WP-Safety

Patchwing – Essential Debug Tools Security & Risk Analysis

wordpress.org/plugins/patchwing

A developer tool for WordPress that provides real time server metrics, PHP configuration insights, error logging and performance monitoring.

0 active installs v1.0.1 PHP 7.4+ WP 5.9+ Updated Apr 4, 2026
databasedebugdeveloperlogsperformance
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Patchwing – Essential Debug Tools Safe to Use in 2026?

Generally Safe

Score 100/100

Patchwing – Essential Debug Tools has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago
Risk Assessment

The "patchwing" v1.0.1 plugin exhibits a mixed security posture. On the positive side, it demonstrates strong adherence to secure coding practices by using prepared statements for all SQL queries and properly escaping all output. The absence of known CVEs and a clean vulnerability history suggest a generally well-maintained codebase. However, a significant concern arises from the "attack surface" analysis, which reveals 6 AJAX handlers with no authentication checks. This lack of authorization on all entry points presents a substantial risk, as any unauthenticated user could potentially trigger these handlers, leading to unintended actions or information disclosure.

While the taint analysis shows no critical or high-severity flows, the presence of 7 "dangerous functions," specifically `shell_exec`, without any indication of sanitization or contextual usage is a red flag. If these functions are invoked with user-supplied input or in an insecure manner, they could lead to remote code execution. The plugin also has file operation capabilities, which, combined with the lack of authentication on AJAX handlers and the presence of dangerous functions, could create a potent attack vector if not carefully managed. In conclusion, while the plugin is strong in some areas like SQL and output handling, the critical vulnerability of unprotected AJAX endpoints and the potential misuse of `shell_exec` overshadow these strengths, demanding immediate attention.

Key Concerns

  • AJAX handlers without authentication
  • Presence of dangerous function shell_exec
Vulnerabilities
None known

Patchwing – Essential Debug Tools Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Patchwing – Essential Debug Tools Release Timeline

v1.0.1Current
v1.0.0
Code Analysis
Analyzed Apr 16, 2026

Patchwing – Essential Debug Tools Code Analysis

Dangerous Functions
7
Raw SQL Queries
0
10 prepared
Unescaped Output
0
257 escaped
Nonce Checks
8
Capability Checks
11
File Operations
3
External Requests
2
Bundled Libraries
0

Dangerous Functions Found

shell_exec$result = shell_exec($command . ' 2>/dev/null');includes/class-dashboard.php:547
shell_exec$psRes = shell_exec('powershell -Command "Get-CimInstance Win32_OperatingSystem | Select-Object Totaincludes/class-dashboard.php:564
shell_exec$totalStr = shell_exec('wmic OS get TotalVisibleMemorySize /Value');includes/class-dashboard.php:570
shell_exec$freeStr = shell_exec('wmic OS get FreePhysicalMemory /Value');includes/class-dashboard.php:571
shell_exec$freeOut = shell_exec('free -b'); // -b for bytesincludes/class-dashboard.php:601
shell_exec$total = (int)shell_exec('/usr/sbin/sysctl -n hw.memsize');includes/class-dashboard.php:618
shell_exec$vmStat = shell_exec('/usr/bin/vm_stat');includes/class-dashboard.php:619

SQL Query Safety

100% prepared10 total queries

Output Escaping

100% escaped257 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

5 flows
patchwing_render_system_info (includes/class-dashboard.php:109)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
6 unprotected

Patchwing – Essential Debug Tools Attack Surface

Entry Points6
Unprotected6

AJAX Handlers 6

authwp_ajax_patchwing_db_table_actionsincludes/class-core.php:39
authwp_ajax_patchwing_refresh_system_infoincludes/class-core.php:40
authwp_ajax_patchwing_get_system_info_reportincludes/class-core.php:41
authwp_ajax_patchwing_export_system_infoincludes/class-core.php:42
authwp_ajax_patchwing_performance_analyzer_refreshincludes/class-core.php:43
authwp_ajax_patchwing_performance_analyzer_clearincludes/class-core.php:44
WordPress Hooks 5
actionadmin_enqueue_scriptsincludes/class-core.php:32
actionadmin_initincludes/class-core.php:34
actionadmin_menuincludes/class-core.php:36
actionadmin_initincludes/class-core.php:45
actionplugins_loadedpatchwing.php:36
Maintenance & Trust

Patchwing – Essential Debug Tools Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedApr 4, 2026
PHP min version7.4
Downloads150

Community Trust

Rating0/100
Number of ratings0
Active installs0
Alternatives

Patchwing – Essential Debug Tools Alternatives

Developer Debug Tools

Developer Debug Tools

dev-debug-tools

A
100

Lots of debugging and testing tools for developers.

100 No CVEs
Dynamic Inspector for Elementor – Performance Profiler & Debugger

Dynamic Inspector for Elementor – Performance Profiler & Debugger

dynamic-inspector-for-elementor

A
100

A powerful frontend inspector and navigator for Elementor that helps developers debug, inspect elements, and analyze performance.

40 No CVEs
Database Performance Monitor

Database Performance Monitor

database-performance-monitor

A
85

Outputs some database query information on page load for logged in admins. Output is located as an html comment in the footer and also in the console.

10 No CVEs
Debug Bar Query Count Alert

Debug Bar Query Count Alert

debug-bar-query-count-alert

A
85

A simple add-on for the Debug Bar plugin to replace the button text with the database query count and time.

10 No CVEs
Cron Error Silence

Cron Error Silence

cron-error-silence

A
100

Silence noisy WordPress cron-related error messages and clean up your debug logs – without affecting core functionality.

0 No CVEs
Developer Profile

Patchwing – Essential Debug Tools Developer Profile

Nafiz

1 plugin · 0 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Patchwing – Essential Debug Tools

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/patchwing/assets/css/style.css/wp-content/plugins/patchwing/assets/js/vendor/chart.min.js/wp-content/plugins/patchwing/assets/js/vendor/jquery-3.7.0.min.js/wp-content/plugins/patchwing/assets/js/patchwing.js/wp-content/plugins/patchwing/assets/js/performance-analyzer.js/wp-content/plugins/patchwing/assets/js/debug-log.js/wp-content/plugins/patchwing/assets/js/db-tables.js
Script Paths
/wp-content/plugins/patchwing/assets/js/vendor/chart.min.js/wp-content/plugins/patchwing/assets/js/vendor/jquery-3.7.0.min.js/wp-content/plugins/patchwing/assets/js/patchwing.js/wp-content/plugins/patchwing/assets/js/performance-analyzer.js/wp-content/plugins/patchwing/assets/js/debug-log.js/wp-content/plugins/patchwing/assets/js/db-tables.js
Version Parameters
patchwing/style.css?ver=chart.min.js?ver=jquery-3.7.0.min.js?ver=patchwing.js?ver=performance-analyzer.js?ver=debug-log.js?ver=db-tables.js?ver=

HTML / DOM Fingerprints

CSS Classes
patchwing-settings-fieldpatchwing-performance-chartpatchwing-debug-log-wrapper
HTML Comments
<!-- Patchwing: Dashboard --><!-- Patchwing: PHP Info --><!-- Patchwing: Debug Log --><!-- Patchwing: Database Tables -->+2 more
Data Attributes
data-patchwing-settingsdata-patchwing-performance-data
JS Globals
patchwing_varspatchwing_dashboard_datapatchwing_performance_analyzer_datapatchwing_debug_log_datapatchwing_db_tables_data
REST Endpoints
/wp-json/patchwing/v1/settings/wp-json/patchwing/v1/performance-data/wp-json/patchwing/v1/debug-log
FAQ

Frequently Asked Questions about Patchwing – Essential Debug Tools