and nonce checks on its entry points is a notable weakness, as it doesn't properly verify user permissions or prevent cross-site request forgery (CSRF) for any potential future functionalities.

Key Concerns

  • All output points are unescaped
  • No capability checks implemented
  • No nonce checks implemented
Vulnerabilities
None known

Config Constants Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Config Constants Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 8 (0 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 2
External Requests: 0
Bundled Libraries: 0

Output Escaping

0% escaped · 8 total outputs
Attack Surface

Config Constants Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 3
action · admin_init · config-constants.php:71
action · admin_menu · config-constants.php:72
filter · plugin_action_links · config-constants.php:73
Maintenance & Trust

Config Constants Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.8.28
Last updated: Mar 20, 2017
PHP min version
Downloads: 7K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 100
Developer Profile

Config Constants Developer Profile

David Gwyer

11 plugins · 109K total installs

Trust score: 69
Avg Security Score: 86/100
Avg Patch Time: 156 days
Detection Fingerprints

How We Detect Config Constants

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/config-constants/
Version Parameters
config-constants/config-constants.php

HTML / DOM Fingerprints

CSS Classes
pcdm, dashicons-yes, dashicons-no
HTML Comments
/* @todo - Move all CSS to separate file and enqueue only on Plugin options page. - add to class layout rather than functions - only show the info icons on hover - need to disable the functions to write to config file if it's not writable. - Add some more constants from here: https://codex.wordpress.org/Editing_wp-config.php - Could replace globals with class properties once we refactor plugin - Add dismissable notice on plugins page that doesn't show again when dismissed. */
Data Attributes
pcdm_options
FAQ

Frequently Asked Questions about Config Constants